Release Notes - Ranger - Version 2.0.0
New Feature
- [RANGER-2049] - Support doAs in Ranger Admin Portal / REST API
- [RANGER-2170] - Ranger supports plugin to enable, monitor and manage Elasticsearch
- [RANGER-2209] - Service Definition for ABFS to support Ranger Authorization
- [RANGER-2232] - Security Zones feature in Apache Ranger
- [RANGER-2281] - Support Trusted Proxy in ranger
- [RANGER-2325] - Implement ranger plugin for Ozone
- [RANGER-2331] - Ranger-KMS - KeySecure HSM Integration
- [RANGER-2354] - Add custom condition at policy level
- [RANGER-2414] - Enhancements to support roles in Ranger policies
- [RANGER-2425] - Enhance ranger hive plugin to support sql role commands
- [RANGER-2443] - Ranger UI support for access via Knox Trusted Proxy
Improvement
- [RANGER-1715] - Enhance Ranger Hive Plugin to support authorization on Hive replication Tasks
- [RANGER-1851] - Enhance Ranger Hive Plugin to support authorization for KILL QUERY command
- [RANGER-1935] - Upgrade Ranger to support Apache Hadoop 3.0.0
- [RANGER-1958] - [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger
- [RANGER-1978] - Upgrade Jackson Databind to 2.8.11
- [RANGER-2093] - RangerHiveAuthorizer showPrivileges should show Hive Objects ACLs from Ranger
- [RANGER-2140] - Upgrade spring and guava libraries
- [RANGER-2148] - Update Ranger Hive dependency version to 3.0
- [RANGER-2151] - Update Ranger Hbase dependency version to 2.0
- [RANGER-2153] - Supply the function of reverting policy history version.
- [RANGER-2157] - Add NiFi Registry service definition and NiFiRegistryClient
- [RANGER-2158] - Performance improvement to REST API call to update policies
- [RANGER-2161] - Improvement in policy screen permission items
- [RANGER-2162] - Upgrade c3p0 libraries
- [RANGER-2164] - Ranger to add default atlas policy for rangertagsync user.
- [RANGER-2167] - Upgrade to Apache parent pom version 20
- [RANGER-2168] - Add service admin user through service config
- [RANGER-2169] - Create unique index on service and name column of x_policy table
- [RANGER-2172] - Good coding practices for unix authentication Service in Ranger
- [RANGER-2173] - Optimize Trie construction and Policy lookup
- [RANGER-2177] - Handle validations for duplicate configuration item during service create/edit
- [RANGER-2181] - Code Improvement To Follow Best Practices
- [RANGER-2184] - Update RangerAtlas authorization to authorize add/update/remove of relationships
- [RANGER-2188] - Support multiple threads to build Trie and on-lookup post-setup for Trie nodes
- [RANGER-2191] - Update ranger-tool with new options to control Trie
- [RANGER-2203] - Review and update database schema for ranger policies to minimize database queries/updates
- [RANGER-2207] - Allow resources to appear in column mask policies without being visible in access policies
- [RANGER-2208] - Code improvement to fetch User/Group information and Service Config details
- [RANGER-2210] - Ranger support for Apache Kafka 2.0.0
- [RANGER-2212] - Add multiple urls tips for the ‘Kylin URL’ configuration item when creating the kylin-plugin service
- [RANGER-2214] - Do some code improvement for the error message for KylinClient.java
- [RANGER-2216] - Ranger Audit UI lacks the feature to search the audits using Policy Id
- [RANGER-2218] - Service-Definition update should not allow updates to names of resources, access-types, conditions or data-masks
- [RANGER-2221] - Apache Ranger Kafka authorizer should support new resource "DelegationToken" in Apache Kafka 2.0.0 version
- [RANGER-2222] - Apache RangerKafkaPlugin support to handle Kafka Cluster as a new resource
- [RANGER-2231] - Upgrade to Knox 1.1.0
- [RANGER-2237] - Upgrade Kylin version to 2.5.0
- [RANGER-2239] - Update to surefire 2.21.0
- [RANGER-2243] - Provide option to ranger builds to specifically build a single plugin
- [RANGER-2251] - Need to provide options for making java heap size memory configurable in Ranger services
- [RANGER-2257] - Add policyID to error message when click the Access log of Audit
- [RANGER-2258] - Improve the policy list page to prompt users when the service is disabled
- [RANGER-2265] - To make the profile "all" to be active by default when ranger build
- [RANGER-2266] - To make Id to ID in Audit Pages of Ranger Admin
- [RANGER-2267] - Add an icon to differentiate the status of the service
- [RANGER-2268] - Optimize policy and tags migration to new schema
- [RANGER-2279] - Reduce the time spent changing passwords during Ranger Admin install
- [RANGER-2286] - Ranger install may be prevented by leftover DB entry
- [RANGER-2287] - Improve and optimize db_setup.py file code
- [RANGER-2291] - Make optimized db schema script idempotent for all DB Flavors
- [RANGER-2295] - Set specific Ranger version in patches status entry table
- [RANGER-2296] - Enhance Ranger Audit framework to have security zone in the audit
- [RANGER-2303] - Add kylin-plugin information to README.txt
- [RANGER-2309] - Improve group search on policy edit page.
