New Features 

  • [RANGER-2640] - Implement SHOW ROLE GRANT in Hive ranger plugin
  • [RANGER-3000] - Audit-filter feature implementation to help reduce volume of audit logs generated
  • [RANGER-3191] - Ranger UI for configuring Audit filters.
  • [RANGER-3241] - Need feature to make the access log file name configurable
  • [RANGER-3242] - Need feature to make the access log file name configurable for user
  • [RANGER-3248] - In Ranger Audit collection number of shards should be depending on the number of infra-solr nodes
  • [RANGER-3249] - Enhance RangerScriptExecutionContext class to provide APIs for comprehensive tag information
  • [RANGER-3397] - Update ACL computation to (optionally) expand Ranger Roles to users and groups and include chained-plugins in ACL computation

Improvements 

  • [RANGER-2767] - Ranger showing only 100 services in ranger admin ui
  • [RANGER-2910] - Add kerberos and SSL support for client libraries
  • [RANGER-2937] - Refresh Ranger's Solr configs
  • [RANGER-2946] - Ranger UI - third party library version upgrades
  • [RANGER-2950] - Upgrade Spring framework and Spring Security libraries
  • [RANGER-2972] - REST api to delete service/ repo using cluster name
  • [RANGER-2983] - Add HBase users with decrypteek permission in default policy for kms
  • [RANGER-2986] - Performance improvements for Ranger usersync
  • [RANGER-2995] - Add 'exclude service users' option in URL param
  • [RANGER-2996] - Add search by Roles and Auditor user should be able to see "Roles" tab
  • [RANGER-2998] - API for Ranger KMS service status
  • [RANGER-3001] - Update Ranger KafkaClient to use Kafka AdminClient API instead of Zookeeper

  • [RANGER-3002] - Query info popup stuck in Ranger access audits view
  • [RANGER-3006] - Add cluster name field to service create form
  • [RANGER-3008] - Internal API for controlling Trie behavior
  • [RANGER-3011] - Code improvement for Audit Access Log Detail popup
  • [RANGER-3012] - Dockerfile to support building from local repository
  • [RANGER-3013] - Remove minor version of "jna" jar file
  • [RANGER-3017] - RangerHiveAuthorizer should authorize URL in Hive tempUDFs operation
  • [RANGER-3020] - Normalize naming and processing of config parameters for chained plugin
  • [RANGER-3024] - Improve response time and refactor code for GET API /service/xusers/lookup/users
  • [RANGER-3027] - Improve response time for GET API service/xusers/users
  • [RANGER-3029] - Ranger - Upgrade handlebars 1.3.0 to 4.6.0
  • [RANGER-3044] - User is not able to change the password from user profile page
  • [RANGER-3050] - Password can not be changed in User Profile page
  • [RANGER-3056] - Show Audit ID in Audit->Access tab
  • [RANGER-3057] - Support Audit search based on Audit ID
  • [RANGER-3065] - RangerServiceResource model object needs to be enhanced to store/track any additional information about the resource
  • [RANGER-3067] - Schema changes to improve performance of chained plugin feature
  • [RANGER-3076] - [New UI] if service side bar expanded then include/exclude toggle button in hive policy gets shrink
  • [RANGER-3078] - Supporting import policy based on PolicyName, ServiceName and ZoneName
  • [RANGER-3087] - Making db_setup.py fool-proof and robust
  • [RANGER-3091] - Upgrade solr version in Ranger to Solr 8.6.3
  • [RANGER-3096] - Upgrade to Kafka 2.5 with kafka_2.12 artifact in Ranger
  • [RANGER-3103] - Ranger KMS should log full UGI principal
  • [RANGER-3105] - Upgrade Ranger Tomcat to 8.5

  • [RANGER-3109] - Ranger Access audit improvements
  • [RANGER-3118] - Upgrade jackson to 2.11.3
  • [RANGER-3119] - Upgrade to slf4j 1.7.30
  • [RANGER-3120] - [Ranger Latest UI] Long tag based service names are not shown correctly
  • [RANGER-3122] - Support delegate-admin for specific permissions
  • [RANGER-3130] - [Ranger Admin UI] Improvement in Ranger Latest UI's Edit Policy Page
  • [RANGER-3131] - Remove some warnings in Maven build output
  • [RANGER-3147] - enhance resource-trie to enable finding evaluators for a given resource and its children
  • [RANGER-3153] - Upgrade to TLS to version 1.2 and above
  • [RANGER-3157] - Improvements for audit details page part-2
  • [RANGER-3168] - User/Auditor should have read-only access for Servicedef via PublicAPIsv2 API
  • [RANGER-3185] - Docker setup to run Ranger enabled HiveServer2
  • [RANGER-3186] - [Ranger Access Audit Improvement]Changes done from one user, persists for other users as well.
