Release Notes - Ranger - Version 2.0.0

New Feature

  • [RANGER-2049] - Support doAs in Ranger Admin Portal / REST API
  • [RANGER-2170] - Ranger supports plugin to enable, monitor and manage Elasticsearch
  • [RANGER-2209] - Service Definition for ABFS to support Ranger Authorization
  • [RANGER-2232] - Security Zones feature in Apache Ranger
  • [RANGER-2281] - Support Trusted Proxy in ranger
  • [RANGER-2325] - Implement ranger plugin for Ozone
  • [RANGER-2331] - Ranger-KMS - KeySecure HSM Integration
  • [RANGER-2354] - Add custom condition at policy level
  • [RANGER-2414] - Enhancements to support roles in Ranger policies
  • [RANGER-2425] - Enhance ranger hive plugin to support sql role commands
  • [RANGER-2443] - Ranger UI support for access via Knox Trusted Proxy

Improvement

  • [RANGER-1715] - Enhance Ranger Hive Plugin to support authorization on Hive replication Tasks
  • [RANGER-1851] - Enhance Ranger Hive Plugin to support authorization for KILL QUERY command
  • [RANGER-1935] - Upgrade Ranger to support Apache Hadoop 3.0.0
  • [RANGER-1958] - [HBase] Implement getUserPermissions API of AccessControlService.Interface to allow clients to access HBase permissions stored in Ranger
  • [RANGER-1978] - Upgrade Jackson Databind to 2.8.11
  • [RANGER-2093] - RangerHiveAuthorizer showPrivileges should show Hive Objects ACLs from Ranger
  • [RANGER-2140] - Upgrade spring and guava libraries
  • [RANGER-2148] - Update Ranger Hive dependency version to 3.0
  • [RANGER-2151] - Update Ranger Hbase dependency version to 2.0
  • [RANGER-2153] - Supply the function of reverting policy history version.
  • [RANGER-2157] - Add NiFi Registry service definition and NiFiRegistryClient
  • [RANGER-2158] - Performance improvement to REST API call to update policies
  • [RANGER-2161] - Improvement in policy screen permission item's
  • [RANGER-2162] - Upgrade c3p0 libraries
  • [RANGER-2164] - Ranger to add default atlas policy for rangertagsync user.
  • [RANGER-2167] - Upgrade to Apache parent pom version 20
  • [RANGER-2168] - Add service admin user through service config
  • [RANGER-2169] - Create unique index on service and name column of x_policy table
  • [RANGER-2172] - Good coding practices for unix authentication Service in Ranger
  • [RANGER-2173] - Optimize Trie construction and Policy lookup
  • [RANGER-2177] - Handle validations for duplicate configuration item during service create/edit
  • [RANGER-2181] - Code Improvement To Follow Best Practices
  • [RANGER-2184] - Update RangerAtlas authorization to authorize add/update/remove of relationships
  • [RANGER-2188] - Support multiple threads to build Trie and on-lookup post-setup for Trie nodes
  • [RANGER-2191] - Update ranger-tool with new options to control Trie
  • [RANGER-2203] - Review and update database schema for ranger policies to minimize database queries/updates
  • [RANGER-2207] - Allow resources to appear in column mask policies without being visible in access policies
  • [RANGER-2208] - Code improvement to fetch User/Group information and Service Config details
  • [RANGER-2210] - Ranger support for Apache Kafka 2.0.0
  • [RANGER-2212] - Add multiple urls tips for the ‘Kylin URL’ configuration item when creating the kylin-plugin service
  • [RANGER-2214] - Do some code improvement for the error message for KylinClient.java
  • [RANGER-2216] - Ranger Audit UI lacks the feature to search the audits using Policy Id
  • [RANGER-2218] - Service-Definition update should not allow updates to names of resources, access-types, conditions or data-masks
  • [RANGER-2221] - Apache Ranger Kafka authorizer should support new resource "DelegationToken" in Apache Kafka 2.0.0 version
  • [RANGER-2222] - Apache RangerKafkaPlugin support to handle Kafka Cluster as a new resource
  • [RANGER-2231] - Upgrade to Knox 1.1.0
  • [RANGER-2237] - Upgrade Kylin version to 2.5.0
  • [RANGER-2239] - Update to surefire 2.21.0