- [RANGER-2314] - Do some code improvement for the error message in SqoopClient.java
- [RANGER-2317] - Enable compilation on JDK11
- [RANGER-2322] - Use "TLS" in SSLContext.getInstance
- [RANGER-2324] - Bootstrapping Solr in Ranger service start-up
- [RANGER-2330] - Ensure that policy/resource based searches are security-zone aware
- [RANGER-2332] - Update Grant/Revoke API access after Security zone feature
- [RANGER-2340] - Add Policy Version to the Ranger Audit log
- [RANGER-2341] - Support for Incremental policy updates to improve performance of ranger-admin and plugins by optimal building of policy-engine
- [RANGER-2345] - Upgrade Apache Solr version to 7.7.0 or later
- [RANGER-2349] - Provide an API to download policies and tags
- [RANGER-2351] - Implement Import / Export of Policies by Zone
- [RANGER-2353] - Upgrade Apache Thrift Java client library to 0.12.0
- [RANGER-2357] - Improvement on getServices API
- [RANGER-2374] - Add refresh access type to allow sharing policies between Hive and Impala
- [RANGER-2377] - Make solr bootstrapping configurable
- [RANGER-2379] - Support for associating a tag service with security zone and relevant authorization logic
- [RANGER-2382] - Improvement to Access Audit page-Add ‘agentHostname’ column to audit log table, which records IP-address/hostname of the plugin
- [RANGER-2385] - Improvement to Audit page -> Plugin status tab
- [RANGER-2386] - Code duplication due to RangerCredentialProvider.getCredentialString returns char[]
- [RANGER-2387] - add public api v2 for security zones
- [RANGER-2389] - Ranger Hive Plugin enhancement for KILL query and Replication commands authorization
- [RANGER-2390] - Ranger should add service admin privilege support for hive service objects - LLAP command sets
- [RANGER-2391] - Ranger authorization for ADD, COMPILE and CREATE TEMPORARY UDF operation in Hive
- [RANGER-2392] - Create / Update zone to have provision to associate Tag based service with zone
- [RANGER-2394] - Filter/exclude multiple users in audit search
- [RANGER-2395] - Add presto plugin
- [RANGER-2407] - [Best Practices] Update/Remove default header values sent from Ranger
- [RANGER-2408] - Restrict Ranger User's capabilities according to their role
- [RANGER-2420] - Ranger spends 36% of CPU in ObjectMapper
- [RANGER-2424] - Track and display application id of service generating access audit on access audit page
- [RANGER-2427] - Tag policies are not evaluated if no security zones are configured
- [RANGER-2431] - Upgrade Atlas version to 2.0.0
- [RANGER-2432] - Upgrade Hadoop Version to 3.1.1
- [RANGER-2435] - Add support for sticky breadcrumbs.
