Fixed Issues in Ranger

Review the list of Ranger issues that are resolved in Cloudera Runtime 7.3.1, its service packs and cumulative hotfixes.

Cloudera Runtime 7.3.1.400 SP2

CDPD-78680: Selected long string values getting truncated in the react-select control
In Ranger React UI, the react-select input values are getting truncated for long values.

This issue is fixed. The selected long input string values are not getting truncated on Ranger React UI.

Cloudera Runtime 7.3.1.300 SP1 CHF 1

CDPD-80492: Tomcat upgrade to 9.0.99+
Upgraded Tomcat to 9.0.99+ to address CVE-2025-24813.
CDPD-80018: Concurrent policy label update leads to an infinite loop
Concurrent updates to policy labels for a policy lead to an infinite loop causing the Ranger database to crash. Concurrent policy label update and underlying policy deletion also result in the same behavior.

Fixed concurrent updates to policy labels. Policy label updates are skipped if the underlying policy gets deleted.

Cloudera Runtime 7.3.1.200 SP1

CDPD-79911: Upgrade netty to 4.1.118.Final
Ranger: Upgraded netty to 4.1.118.Final due to CVE-2025-24970, CVE-2025-25193.
CDPD-79778: Issue in APPEND mode while writing Ranger audits to HDFS
Ranger audits to HDFS currently use APPEND mode when errors or exceptions are encountered while writing audits to the HDFS destination (to prevent a large number of audit files), and fall back to WRITE mode if unable to APPEND.

The issue is fixed now. A configuration parameter to enable APPEND mode while writing Ranger audits to HDFS is added.

CDPD-79460: RMS full-sync breaks due to unsupported schema
RMS supports the HDFS and Ozone file systems in private cloud and S3 in public cloud. The supported file schema types are hdfs, s3a, o3fs, and ofs. If a Hive table location was stored on another file system that RMS does not support, full-sync threw an exception due to the unsupported schema, and the full-sync never completed.

This fix skips the unsupported file schema types while processing table and database metadata during full-sync and delta-sync in RMS. Therefore, table and database locations stored on other file systems that RMS does not support are not mapped, and appropriate messages are logged in the RMS server log file.

CDPD-78195: Enhance the audit generated in Ranger during data discovery call from REST Catalog API
The audit generated in Ranger during data discovery call from the REST Catalog API is now enhanced. Calls such as list Databases / ListTables did not have the correct access Types and are enhanced to provide details on the operation.
CDPD-77093: HBase scan operation returns denied columns in result
In some cases, Ranger authorization returned access results of some HBase data even when the user was not entitled to do so.

This issue is fixed now.

Cloudera Runtime 7.3.1.100 CHF 1

CDPD-78204: Alter Rename should not check for the CREATE permission on the database in which renamed table is created
Alter rename command does not require CREATE permission on the database in which renamed table is created.
CDPD-78072: Set role command was not audited by Ranger
The issue is fixed now. Ranger now supports the auditing of the SET ROLE command for Hive plugin.
CDPD-77948: CSV injection vulnerability during CSV and Excel file export
When policies were created with the special characters mentioned in the document, there were vulnerabilities that could be exploited.

The issue is fixed now. Checks have been added to ensure that whenever such characters are present, a space is added after them.

CDPD-77093: HBase scan operation returns denied columns in result
In some cases, Ranger authorization returns access results of some HBase data even when the user is not entitled to.

This issue is fixed now.

CDPD-76662: RMS server threw ConcurrentModificationException
The original ConcurrentModificationException was likely thrown when the resource-mappings were modified in response to changes in the Hive metadata while they were being serialized for downloading to the NameNode (or secondary-namenode).

The fix is to create a shallow copy of resource-mappings before applying deltas which ensures that resource-mappings are not modified while they are being serialized for downloading to the NameNode.
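The copy-then-publish pattern this fix describes, as an added example (not Ranger RMS code; the class, method, and mapping names are hypothetical). The loop in `main` simulates a delta arriving in the middle of serialization:

```java
import java.util.*;

// Added illustration only: class and method names are hypothetical, not Ranger RMS code.
public class ResourceMappingsStore {
    // Hive resource -> HDFS locations. A published map is never mutated again.
    private volatile Map<String, List<String>> mappings = new HashMap<>();

    public Map<String, List<String>> current() {
        return mappings;
    }

    // Download path: walks whichever snapshot was current when it started.
    public String serialize() {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, List<String>> e : current().entrySet()) {
            sb.append(e.getKey()).append('=').append(e.getValue()).append('\n');
        }
        return sb.toString();
    }

    // Hive metadata change: copy, apply the deltas to the copy, then publish it.
    public synchronized void applyDeltas(Map<String, List<String>> upserts, Set<String> removals) {
        Map<String, List<String>> copy = new HashMap<>(mappings); // shallow: value lists are shared
        copy.keySet().removeAll(removals);
        copy.putAll(upserts); // replaces whole entries; shared lists are never edited in place
        mappings = copy;
    }

    public static void main(String[] args) {
        ResourceMappingsStore store = new ResourceMappingsStore();
        // Constructed sample mappings.
        store.applyDeltas(Map.of("db1.t1", List.of("/warehouse/db1/t1"),
                                 "db1.t2", List.of("/warehouse/db1/t2")), Set.of());

        // A delta lands while a reader is iterating. Mutating the iterated HashMap
        // in place at this point would throw ConcurrentModificationException.
        int seen = 0;
        for (String key : store.current().keySet()) {
            store.applyDeltas(Map.of("db1.t3", List.of("/warehouse/db1/t3")), Set.of("db1.t1"));
            seen++;
        }
        System.out.println("entries seen by in-flight reader: " + seen);
        System.out.print(store.serialize());
    }
}
```

Because the copy is shallow, this only holds as long as deltas replace whole entries rather than editing the shared value lists.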

CDPD-76630: Ranger Audit Filter for the HBase service was not working as expected
On the service creation page, while adding audit filters, the resources column includes an Include/Exclude switch for most resources. The issue arose when an option was selected in the switch:
  • If Include was selected, the isExclude parameter should be false, but it was incorrectly set to true.
  • If Exclude was selected, the isExclude parameter should be true, but it was incorrectly set to false.
Due to this incorrect mapping, the switch values were reversed, causing the audit filter values to be set incorrectly. As a result, incorrect audit access logs were generated.

The issue is fixed now.

CDPD-76131: A ResourceTrie node referring to modified policy-evaluator was removed even when it contained wildcard-evaluator(s)
If policy-deltas were enabled and two policies had a common subset of resources and were defined on the same user (or subset of users, through groups or direct users), then when one of these policies was modified (on anything: name, resource, user), it was the only one in effect during access evaluation until the underlying service was restarted. The underlying cause was that a ResourceTrie node referring to the modified policy-evaluator was removed even when it contained wildcard-evaluator(s).

This fix removes self node from the resourceTrie only if it has no children, no evaluators, and no wildcard-evaluators.
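The pruning condition from this fix, shown on a simplified character trie as an added example (a stand-in, not Ranger's ResourceTrie; all class, method, and policy names are hypothetical). Removing the exact-match evaluator for `sales` must leave the node in place because a wildcard evaluator still hangs off it:

```java
import java.util.*;

// Added illustration only: a simplified stand-in, not Ranger's ResourceTrie implementation.
public class TrieNodePruning {
    static class Node {
        final Map<Character, Node> children = new HashMap<>();
        final Set<String> evaluators = new TreeSet<>();         // exact-match policies
        final Set<String> wildcardEvaluators = new TreeSet<>(); // policies on "prefix*"
        boolean isPrunable() { // the fix: all three collections must be empty
            return children.isEmpty() && evaluators.isEmpty() && wildcardEvaluators.isEmpty();
        }
    }
    final Node root = new Node();

    void add(String resource, String policy) {
        Node n = root;
        for (char c : resource.replace("*", "").toCharArray())
            n = n.children.computeIfAbsent(c, k -> new Node());
        (resource.endsWith("*") ? n.wildcardEvaluators : n.evaluators).add(policy);
    }

    // Drops an exact-match evaluator, then prunes only nodes that are truly empty.
    boolean remove(Node n, String resource, int i, String policy) {
        if (i == resource.length()) {
            n.evaluators.remove(policy);
        } else {
            Node child = n.children.get(resource.charAt(i));
            if (child != null && remove(child, resource, i + 1, policy))
                n.children.remove(resource.charAt(i));
        }
        return n.isPrunable();
    }

    Set<String> match(String resource) {
        Set<String> hits = new TreeSet<>();
        Node n = root;
        for (int i = 0; n != null; i++) {
            hits.addAll(n.wildcardEvaluators);
            if (i == resource.length()) { hits.addAll(n.evaluators); break; }
            n = n.children.get(resource.charAt(i));
        }
        return hits;
    }

    public static void main(String[] args) {
        TrieNodePruning trie = new TrieNodePruning();
        trie.add("sales", "policy-A");  // constructed sample policies
        trie.add("sales*", "policy-B");
        trie.remove(trie.root, "sales", 0, "policy-A"); // policy-A modified: old evaluator dropped
        System.out.println(trie.match("sales_eu"));     // wildcard evaluator survives the prune
    }
}
```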

CDPD-75947: Support SASL bind for Ranger Usersync with AD/LDAP
Usersync of Ranger supports GSSAPI SASL Bind. For more information see, .
CDPD-75105: Performance fixes for Ozone plugin
Fixed the performance issues observed while evaluating policies for multi-level resources:
  • RANGER-4893: Improves policy evaluation for multilevel resource hierarchies.
  • RANGER-4922: Reduces time to find tags associated with multilevel resources.
CDPD-72979: Ranger Tagsync did not support Ozone OFS paths/O3FS recursive feature
There was no support for the OFS path/O3FS recursive feature in 7.3.1. As a result, upgrading from 7.1.9 SP1 CHF3 or higher to 7.3.1 caused a regression.

This issue has been fixed now in 7.3.1 CHF1. Ozone keys will now be recursively checked for tags and tag based policies. So, tags applied for parent directory will be applicable to subdirectories too. If you are already using tag based policies for Ozone keys and upgrading from 7.1.9 SP1 CHF2 or lower or 7.3.1, and you want the new behavior (i.e. isRecursive=true) for old tagged keys, you need to retag these keys in Atlas.

Common Vulnerabilities and Exposures (CVE) that are fixed in this CHF:
CVE-2024-55532 - Apache Ranger

Cloudera Runtime 7.3.1

CDPD-73663: RMS server threw ConcurrentModificationException
The original ConcurrentModificationException was likely thrown when the resource-mappings were modified in response to changes in the Hive metadata while they were being serialized for downloading to the NameNode (or secondary-namenode).
The fix is to create a shallow copy of resource-mappings before applying deltas which ensures that resource-mappings are not modified while they are being serialized for downloading to the NameNode.
CDPD-73326: Reduce memory needed to create Ranger policy engine
Ranger policy engine creates a RangerPolicyResourceMatcher object for every resource specified either in policy or in a tag association. PolicyResourceMatcher, for the services that have more than one level in their resource hierarchy, consists of RangerResourceMatcher objects for each level in the resource-level hierarchy for the resource. In many cases, this leads to creation of multiple RangerResourceMatchers with identical resource specification.

The fix for this issue avoids creation of multiple RangerResourceMatcher objects by maintaining a cache of them in the RangerPluginContext object associated with the Ranger policy engine, thereby reducing policy engine's memory needs.

CDPD-73144: Trie to support processing of evaluators during traversal
Ranger policy engine uses trie data structure to organize resources for faster retrieval of policies/tags/zones associated with a given resource. When a resource consists of multiple elements, like database/table/column, as many trie instances are consulted to retrieve policies/tags/zones associated with the resource. Such multi-trie retrieval can be optimized with a 2-pass traversal - first pass to get count and the second pass to get the actual objects. Trie data structure used in Ranger policy engine should be updated to support this optimization.

The trie is now enhanced to support processing of evaluators during traversal.

CDPD-73102: Access issues for s3 express buckets
Fixed S3 Express bucket access with RAZ enabled in all regions.
CDPD-72203: Users observing role change from ROLE_SYS_ADMIN to ROLE_USER
Fixes role reset (to USER role) for users in usersync paged requests to ranger-admin.
CDPD-71719: Ranger override policy was not working
Ranger override policy was not allowing the access even though all permissions were given to the user.
This fix ensures that once all of the requested accesses are successfully allowed by (possibly multiple) Ranger policies, the access evaluation terminates with access allowed as the result.
CDPD-70081: "Drop database cascade" resulted in dropping of a table on which the user did not have access
Drop database cascade failed if the user did not have access to one or more of the underlying tables. It deleted the tables the user had access to but not the others, which caused the database not to be dropped as well.
This issue is fixed now.
CDPD-69488: Upgrade failure due to NPE in PatchForUpdatingServiceDefJson_J10058
Patch upgrade error failure in non-default service-def is fixed now.
CDPD-69305: /plugins/policies/importPoliciesFromFile API returns 500 service connectivity error through Knox Proxy
The fix imports large policy files using the Ranger importPoliciesFromFile API through Knox.
CDPD-68921: Exclude flag not taking effect for Ozone key resource in Ranger policy
Fix for exclude flag not taking effect for Ozone key resource in Ranger policy has been added.
CDPD-68853: Create function and Drop function commands are not supported when Ranger plugin is enabled
Support for Create and Drop function commands in Ranger trino plugin has been added.
CDPD-68827: Alter materialized view command is not working when Ranger plugin is enabled
Added support for Alter materialized view command in Ranger trino plugin.
CDPD-68826: Refresh materialized view command is not working when Ranger plugin is enabled
Added support for Refresh materialized view command in Ranger trino plugin.
CDPD-68376: Enable policy and tag deltas for Ranger admin and plugins by default
Policy and tag deltas for Ranger admin and plugins are enabled by default.
CDPD-68238: Update operations are not supported when Ranger plugin is enabled
The fix enables support for the update statement in the Ranger Trino plugin.
CDPD-67823: Ranger RMS gives all permissions to the user through the Create permission
An additional check is now made to ensure that the user attempting to alter an HDFS directory that maps to the Hive database is the owner of the Hive database for the attempted operation to be allowed.
CDPD-67193: Issue with inactivityTimeout getting reset
The inactivityTimeout was getting reset when a user updated its profile from the UserProfile page.

This issue is fixed. The inactivityTimeout is no longer reset to the default value of 15 minutes when a user updates their profile from the UserProfile page on Ranger Admin UI.

CDPD-66842: Ranger Admin server gives empty response
Ranger Admin server gave an empty response when a user with user-role tried to update lastname or email address.

The issue is fixed now. Error response with message will be shown when a user with user-role tries to add/update last name or email address.

CDPD-66839: Enhance perf-tracer to get CPU time when possible
Ranger module is instrumented with performance measurement code. It enables performance logging for the module and helps in measuring the amount of time spent during execution of various methods/functions during its operation. For achieving more precise time measurement, this feature supports nanosecond precision when the JVM version supports it.
CDPD-66624: Transform URLs with or without “/” at the end issue
The fix enables the transformation step to handle “/” at the end of the path.
CDPD-66404: Merging apache ranger jiras for handling local storage data for column show/hide functionality
Implemented Column Hide/Show functionality in Audit > Plugin Status tab.
CDPD-66358: HS2 logs having a huge number of WARN logs
HS2 logs had a huge number of WARN logs from RangerHiveAuthorizer regarding connection to HMS for fetching Hive object owner.

This fix addresses the issue where HS2 logs have a huge number of WARN logs.

CDPD-66136: Display of query information for Show databases/schemas command on Ranger Admin UI
In Ranger React UI, if the resource type for certain commands was logged as "null" in the audits, the information about the query/operations performed was not displayed in the access audits.
This ticket addresses the issue and displays the query/operation information for access audits where the resource type was "null".
CDPD-66092: Ranger Javapatch failure even if service-defs do not exist in Ranger DB
Added support to upgrade non-default service-defs in Ranger.
CDPD-65923: Audit logs for Mask and Row policy does not show policy condition under policy item
The fix now shows policy conditions under policy items for Mask and Row policy Audit logs.
CDPD-65650: Pagination missing on the Ranger Admin - Plugin Status page
This fix offers the following:
  • Sorting works properly after this patch.
  • Pagination added.
CDPD-63891: Backport the ranger-trino changes from upstream to downstream
Trino support in Ranger has been added.
OPSAPS-70838: Flink user should be added by default in ATLAS_HOOK topic policy in Ranger >> cm_kafka
The "flink" service user is granted publish access on the ATLAS_HOOK topic by default in the Kafka Ranger policy configuration.
OPSAPS-69411: Update AuthzMigrator GBN to point to latest non-expired GBN
Users will now be able to export sentry data only for given Hive objects (databases and tables and the respective URLs) by using the config "authorization.migration.export.migration_objects" during export.
OPSAPS-68252: "Ranger RMS Database Full Sync" option was not visible on mow-int cluster setup for hrt_qa user (7.13.0.0)
The fix makes the command visible on cloud clusters when the user has minimum EnvironmentAdmin privilege.
Apache Patch information
  • RANGER-4973
  • RANGER-4972
  • RANGER-4960
  • RANGER-4933
  • RANGER-4912
  • RANGER-4905
  • RANGER-4893
  • RANGER-4833
  • RANGER-4823
  • RANGER-4819
  • RANGER-4818
  • RANGER-4802
  • RANGER-4799
  • RANGER-4798
  • RANGER-4797
  • RANGER-4796
  • RANGER-4791
  • RANGER-4786
  • RANGER-4782
  • RANGER-4781
  • RANGER-4780
  • RANGER-4774
  • RANGER-4767
  • RANGER-4753
  • RANGER-4747
  • RANGER-4745
  • RANGER-4737
  • RANGER-4729
  • RANGER-4722
  • RANGER-4720
  • RANGER-4718
  • RANGER-4717
  • RANGER-4710
  • RANGER-4699
  • RANGER-4698
  • RANGER-4690
  • RANGER-4689
  • RANGER-4688
  • RANGER-4681
  • RANGER-4673
  • RANGER-4668
  • RANGER-4653
  • RANGER-4641
  • RANGER-4611
  • RANGER-4609
  • RANGER-4607
  • RANGER-4598
  • RANGER-4597
  • RANGER-4596
  • RANGER-4595
  • RANGER-4594
  • RANGER-4593
  • RANGER-4591
  • RANGER-4590
  • RANGER-4589
  • RANGER-4588
  • RANGER-4586
  • RANGER-4578
  • RANGER-4577
  • RANGER-4576
  • RANGER-4575
  • RANGER-4574
  • RANGER-4573
  • RANGER-4568
  • RANGER-4555
  • RANGER-4554
  • RANGER-4553
  • RANGER-4552
  • RANGER-4551
  • RANGER-4550
  • RANGER-4549
  • RANGER-4548
  • RANGER-4547
  • RANGER-4546
  • RANGER-4545
  • RANGER-4544
  • RANGER-4532
  • RANGER-4515
  • RANGER-4513
  • RANGER-4492
  • RANGER-4370
  • RANGER-4303
  • RANGER-4278
  • RANGER-4261
  • RANGER-4229
  • RANGER-4221
  • RANGER-4172
  • RANGER-4010
  • RANGER-3805
  • RANGER-3772
  • RANGER-3759
  • RANGER-3745
  • RANGER-3657
  • RANGER-3182
  • RANGER-3174