  • [RANGER-2243] - Provide option to ranger builds to specifically build a single plugin
  • [RANGER-2251] - Need to provide options for making java heap size memory configurable in Ranger services
  • [RANGER-2257] - Add policyID to error message when click the Access log of Audit
  • [RANGER-2258] - Improve the policy list page to prompt users when the service is disabled
  • [RANGER-2265] - To make the profile "all" to be active by default when ranger build
  • [RANGER-2266] - To make Id to ID in Audit Pages of Ranger Admin
  • [RANGER-2267] - Add a icon to differentiate the status of the service
  • [RANGER-2268] - Optimize policy and tags migration to new schema
  • [RANGER-2279] - Reduce the time spent changing passwords during Ranger Admin install
  • [RANGER-2286] - Ranger install may be prevented by leftover DB entry
  • [RANGER-2287] - Improve and optimize db_setup.py file code
  • [RANGER-2291] - Make optimized db schema script idempotent for all DB Flavors
  • [RANGER-2295] - Set specific Ranger version in patches status entry table
  • [RANGER-2296] - Enhance Ranger Audit framework to have security zone in the audit
  • [RANGER-2303] - Add kylin-plugin information to README.txt
  • [RANGER-2309] - Improve group search on policy edit page.
  • [RANGER-2314] - Do some code improvement for the error message in SqoopClient.java
  • [RANGER-2317] - Enable compilation on JDK11
  • [RANGER-2322] - Use "TLS" in SSLContext.getInstance
  • [RANGER-2324] - Bootstrapping Solr in Ranger service start-up
  • [RANGER-2330] - Ensure that policy/resource based searches are security-zone aware
  • [RANGER-2332] - Update Grant/Revoke API access after Security zone feature
  • [RANGER-2340] - Add Policy Version to the Ranger Audit log
  • [RANGER-2341] - Support for Incremental policy updates to improve performance of ranger-admin and plugins by optimal building of policy-engine
  • [RANGER-2345] - Upgrade Apache Solr version to 7.7.0 or later
  • [RANGER-2349] - Provide an API to download policies and tags
  • [RANGER-2351] - Implement Import / Export of Policies by Zone
  • [RANGER-2353] - Upgrade Apache Thrift Java client library to 0.12.0
  • [RANGER-2357] - Improvement on getServices API
  • [RANGER-2374] - Add refresh access type to allow sharing policies between Hive and Impala
  • [RANGER-2377] - Make solr bootstrapping configurable
  • [RANGER-2379] - Support for associating a tag service with security zone and relevant authorization logic
  • [RANGER-2382] - Improvement to Access Audit page-Add ‘agentHostname’ column to audit log table, which records IP-address/hostname of the plugin
  • [RANGER-2385] - Improvement to Audit page -> Plugin status tab
  • [RANGER-2386] - Code duplication due to RangerCredentialProvider.getCredentialString returns char[]
  • [RANGER-2387] - add public api v2 for security zones
  • [RANGER-2389] - Ranger Hive Plugin enhancement for KILL query and Replication commands authorization
  • [RANGER-2390] - Ranger should add service admin privilege support for hive service objects - LLAP command sets
  • [RANGER-2391] - Ranger authorization for ADD, COMPILE and CREATE TEMPORARY UDF operation in Hive
  • [RANGER-2392] - Create / Update zone to have provision to associate Tag based service with zone
  • [RANGER-2394] - Filter/exclude multiple users in audit search
  • [RANGER-2395] - Add presto plugin
  • [RANGER-2407] - [Best Practices] Update/Remove default header values sent from Ranger
  • [RANGER-2408] - Restrict Ranger User's capabilities according to their role
  • [RANGER-2420] - Ranger spends 36% of CPU in ObjectMapper
  • [RANGER-2424] - Track and display application id of service generating access audit on access audit page
  • [RANGER-2427] - Tag policies are not evaluated if no security zones are configured
  • [RANGER-2431] - Upgrade Atlas version to 2.0.0
  • [RANGER-2432] - Upgrade Hadoop Version to 3.1.1
  • [RANGER-2435] - Add support for sticky breadcrumbs.