- [RANGER-2436] - Custom condition: Access from cluster
- [RANGER-2446] - Suggestion - Include security zone details as part of admin audit for policy update
- [RANGER-2454] - Remove the trailing slash in Ranger URL in RangerAdminJersey2RESTClient
- [RANGER-2458] - Cluster property name changes in Ranger Plugin code
- [RANGER-2464] - Upgrade spring, zookeeper, c3p0, jackson-databind, tomcat libraries
- [RANGER-2465] - Create a PolicyCondition to apply if all given tags are present for the accessed resource
- [RANGER-2466] - Improvement in setting cluster Name in RangerAccessRequest
- [RANGER-2467] - similar to clusterName custom condition, add clusterType custom condition.
- [RANGER-2468] - Upgrade jQuery version in Ranger.
- [RANGER-2475] - Replacing bootstrap accordion with jquery SlideToggle.
- [RANGER-2481] - Create a tag service when a resource service is created and link it to resource service
- [RANGER-2482] - Ranger: use Solr API to upload config set (during bootstrapping)
- [RANGER-2484] - Improve import API to merge the policies if resources are exactly same
- [RANGER-2489] - Missing dependencies in assembly for Presto plugin
- [RANGER-2490] - Add https support while using Solr API to upload config set
- [RANGER-2494] - Ranger Custom PolicyCondition for TagsNotPresent and AnyTagPresent
- [RANGER-2496] - Update Spring Security version to 4.2.13
- [RANGER-2498] - Improvement to plugin status tab.
- [RANGER-2503] - Ranger Import API should be able to override an existing policy
- [RANGER-2506] - Add cluster name in plugin status tab.
- [RANGER-2507] - Support for policy to implicitly deny all accesses not explicitly allowed by it
- [RANGER-2508] - Good coding practices for concurrent policy label creation
- [RANGER-2515] - add .gitignore for project plugin-presto and ranger-presto-plugin-shim
- [RANGER-2517] - UI changes for policy to implicitly deny all accesses not explicitly allowed by it.
- [RANGER-2523] - Ranger Admin debug config improvement
Bug
- [RANGER-1644] - Change the default Crypt Algo to use stronger cryptographic algo.
- [RANGER-1738] - RangerYarnAuthorizer not compatible with Hadoop-3.0.0
- [RANGER-1951] - build problems with the saveVersion.py script
- [RANGER-1955] - Wrong quoting in Ranger SQL install scripts
- [RANGER-2112] - Ranger KMS broken with JDK 8 update 171
- [RANGER-2114] - Internal Exception: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Data too long for column 'content' at row 1
- [RANGER-2152] - Incorrect debugging information in RangerPluginClassLoader.java
- [RANGER-2155] - Ranger Tagsync fails to Authenticate to Atlas when Tag Source set to AtlasRest in Kerberos environment
- [RANGER-2160] - 'Email Address' search is not working properly along with other filter in user listing page, userRoles filters also needs to be improved.
- [RANGER-2165] - Address JPA Cache issue when policies Create, Update and Delete are done via REST API in Apache Ranger admin
- [RANGER-2166] - A ClassNotFound exception is thrown with atlasrest as a tag source
- [RANGER-2180] - Handle token replacement correctly when token is not defined in the request context
- [RANGER-2182] - Handle upgrade scenario since atlas-service def is added with new resources for relationship
- [RANGER-2183] - Use INodeAttribute information to authorize HDFS access
- [RANGER-2186] - Increment service-specific policy and tag versions after update transaction is committed
- [RANGER-2187] - External Group search fails on Ranger UI when installed with postgres
- [RANGER-2189] - Atlas service default policies should allow relationship operations for all
- [RANGER-2193] - Form validation during testconnection should be consistent with service creation/editing
- [RANGER-2195] - TagPolicy not working due to failure in updating tag policy version
- [RANGER-2196] - Ensure that any explicit threads used by Ranger are marked as daemon threads
- [RANGER-2197] - Delegate Admin is not able to create policy
- [RANGER-2201] - Log no ranger audits when entityId value is not null or empty string
- [RANGER-2204] - Ranger Admin's admin log event for changing Audit Logging of a policy doesn't show the actual changes
- [RANGER-2213] - Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.90.
