- CDPD-76180: Ranger DataShare created shows status as ACTIVE
instead of the default REQUESTED
- 7.3.2
- When a new Ranger Data Share is created, its status was
incorrectly set to
ACTIVE by default. This issue has been resolved. The
system now correctly sets the default status to REQUESTED upon
creation, matching the expected behavior and avoiding user confusion about the Data
Share state.
-
Apache JIRA: RANGER-4997
- CDPD-77975: Load table REST API showing details of unauthorized
table
- 7.3.1.400, 7.3.2
- The Iceberg REST Catalog load table API incorrectly
returned metadata details for tables that were excluded from the Ranger policy,
resulting in a 200 response instead of the expected 404
NoSuchTableException. This issue has been resolved by adding
filtering support to get_table_metas. Unauthorized tables are now
properly hidden and return the appropriate error response.
- CDPD-80657: Filter Ranger access audit by DataSet
- 7.3.2
- The Ranger user interface filter by datasets was
non-functional. This issue is resolved and you can now filter Ranger access audits by
Dataset.
-
Apache JIRA: RANGER-5156
- CDPD-94396: IDBroker includes preceding / in prefix when
substituting session policy contents
- 7.3.1.507, 7.3.1.800, 7.3.2.0
- IDBroker assumed that prefix values in policy condition
statements could include a preceding
/ character, which caused policies
not to work properly. This issue has been resolved. IDBroker now removes the leading
/ character from prefix values when performing substitutions in
session policies.
- CDPD-85416: Add client configuration to HiveAuthzContext for
REST catalog audit differentiation
- 7.3.2
- When calls are made to Ranger HiveAuthorizer from the
REST Catalog, Ranger was unable to differentiate the plugins between the Hive Metastore
and the REST Catalog. This caused audits to be incorrectly logged for the calls made
from the REST Catalog service. This issue is resolved. The authorization context has
been enriched to include the
client_type, allowing Ranger to properly
differentiate and audit the calls.
- CDPD-85261: Rest Catalog service should use only HMS
RangerHiveAuthorizer for its command authorization
- 7.3.2
- The REST Catalog service incorrectly created a new
instance of the Ranger Hive plugin for authorization. This caused the main Hive plugin
reference to be overwritten because the REST Catalog is embedded in the Hive Metastore
(HMS). This issue has been resolved. The REST Catalog service now correctly uses only
the HMS RangerHiveAuthorizer for its command authorization.
- CDPD-96185: REST Catalog APIs failing with error code 500 at the
time of rolling upgrade
- 7.3.2.0
- During rolling upgrades, Iceberg REST Catalog API
requests routed through Knox failed with a 500 error code. This happened because High
Availability (HA) failover was not supported for the
iceberg-rest
service in Knox. This issue has been resolved. Knox now supports HA for the
iceberg-rest service, ensuring that API requests properly fail over
to available instances during upgrades.
-
Apache JIRA: ATLAS-4785
- CDPD-85058: REST Catalog APIs failing with error code 401 during
rolling upgrade
- 7.3.2
- During rolling upgrades, REST Catalog APIs could fail
with an HTTP 401 error code due to an access token fetch failure when the connection to
IDBroker encountered an
UnknownHostException. This issue has been
resolved.
- CDPD-81420: Add ownership information in tablecontext when doing
filteringTableNames and filterTableMetas
- 7.3.2
- The Iceberg REST Catalog was missing table ownership
information when fetching and filtering metadata using
filterTable.
This caused mapping issues in IDBroker. This issue has been resolved. The REST Catalog
now correctly uses filterTableMetas to include ownership information
when invoking client.get_all_tables.
- CDPD-83430: STS token generated incorrectly when
fetchDelegationToken fails
- 7.3.2
- An issue in the REST Catalog allowed Security Token
Service (STS) tokens to be incorrectly generated for queries even when the
fetchDelegationToken operation to IDBroker failed. This issue has been
resolved. Now, queries will correctly fail to generate STS tokens and execute if
IDBroker cannot be reached to fetch the required delegation token.
- CDPD-80334: REST Catalog plugin is not sending the audit with
"rest catalog" as app Id for audit segregation
- 7.3.1.400, 7.3.2.0
- The Iceberg REST Catalog plugin incorrectly failed to
send audit logs with the "rest catalog" Application ID, which prevented proper audit
segregation. This issue has been resolved. The REST Catalog plugin configuration has
been overridden to correctly send the audit with the "rest catalog" Application ID for
audit segregation.
- CDPD-82812: HA feature not working for Rest Catalog
- 7.3.2.0
- Previously, the Knox topology file
cdp-share-access.xml created during Cloudera Data Sharing setup could
not handle multiple Hive Metastore (HMS) nodes. In the event of a node failure, healthy
nodes could not reliably take over the workload. This issue has been resolved. The Knox
topology now correctly supports High Availability (HA) for the REST Catalog, ensuring
proper failover between HMS nodes.