  • [RANGER-2436] - Custom condition: Access from cluster
  • [RANGER-2446] - Suggestion - Include security zone details as part of admin audit for policy update
  • [RANGER-2454] - Remove the trailing slash in Ranger URL in RangerAdminJersey2RESTClient
  • [RANGER-2458] - Cluster property name changes in Ranger Plugin code
  • [RANGER-2464] - Upgrade spring, zookeeper, c3p0, jackson-databind, tomcat libraries
  • [RANGER-2465] - Create a PolicyCondition to apply if all given tags are present for the accessed resource
  • [RANGER-2466] - Improvement in setting cluster Name in RangerAccessRequest
  • [RANGER-2467] - similar to clusterName custom condition, add clusterType custom condition.
  • [RANGER-2468] - Upgrade jQuery version in Ranger.
  • [RANGER-2475] - Replacing bootstrap accordion with jquery SlideToggle.
  • [RANGER-2481] - Create a tag service when a resource service is created and link it to resource service
  • [RANGER-2482] - Ranger: use Solr API to upload config set (during bootstrapping)
  • [RANGER-2484] - Improve import API to merge the policies if resources are exactly same
  • [RANGER-2489] - Missing dependencies in assembly for Presto plugin
  • [RANGER-2490] - Add https support while using Solr API to upload config set
  • [RANGER-2494] - Ranger Custom PolicyCondition for TagsNotPresent and AnyTagPresent
  • [RANGER-2496] - Update Spring Security version to 4.2.13
  • [RANGER-2498] - Improvement to plugin status tab.
  • [RANGER-2503] - Ranger Import API should be able to override an existing policy
  • [RANGER-2506] - Add cluster name in plugin status tab.
  • [RANGER-2507] - Support for policy to implicitly deny all accesses not explicitly allowed by it
  • [RANGER-2508] - Good coding practices for concurrent policy label creation
  • [RANGER-2515] - add .gitignore for project plugin-presto and ranger-presto-plugin-shim
  • [RANGER-2517] - UI changes for policy to implicitly deny all accesses not explicitly allowed by it.
  • [RANGER-2523] - Ranger Admin debug config improvement

Bug

  • [RANGER-1644] - Change the default Crypt Algo to use stronger cryptographic algo. 
  • [RANGER-1738] - RangerYarnAuthorizer not compatible with Hadoop-3.0.0
  • [RANGER-1951] - build problems with the saveVersion.py script
  • [RANGER-1955] - Wrong quoting in Ranger SQL install scripts
  • [RANGER-2112] - Ranger KMS broken with JDK 8 update 171
  • [RANGER-2114] - Internal Exception: com.mysql.jdbc.MysqlDataTruncation: Data truncation: Data too long for column 'content' at row 1
  • [RANGER-2152] - Incorrect debugging information in RangerPluginClassLoader.java
  • [RANGER-2155] - Ranger Tagsync fails to Authenticate to Atlas when Tag Source set to AtlasRest in Kerberos environment
  • [RANGER-2160] - 'Email Address' search is not working properly along with other filter in user listing page, userRoles filters also needs to be improved.
  • [RANGER-2165] - Address JPA Cache issue when policies Create, Update and Delete are done via REST API in Apache Ranger admin
  • [RANGER-2166] - A ClassNotFound exception is thrown with atlasrest as a tag source
  • [RANGER-2180] - Handle token replacement correctly when token is not defined in the request context
  • [RANGER-2182] - Handle upgrade scenario since atlas-service def is added with new resources for relationship
  • [RANGER-2183] - Use INodeAttribute information to authorize HDFS access
  • [RANGER-2186] - Increment service-specific policy and tag versions after update transaction is committed
  • [RANGER-2187] - External Group search fails on Ranger UI when installed with postgres
  • [RANGER-2189] - Atlas service default policies should allow relationship operations for all
  • [RANGER-2193] - Form validation during testconnection should be consistent with service creation/editing
  • [RANGER-2195] - TagPolicy not working due to failure in updating tag policy version
  • [RANGER-2196] - Ensure that any explicit threads used by Ranger are marked as daemon threads
  • [RANGER-2197] - Delegate Admin is not able to create policy
  • [RANGER-2201] - Log no ranger audits when entityId value is not null or empty string
  • [RANGER-2204] - Ranger Admin's admin log event for changing Audit Logging of a policy doesn't show the actual changes
  • [RANGER-2213] - Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.90.