- [RANGER-2215] - Can't copy and paste multiple paths into Ranger Admin UI for HDFS create policy
- [RANGER-2220] - Admin UI loads slowly because of many small JavaScript files
- [RANGER-2224] - 'drop temporary function <udf>' command should be handled by 'global' resource and 'Temporary UDF Admin' permission.
- [RANGER-2229] - Perform graceful terminate with retries before doing forceful kill for usersync and tagsync
- [RANGER-2234] - Cannot add or update a child row, a foreign key constraint fails when installing ranger-admin
- [RANGER-2235] - Modify the login session detail page as a modal.
- [RANGER-2238] - String comparison should not use ‘==’ in ServiceUtil.java
- [RANGER-2241] - Fix release build scripts to conform to latest Apache release guidelines - Part 2 - Remove sha1 and mds
- [RANGER-2242] - JiSQL utility is failing Oracle UDF
- [RANGER-2244] - Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.
- [RANGER-2245] - Exclude Jetty libraries
- [RANGER-2247] - Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy resource is "\"
- [RANGER-2248] - Sorting does not work in AbstractPredicateUtil.java
- [RANGER-2250] - Service configs fields are not showing for atlas service form page
- [RANGER-2252] - Permission "Kafka Admin" should not be part of Topic resource in Ranger Kafka resource definition
- [RANGER-2262] - Improvement of export to excel from report listing page for Oracle database.
- [RANGER-2263] - Remove unnecessary explicit dependency for apache commons compress jar in Ranger
- [RANGER-2264] - Kafka default policies for new resources are not showing up in UI when upgrade is done from older version
- [RANGER-2269] - Implement best coding practices for validating user input
- [RANGER-2270] - Restrict tag module access to unprivileged users
- [RANGER-2272] - Ensure that case of resource-definition names and access-type names in Ranger policy is the same as in service-definition after successful validation
- [RANGER-2273] - Allow service admin and delegated admin user to view list of users and groups though they have 'USER' role
- [RANGER-2275] - Make db_setup retry delay configurable
- [RANGER-2276] - Email Address should be verified when Add New User in Ranger Admin
- [RANGER-2277] - Kylin repository config missing "Common Name for Certificate"
- [RANGER-2278] - Unable to delete user if he has references in new ref tables.
- [RANGER-2280] - The emptyText of User Sync and Plugin Status should be reasonable
- [RANGER-2282] - The error message for changing password is incorrect in User Profile page.
- [RANGER-2283] - User is getting total count of groups even if he is assigned to one group due to which pagination is breaking
- [RANGER-2284] - Unable to build image using docker
- [RANGER-2288] - Sqoop repository config missing "Common Name for Certificate"
- [RANGER-2289] - Unable to get Audit Admin tab page.
- [RANGER-2292] - Test case fix for RANGER-2276
- [RANGER-2294] - Front-end and back-end email address regular expression should be the same
- [RANGER-2297] - getContentSummary validation failure
- [RANGER-2298] - Modify JAVA_VERSION_REQUIRED to 1.8 in install.properties
- [RANGER-2299] - Modify the permissions of the kms install.properties file to 700
- [RANGER-2304] - Need to add property dfs.permissions.ContentSummary.subAccess when enabling Ranger HDFS plugin manually
- [RANGER-2305] - When Audit spooling to local filesystem is enabled, log files of the component show a wrong error message
- [RANGER-2306] - Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
- [RANGER-2307] - Native code can segfault or return misleading error messages
- [RANGER-2311] - After the user profile is updated, the page still displays the original information.
- [RANGER-2313] - tagsync fails to authenticate with ranger in kerberized cluster when using ranger-tagsync-update.sh script
- [RANGER-2316] - Incorrect path in Quick Start Guide at http://ranger.apache.org/quick_start_guide.html
- [RANGER-2318] - Incorrect git url on the homepage
- [RANGER-2321] - Docker build fails due to PhantomJS dependency
- [RANGER-2326] - zoneName field is getting added with type "boolean" in Ranger Solr schema
- [RANGER-2327] - Update Ranger db schema to use common sequence name
- [RANGER-2328] - Time-based policies do not work correctly if access time is not set in the authorization request
- [RANGER-2333] - Logs do not get generated for Zone Description field available on Security Zone page.