  • [RANGER-3192] - Use read-write locks for managing access to policy-engine and tag-repository
  • [RANGER-3196] - Docker setup to cache archives to avoid repeated downloads
  • [RANGER-3200] - Ranger KMS - Upgrade api-i18n jar from 1.0.0-M20 to 1.0.2+
  • [RANGER-3201] - Ranger KMS - Upgrade api-i18n jar from 1.0.0-M20 to 1.0.2+
  • [RANGER-3202] - Ranger KMS - Upgrade api-i18n jar from 1.0.0-M20 to 1.0.2+
  • [RANGER-3206] - Enhance db_setup.py to allow reading env variables set in ranger-admin-env scripts
  • [RANGER-3207] - Graceful handling of invalid usernames for usersync
  • [RANGER-3209] - Upgrade netty-all.version 4.1.49.Final to 4.1.60.Final
  • [RANGER-3210] - Upgrade Tomcat to 8.5.63+
  • [RANGER-3212] - Java client: Support for SSL, kerberos and packaging
  • [RANGER-3213] - Ranger - Upgrade to velocity 2.3
  • [RANGER-3214] - Configure default audit filters when ranger repo is created
  • [RANGER-3223] - Documentation of Ranger Java Client
  • [RANGER-3227] - Get Exception when visit result of RangerClient.findRoles()
  • [RANGER-3228] - Improvement in audit filter feature
  • [RANGER-3239] - Ranger : Add checkbox for default audit filters on Service Creation page
  • [RANGER-3240] - Show Latest Response from Server on all pages of Ranger UI
  • [RANGER-3246] - Upgrade netty-all version to 4.1.61.Final +
  • [RANGER-3247] - [UI-improvement] Ranger admin audit log does not show service/repo name in the policy operation
  • [RANGER-3250] - Add relevant indexes to database table to speed up ingress processing of tagged entities
  • [RANGER-3251] - [Ranger Audit Filters UI] Tag, KMS service not showing the audit filters in UI section
  • [RANGER-3052] - Cannot search by object name in page /reports/audit/admin
  • [RANGER-3253] - Make incremental policy change computation more resilient
  • [RANGER-3254] - sync source changes when same group is present in different sync source
  • [RANGER-3284] - Simplify processing of tasks scheduled to execute after current transaction is completed
  • [RANGER-3285] - expose user source details in ranger UI
  • [RANGER-3287] - Improve Tagsync authentication error reporting
  • [RANGER-3293] - Show user source details on user tab in ranger UI.
  • [RANGER-3295] - Update Ranger Policy Engine capability matrix
  • [RANGER-3305] - Service version update improvements
  • [RANGER-3306] - Allow comma in policy resource text field.
  • [RANGER-3308] - Create python script to test stability of policy CRUD
  • [RANGER-3309] - Support batch upload of tags to Ranger
  • [RANGER-3324] - Make optimised db schema script idempotent for all DB Flavors.
  • [RANGER-3328] - RANGER-KMS : code improvement
  • [RANGER-3334] - Enhance Ranger admin REST Client to use cookie for policy, tag and role download
  • [RANGER-3339] - Make Ranger Solr audit collection storage configurable
  • [RANGER-3347] - Add default policy for hbase user in hdfs services
  • [RANGER-3349] - Handling multiple grant role command for same user
  • [RANGER-3357] - Ranger HivePlugin Authorization for a new Hive operation
  • [RANGER-3358] - Ranger - Upgrade Tomcat to 8.5.69
  • [RANGER-3360] - Best Practice: Use updated policy object after pruning the policy object
  • [RANGER-3361] - Ranger Admin : Improve error message while deleting users and groups associated with role.
