Fixed issues for Cloudera Iceberg REST Catalog are addressed in Cloudera Runtime 7.3.2, its service packs and cumulative hotfixes.
Cloudera Runtime 7.3.2 resolves Cloudera Iceberg REST Catalog issues and incorporates fixes from the
service packs and cumulative hotfixes from 7.3.1.100 through 7.3.1.700. For a comprehensive
record of all fixes in Cloudera Runtime 7.3.1.x, see Fixed Issues.
- CDPD-76180: Ranger DataShare created shows status as ACTIVE instead of the default REQUESTED
- 7.3.2
- When a new Ranger Data Share was created, its status was incorrectly set to ACTIVE by default. This issue has been resolved. The system now correctly sets the default status to REQUESTED upon creation, matching the expected behavior and avoiding user confusion about the Data Share state.
- Apache JIRA: RANGER-4997
- CDPD-77975: Load table REST API showing details of unauthorized table
- 7.3.1.400, 7.3.2
- The Iceberg REST Catalog load table API incorrectly returned metadata details for tables that were excluded from the Ranger policy, resulting in a 200 response instead of the expected 404 NoSuchTableException. This issue has been resolved by adding filtering support to get_table_metas. Unauthorized tables are now properly hidden and return the appropriate error response.
- CDPD-80657: Filter Ranger access audit by DataSet
- 7.3.2
- The Ranger user interface filter by datasets was non-functional. This issue is resolved and you can now filter Ranger access audits by Dataset.
- Apache JIRA: RANGER-5156
- CDPD-94396: IDBroker includes preceding / in prefix when substituting session policy contents
- 7.3.1.507, 7.3.1.800, 7.3.2.0
- IDBroker assumed that prefix values in policy condition statements could include a preceding / character, which caused policies not to work properly. This issue has been resolved. IDBroker now removes the leading / character from prefix values when performing substitutions in session policies.
- CDPD-85416: Add client configuration to HiveAuthzContext for REST catalog audit differentiation
- 7.3.2
- When calls are made to Ranger HiveAuthorizer from the REST Catalog, Ranger was unable to differentiate the plugins between the Hive Metastore and the REST Catalog. This caused audits to be incorrectly logged for the calls made from the REST Catalog service. This issue is resolved. The authorization context has been enriched to include the client_type, allowing Ranger to properly differentiate and audit the calls.
- CDPD-85261: Rest Catalog service should use only HMS RangerHiveAuthorizer for its command authorization
- 7.3.2
- The REST Catalog service incorrectly created a new instance of the Ranger Hive plugin for authorization. This caused the main Hive plugin reference to be overwritten because the REST Catalog is embedded in the Hive Metastore (HMS). This issue has been resolved. The REST Catalog service now correctly uses only the HMS RangerHiveAuthorizer for its command authorization.
- CDPD-96185: REST Catalog APIs failing with error code 500 at the time of rolling upgrade
- 7.3.2.0
- During rolling upgrades, Iceberg REST Catalog API requests routed through Knox failed with a 500 error code. This happened because High Availability (HA) failover was not supported for the iceberg-rest service in Knox. This issue has been resolved. Knox now supports HA for the iceberg-rest service, ensuring that API requests properly fail over to available instances during upgrades.
- Apache JIRA: ATLAS-4785
- CDPD-85058: REST Catalog APIs failing with error code 401 during rolling upgrade
- 7.3.2
- During rolling upgrades, REST Catalog APIs could fail with an HTTP 401 error code due to an access token fetch failure when the connection to IDBroker encountered an UnknownHostException. This issue has been resolved.
- CDPD-81420: Add ownership information in tablecontext when doing filteringTableNames and filterTableMetas
- 7.3.2
- The Iceberg REST Catalog was missing table ownership information when fetching and filtering metadata using filterTable. This caused mapping issues in IDBroker. This issue has been resolved. The REST Catalog now correctly uses filterTableMetas to include ownership information when invoking client.get_all_tables.
- CDPD-83430: STS token generated incorrectly when fetchDelegationToken fails
- 7.3.2
- An issue in the REST Catalog allowed Security Token Service (STS) tokens to be incorrectly generated for queries even when the fetchDelegationToken operation to IDBroker failed. This issue has been resolved. Queries now correctly fail, without generating STS tokens or executing, if IDBroker cannot be reached to fetch the required delegation token.
- CDPD-80334: REST Catalog plugin is not sending the audit with "rest catalog" as app Id for audit segregation
- 7.3.1.400, 7.3.2.0
- The Iceberg REST Catalog plugin failed to send audit logs with the "rest catalog" Application ID, which prevented proper audit segregation. This issue has been resolved. The REST Catalog plugin configuration has been overridden to correctly send the audit with the "rest catalog" Application ID for audit segregation.
- CDPD-82812: HA feature not working for Rest Catalog
- 7.3.2.0
- Previously, the Knox topology file cdp-share-access.xml created during Cloudera Data Sharing setup could not handle multiple Hive Metastore (HMS) nodes. In the event of a node failure, healthy nodes could not reliably take over the workload. This issue has been resolved. The Knox topology now correctly supports High Availability (HA) for the REST Catalog, ensuring proper failover between HMS nodes.