- [RANGER-2334] - Audits: filter out service audit logs and additional users logs from user audit logs
- [RANGER-2335] - Overlapping of 'include' toggle button on policy create/edit page.
- [RANGER-2336] - Ranger HBase plugin should pack guava lib as a dependency.
- [RANGER-2337] - Context-Enrichers need to clean up completely when the policy-engine is destroyed
- [RANGER-2339] - UI changes for User role users should also have access to Security Zone
- [RANGER-2342] - Exclude jackson jaxrs library from ranger-admin packaging
- [RANGER-2343] - Evaluate tag policies in the same security zone as accessed resource
- [RANGER-2344] - Ranger HBase Test failure due to Mini HBase cluster start up issue.
- [RANGER-2347] - Restrict capabilities of security zone administrator and auditor
- [RANGER-2350] - Ranger UI: Clicking on zone edit Breadcrumb redirect to 404 page not found
- [RANGER-2352] - Ranger installation is failing for Oracle and Postgres DB
- [RANGER-2355] - Reports page: policy listing to have column of Zone name
- [RANGER-2356] - External user's email address can be edited
- [RANGER-2359] - Show zone association with tag based service.
- [RANGER-2367] - Hive "show grants" when Ranger is authorizer should show permission details from Ranger
- [RANGER-2371] - Security Zone policies do not work correctly when incremental policy updates are enabled
- [RANGER-2372] - Remove non-existing URL entries from spring config file
- [RANGER-2373] - User creation POST and PUT response not showing groupIdList and groupNameList with expected data
- [RANGER-2375] - RangerAuthContext is not correctly initialized
- [RANGER-2376] - Ranger Plugin ClassLoader Doesn't Restore Thread ClassLoader
- [RANGER-2381] - Failed to refresh policies when servicename contains space
- [RANGER-2383] - Incorrect response when trying to delete user attached to a security zone
- [RANGER-2384] - Get All Zones API is returning response in raw format, proper response object is required.
- [RANGER-2396] - Inconsistency in policy operations in a disabled Ranger service
- [RANGER-2397] - HiveServer2 fails to start with Hive Plugin for Ranger
- [RANGER-2399] - User's listing page hits users API call twice from UI
- [RANGER-2400] - policy name needs to be unique within security zone and service
- [RANGER-2401] - Ranger Security Zone needs to be added in audit type filter in admin audit
- [RANGER-2403] - proper error should be thrown when service part of zone being deleted
- [RANGER-2404] - Delegate-admin permission granted by policy needs to be effective only within the zone to which the policy belongs
- [RANGER-2405] - Evaluation of Ranger policies targeted to valid but partial resources
- [RANGER-2406] - rangerusersync open too many session for ldap sync
- [RANGER-2409] - Policy level condition sample matcher initialization issue
- [RANGER-2411] - Restrict Admin role user to create Zone for KMS service
- [RANGER-2412] - Policy Condition Evaluators existing and newly created should work in both policy level and policy item level
- [RANGER-2413] - Python script to update rangertagsync config properties
- [RANGER-2415] - Value of isExcludes flag needs to be considered when matching accessed resource to Ranger policy
- [RANGER-2417] - Set Atlas Entity owner to RangerAccessResource ownerUser attribute for Atlas Ranger Plugin
- [RANGER-2419] - Improve sql script to skip statements when atlas service def is not supported
- [RANGER-2421] - Solr audit fails in Atlas plugin
- [RANGER-2423] - Ranger KnoxSSO authentication in Ranger HA environment
- [RANGER-2430] - Zoneadmin User is able to create policy for those services which is not associated to zone
- [RANGER-2434] - Remove dependency from com.google.common.base.Objects or MoreObjects
- [RANGER-2437] - Update grant/revoke error message to provide more information about the principal type
- [RANGER-2438] - Legacy PublicAPI REST API to get all policies fails
- [RANGER-2439] - Unable to view policy details from access audits when policy has policy condition at policy level
- [RANGER-2444] - Admin logs are not getting generated when "policy level" policy condition is updated
- [RANGER-2445] - Import of Tag based policies for zone
- [RANGER-2449] - if service part of zone is not present then null pointer exception is thrown
- [RANGER-2451] - Atlas plugin is not working when security zone is created for Atlas service in Ranger Admin.