  • [RANGER-3362] - UI Improvements 
  • [RANGER-3363] - Support Session Inactivity Timeout for Ranger
  • [RANGER-3371] - Update algorithm to build Ranger policy-database object from Ranger policy-view object
  • [RANGER-3374] - Syncing 300K+ user group mappings to ranger is causing ranger to go out of memory
  • [RANGER-3376] - Add policy_guid column in x_policy_change_log table
  • [RANGER-3381] - Upgrade to junit 4.13.1
  • [RANGER-3384] - Metric Get API add input validation
  • [RANGER-3388] - Session Inactivity Timeout: Ranger UI part
  • [RANGER-3396] - RangerPolicyItemRowFilterInfo::toString() method shows "RangerPolicyItemDataMaskInfo" as class name
  • [RANGER-3447] - Ranger startup optimization: reduce number of DB queries to read service-defs


Bugs

  • [RANGER-2940] - Added code to update user roles when group memberships are changed with AD/LDAP incremental sync
  • [RANGER-2981] - Unwanted popup display on Security Zone Tab

  • [RANGER-2985] - User with all permission in ranger is not able to update volume
  • [RANGER-2987] - Remove unused ratis jars in ranger admin packaging for ozone plugin
  • [RANGER-2988] - Role Name Search filter is not available on policy listing page
  • [RANGER-2991] - Ranger should close solrclient connection
  • [RANGER-2997] - Ranger usersync role assignment issues
  • [RANGER-3002] - Query info popup stuck in Ranger access audits view
  • [RANGER-3007] - Ozone & Ranger Upgrade: Not able to access volume after Upgrade
  • [RANGER-3014] - Revert RANGER-2789 GET API service/xusers/users turns very slow when there are more than 1000 users
  • [RANGER-3021] - RangerRole Version update is not in correct format in an upgraded cluster
  • [RANGER-3034] - Remove cached policies in plugin if the service is deleted in Ranger admin
  • [RANGER-3037] - Import policy API is not returning proper response in case pre authorization fails
  • [RANGER-3038] - Group memberships not getting updated to ranger
  • [RANGER-3058] - create table fails when ViewDFS(client side HDFS mounting fs) mount points are targeting to Ozone/S3 FS
  • [RANGER-3060] - Maven build failing due to PMD violations
  • [RANGER-3061] - Default configuration error when enable ssl for ranger admin
  • [RANGER-3062] - Even after removing ‘Security Zone’ permission for an user, UI still shows ‘Security Zone’ tab
  • [RANGER-3064] - Make policy API consistent with the UI behavior for keyadmin role
  • [RANGER-3068] - Ranger Usersync is not handling error during initialization process
  • [RANGER-3070] - Add Support for using {OWNER} placeholder in Ozone Ranger Plugin
  • [RANGER-3071] - Supporting character set which is not included in latin1
  • [RANGER-3073] - Incorrect UI hint message for password validation in FIPS environment
  • [RANGER-3074] - Fix build issues
  • [RANGER-3079] - Fix build failures for ranger-2.2 branch
  • [RANGER-3083] - denyAllElse policy does not handle access request with access-type of '_any'
  • [RANGER-3084] - Ranger database connection fails when postgres is SSL enabled & postgresql-42.2.14 driver jar is used
  • [RANGER-3088] - Build tagged-resource-cache using memory optimization flags identical to policy-cache
  • [RANGER-3090] - KMS setup.sh fails due to blank property value of ranger.ks.db.ssl.certificateFile
  • [RANGER-3093] - Add required libraries to ranger-tools to ensure that perftester scripts run correctly
  • [RANGER-3094] - Ranger HDFS audit not capturing the correct path for write rename operations
  • [RANGER-3095] - not able to list the keys with a user whose id contains non latin character
  • [RANGER-3098] - Updates to validity period of tag are not reflected in Ranger database
  • [RANGER-3101] - Ranger usersync not recovering from initial errors in subsequent syncs
  • [RANGER-3104] - Ranger Hive policy with nested Roles failed to authorize request
  • [RANGER-3107] - Optimize memory requirements for storing Tag/Policy/Zone trie - Trade-off processing time for memory
  • [RANGER-3112] - Ranger usersync unit test cases are failing on mac
  • [RANGER-3117] - Need feature to capture URL of a particular instance of audit event
  • [RANGER-3121] - HBase list command authorization issue in Ranger
  • [RANGER-3124] - Search filter with user name having non latin character is not working on Audit>>Access tab
  • [RANGER-3129] - Python client uses incorrect default value assignment for method parameters