  • [RANGER-2215] - Can't copy and paste multiple paths into Ranger Admin UI for HDFS create policy
  • [RANGER-2220] - Admin UI loads slowly because of many small JavaScript files
  • [RANGER-2224] - 'drop temporary function <udf>' command should be handled by 'global' resource and 'Temporary UDF Admin' permission.
  • [RANGER-2229] - Perform graceful terminate with retries before doing forceful kill for usersync and tagsync
  • [RANGER-2234] - Cannot add or update a child row,a foreign key constraint fails when installing ranger-admin
  • [RANGER-2235] - Modify the login session detail page as a modal.
  • [RANGER-2238] - String comparison should not use ‘==’ in ServiceUtil.java
  • [RANGER-2241] - Fix release build scripts to conform to latest Apache release guidelines - Part 2 - Remove sha1 and mds
  • [RANGER-2242] - JiSQL utility is failing Oracle UDF
  • [RANGER-2244] - Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.91 or later.
  • [RANGER-2245] - Exclude Jetty libraries
  • [RANGER-2247] - Ranger Plugin for HDFS throws StringIndexOutOfBounds exception when policy resource is "\"
  • [RANGER-2248] - Sorting does not work in AbstractPredicateUtil.java
  • [RANGER-2250] - Service configs fields are not showing for atlas service form page
  • [RANGER-2252] - Permission "Kafka Admin" should not be part of Topic resource in Ranger Kafka resource definition
  • [RANGER-2262] - Improvement of export to excel from report listing page for Oracle database.
  • [RANGER-2263] - Remove unnecessary explicit dependency for apache commons compress jar in Ranger
  • [RANGER-2264] - Kafka default policies for new resources are not showing up in UI when upgrade is done from older version
  • [RANGER-2269] - Implement best coding practices for validating user input
  • [RANGER-2270] - Restrict tag module access to unprivileged users
  • [RANGER-2272] - Ensure that case of resource-definition names and access-type names in Ranger policy is the same as in service-definition after successful validation
  • [RANGER-2273] - Allow service admin and delegated admin user to view list of users and groups though they have 'USER' role
  • [RANGER-2275] - Make db_setup retry delay configurable
  • [RANGER-2276] - Email Address should be verified when Add New User in Ranger Admin
  • [RANGER-2277] - Kylin repository config missing "Common Name for Certificate"
  • [RANGER-2278] - Unable to delete user if he has references in new ref tables.
  • [RANGER-2280] - The emptyText of User Sync and Plugin Status should be reasonable
  • [RANGER-2282] - The error message for changing password is incorrect in User Profile page.
  • [RANGER-2283] - User is getting total count of groups even if he is assigned to one group due to which pagination is breaking
  • [RANGER-2284] - Unable to build image using docker
  • [RANGER-2288] - Sqoop repository config missing "Common Name for Certificate"
  • [RANGER-2289] - Unable to get Audit Admin tab page.
  • [RANGER-2292] - Test case fix for RANGER-2276
  • [RANGER-2294] - Front-end and back-end email address regular expression should be the same
  • [RANGER-2297] - getContentSummary validation failure
  • [RANGER-2298] - Modify JAVA_VERSION_REQUIRED to 1.8 in install.properties
  • [RANGER-2299] - Modify the permissions of the kms install.properties file to 700
  • [RANGER-2304] - Need to add property dfs.permissions.ContentSummary.subAccess when enabling Ranger HDFS plugin manually
  • [RANGER-2305] - When Audit spooling to local filesystem is enabled, log files of the component show a wrong error message
  • [RANGER-2306] - Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger
  • [RANGER-2307] - Native code can segfault or return misleading error messages
  • [RANGER-2311] - After the user profile is updated, the page still displays the original information.