- [RANGER-2453] - Tag data-masking policy should allow only one tag as resource
- [RANGER-2455] - When service created inside a zone landing page that service gets created in unzoned landing page.
- [RANGER-2456] - Upgrade of Ranger Admin to the current version fails in PatchForKafkaServiceDefUpdate_J10025
- [RANGER-2459] - [E] ranger_core_db_mysql.sql file import failed!
- [RANGER-2463] - Ranger admin authorization audits fails intermittently to fetch from Solr
- [RANGER-2469] - java.lang.IllegalArgumentException: More than one fragment with the name during Ranger start after RANGER-2464
- [RANGER-2473] - Upgrade of Ranger Admin to the current version fails in PatchForAtlasResourceAndAccessTypeUpdate_J10016
- [RANGER-2474] - Policy version and details in access audits wrong when deny condition added to policy
- [RANGER-2478] - Exception in thread "main" java.lang.NoClassDefFoundError: com/google/common/base/Preconditions
- [RANGER-2479] - Change test connection preferred SQL statement for Oracle DB Flavor
- [RANGER-2480] - Hive URL Policy doesn't match if recursive flag is on for the url resource
- [RANGER-2485] - Security zone filter is causing Ranger audit access request waiting for longer
- [RANGER-2487] - Resource policy names with characters that are typically HTML escaped mutate and grow as they are saved.
- [RANGER-2493] - Ranger takes long time to delete a service with many policies
- [RANGER-2500] - Zone Policies not getting imported when 'updateIfExists=true' is passed through curl.
- [RANGER-2502] - Presto plugin insert bug
- [RANGER-2509] - Add validation message for Importing non JSON file on import action.
- [RANGER-2511] - default tag based service is getting created for the tag based service
- [RANGER-2513] - Unable to delete user if he has references in new ref tables.
- [RANGER-2514] - Search field validation prompt is inconsistent with field names in audit page
- [RANGER-2516] - Update Ranger default policies to provide entity-read access to public group
- [RANGER-2518] - Allow service creator to delete the service
- [RANGER-2519] - Import policy may fail if a policy exists with same guid in another service
- [RANGER-2520] - Prevent Roles to be saved in Ranger Role Management page when user or groups are not added to the role
Test
- [RANGER-2150] - Unit test coverage for XUserMgr and UserMgr class
- [RANGER-2171] - Unit Test cases to cover policy operations from service admin user
Task
- [RANGER-2198] - Remove deprecated client API from HBase plugin
- [RANGER-2226] - Define explicit (test) dependency on json-smart in the Knox agent
- [RANGER-2256] - Grammatical error in UI
- [RANGER-2422] - Zone Admin and Zone Auditor can see only its associated audit access log
- [RANGER-2452] - Release Ranger 2.0.0
Sub-task
- [RANGER-2175] - Write install guide for Ranger Elasticsearch plugin RANGER-2170
- [RANGER-2219] - De-normalize schema for storing tags and related objects
- [RANGER-2260] - Atlas servicedef version change patch should update atlas access type def for tag def also.
- [RANGER-2274] - Allow delegated admin user to view list of users and groups though they have 'USER' role
- [RANGER-2293] - Create and update ref tables for security zone data
- [RANGER-2310] - Record admin audits in Ranger during Create, Update and Delete operations on Zone
- [RANGER-2320] - Make db schema patches script idempotent for all DB Flavors
- [RANGER-2402] - Best Practices: Make db schema script idempotent
- [RANGER-2429] - Ranger KMS is not starting properly
- [RANGER-2477] - Ranger KnoxSSO authentication when X-Forwarded-Host header is not forwarded