  • [RANGER-3134] - Remove global JAAS Configuration for Ranger auditing to SOLR
  • [RANGER-3140] - Ranger ShutdownHook hook to be called in RangerHBaseCoprocessor preShutdown apis for a clean shutdown of HBase
  • [RANGER-3143] - Ranger usersync, user group mapping for user deletion is not syncing up, if only one user is present in the group
  • [RANGER-3149] - Adding exisitng policy check for PatchForKafkaServiceDefUpdate_J10033
  • [RANGER-3156]  - RangerResouceTrie.add() and RangerResourceTrie.delete() do not work correctly for the resources containing wildcards
  • [RANGER-3159]  - Having any permission on hbase tables should allow listing of tables
  • [RANGER-3163] - Ranger Database deadlock when Service creation and user sync are running parallel
  • [RANGER-3169] - Ranger Usersync config for keystore type and truststore type for LDAPS are not effective
  • [RANGER-3171] - Ranger ui became broken after logout in Firefox
  • [RANGER-3172] - Patch to migrate old policy to use new Policy Ref table
  • [RANGER-3175] - Add back the support to provide option to retrieve users from group member attribute
  • [RANGER-3178] - Fix spurious full policy/tag downloads when incremental policy/tag updates are enabled
  • [RANGER-3187] - Roles download failed in Ranger after upgrade
  • [RANGER-3190] - Skip python unit tests if requests library not present
  • [RANGER-3194] - Ranger Access Audits page not loading
  • [RANGER-3199] - illegal reflective access operation warning in KMS catalina.out logs
  • [RANGER-3203] - Add back the support to provide option to retrieve groups from user memberof attribute
  • [RANGER-3205] - Policy Item not render in report page
  • [RANGER-3207] - Graceful handling of invalid usernames for usersync
  • [RANGER-3208] - NPE in Ranger policy engine when processing SELF_OR_CHILD scoped search
  • [RANGER-3218] - User getting denied even after having tag based policy
  • [RANGER-3220] - Zone name is not getting populated for tag based policy.
  • [RANGER-3224] - Not able to delete security-zone
  • [RANGER-3229] - Correct Kafka default policy item for all-delegation token and rangerlookup user
  • [RANGER-3233] - Ranger Kafka Plugin changes to get the UGI from Kafka client JAAS config instead of Subject from Kafka LoginManager
  • [RANGER-3234] - Ranger db patch no 045 is failing for oracle db.
  • [RANGER-3235] - Remove hive-exec dependency from Ranger audit frame work
  • [RANGER-3238] - Incorrect response for 'ranger_metric denyconditions' in Collect Diagnostic Data
  • [RANGER-3252] - Inconsistent behavior in Ranger Role authorization with in same hive beeline session
  • [RANGER-3259] - [Ranger Audit Filter] Ranger role is allowed to delete, even if its used in audit filters
  • [RANGER-3260] - Update default hdfs audit filters to filter out unwanted audits
  • [RANGER-3261] - Remove unused .htaccess file from component
  • [RANGER-3262] - Ranger group memberships are not working for LDAP sync
  • [RANGER-3263] - libthrift 0.14.x exclude tomcat-embed-core from dependency
  • [RANGER-3264] - [Solr Ranger Plugin] Add support/Fix Test connection with Solr service
  • [RANGER-3266] - Solr inter-node communication not working after enabling Ranger
  • [RANGER-3268] - Ranger Audit filter should filter audits that are created by Hive Role command operations
  • [RANGER-3272] - Zone tag policies are getting deleted when zone is updated
  • [RANGER-3275] - Need to update solr-config.xml in the ranger-audits collection config-set
  • [RANGER-3277]- Number of users/groups marked for delete are not shown in logs
  • [RANGER-3280]- Ensure that the policy/tag versions gets correctly updated for every change to service/policy/tag
  • [RANGER-3286] - Oracle upgrade fails with oracle: SQLSyntaxErrorException in 052-add-unique-constraint-on-change-logs
  • [RANGER-3288] - Ranger Audit Filters doesn't filter hdfs read operation when filter is set to not audit read
  • [RANGER-3291] - NPE in BasePlugin if the first policy download contains no policies and no policy-deltas
  • [RANGER-3292[ - Fix ConcurrentModificationException from RangerTransactionSynchronizationAdapter
  • [RANGER-3294] - AccessResult attribute with isAudited as false not filtered in Ranger Audit Filter
  • [RANGER-3297] - Internal user is not marked as external after the user sync source details are changed
  • [RANGER-3301] - [UI] in admin audit log tables not formatted correctly for long string value for resources.
  • [RANGER-3304] - Create solr audit conf zip archive
  • [RANGER-3311] - Ranger Usersync not retrying failed updates for unix or file sync source
  • [RANGER-3312] - Role is getting removed from policy when user present in that policy is deleted
  • [RANGER-3320] - ranger tags are not added for when tagging identically named database/tables in two different Ranger services
  • [RANGER-3322] - remove grant of public synonym privileges for oracle db
  • [RANGER-3323] - Ranger Hive Table lookup is not working
  • [RANGER-3325] - Roles information not present in the Excel and CSV files which are downloaded from Reports page
  • [RANGER-3333] - Ozone Ranger Audits are not showing up in Ranger Admin UI for "om" service user
  • [RANGER-3336] - All policies are exported, when searching reports using roles
  • [RANGER-3337] - Ranger policy not taking effect with HDFS Snapshots
  • [RANGER-3338] - Masking and Row filter policy are getting exported from report page when Policy type=Access
  • [RANGER-3341] - External user's role creation may fail in certain version of MariaDB
  • [RANGER-3343] - Ranger policy cache is incorrect in some scenario
  • [RANGER-3344] - Ranger Admin fails to start with java.lang.NoClassDefFoundError: org/apache/htrace/core/Tracer$Builder
  • [RANGER-3345] - Default Ranger policy for KMS should include "om" user for Ozone bucket level encryption to work
  • [RANGER-3350] - Ranger HivePluginAuthorizer SHOW CURRENT ROLES not fetching the role set in current hive beeline session
  • [RANGER-3351] - Incorrect hive query displayed for grant and revoke role command
  • [RANGER-3353] - Show roles is not listing all roles
  • [RANGER-3355] - Ranger Admin : Update the current logging mechanism to use custom log4j conf
  • [RANGER-3366] - Cluster type is missed in copy constructor of RangerAccessRequestImpl
  • [RANGER-3367] - [Intermittent] Ranger Admin perf logs are not getting logged after Spring Security upgrade
  • [RANGER-3372] - Issue in policies search on report page with user having more than one unix group
  • [RANGER-3385] - Duplicate SQL prefix should not be allowed
  • [RANGER-3387] - Ranger Admin Header Validation
  • [RANGER-3398] - Duplicate JAVA patch suffix should not be allowed
  • [RANGER-3404] - user with no permissions can access and edit delegate admin only policies
  • [RANGER-3419] -  compressDeltas method returns two ranger policy entries for policy create+update case when provided lastKnownVersion is previous to create call
  • [RANGER-3441] - PropertiesUtil (Admin) logging potentially sensitive data
  • [RANGER-3446] - log4j initialization failure in docker setup
  • [RANGER-3455] - [Logout-Ranger] Should either be disabled/ should redirect to knox logout page
  • [RANGER-3462] - User with delegated admin permission on a resource cannot fetch policy for the resource
  • [RANGER-3480] - Policy version in access audit is not matching with the policy version seen in policy view
  • [RANGER-3481] - Incremental policy updates do not work correctly for multiple security zones
  • [RANGER-3489] - Add htrace-core.jar as dependency for various Ranger Plugins
  • No labels