  • [RANGER-2313] - tagsync fails to authenticate with ranger in kerberized cluster when using ranger-tagsync-update.sh script
  • [RANGER-2316] - Incorrect path in Quick Start Guide at http://ranger.apache.org/quick_start_guide.html
  • [RANGER-2318] - Incorrect git url on the homepage
  • [RANGER-2321] - Docker build fails due to PhantomJS dependency
  • [RANGER-2326] - zoneName field is getting added with type "boolean" in Ranger Solr schema
  • [RANGER-2327] - Update Ranger db schema to use common sequence name
  • [RANGER-2328] - Time-based policies do not work correctly if access time is not set in the authorization request
  • [RANGER-2333] - Logs do not get generated for Zone Description field available on Security Zone page.
  • [RANGER-2334] - Audits: filter out service audit logs and additional users logs from user audit logs
  • [RANGER-2335] - Overlapping of 'include' toggle button on policy create/edit page.
  • [RANGER-2336] - Ranger HBase plugin should pack guava lib as a dependency.
  • [RANGER-2337] - Context-Enrichers need to clean up completely when the policy-engine is destroyed
  • [RANGER-2339] - UI changes for User role users should also have access to Security Zone
  • [RANGER-2342] - Exclude jackson jaxrs library from ranger-admin packaging
  • [RANGER-2343] - Evaluate tag policies in the same security zone as accessed resource
  • [RANGER-2344] - Ranger HBase Test failure due to Mini HBase cluster start up issue.
  • [RANGER-2347] - Restrict capabilities of security zone administrator and auditor
  • [RANGER-2350] - Ranger UI: Clicking on zone edit Breadcrumb redirect to 404 page not found
  • [RANGER-2352] - Ranger installation is failing for Oracle and Postgres DB
  • [RANGER-2355] - Reports page: policy listing to have column of Zone name
  • [RANGER-2356] - External user's email address can be edited
  • [RANGER-2359] - Show zone association with tag based service.
  • [RANGER-2367] - Hive "show grants" when Ranger is authorizer should show permission details from Ranger
  • [RANGER-2371] - Security Zone policies do not work correctly when incremental policy updates are enabled
  • [RANGER-2372] - Remove non-existing URL entries from spring config file
  • [RANGER-2373] - User creation POST and PUT response not showing groupIdList and groupNameList with expected data
  • [RANGER-2375] - RangerAuthContext is not correctly initialized
  • [RANGER-2376] - Ranger Plugin ClassLoader Doesn't Restore Thread ClassLoader
  • [RANGER-2381] - Failed to refresh policies when servicename contains space
  • [RANGER-2383] - Incorrect response when trying to delete user attached to a security zone
  • [RANGER-2384] - Get All Zones API is returning response in raw format, proper response object is required.
  • [RANGER-2396] - Inconsistency in policy operations in a disabled Ranger service
  • [RANGER-2397] - HiveServer2 fails to start with Hive Plugin for Ranger
  • [RANGER-2399] - User's listing page hits users API call twice from UI
  • [RANGER-2400] - policy name needs to be unique within security zone and service
  • [RANGER-2401] - Ranger Security Zone needs to be added in audit type filter in admin audit
  • [RANGER-2403] - proper error should be thrown when service part of zone being deleted
  • [RANGER-2404] - Delegate-admin permission granted by policy needs to be effective only within the zone to which the policy belongs
  • [RANGER-2405] - Evaluation of Ranger policies targeted to valid but partial resources
  • [RANGER-2406] - rangerusersync open too many session for ldap sync
  • [RANGER-2409] - Policy level condition sample matcher initialization issue
  • [RANGER-2411] - Restrict Admin role user to create Zone for KMS service
  • [RANGER-2412] - Policy Condition Evaluators existing and newly created should work in both policy level and policy item level
  • [RANGER-2413] - Python script to update rangertagsync config properties
  • [RANGER-2415] - Value of isExcludes flag needs to be considered when matching accessed resource to Ranger policy
  • [RANGER-2417] - Set Atlas Entity owner to RangerAccessResource ownerUser attribute for Atlas Ranger Plugin
  • [RANGER-2419] - Improve sql script to skip statements when atlas service def is not supported
  • [RANGER-2421] - Solr audit fails in Atlas plugin
  • [RANGER-2423] - Ranger KnoxSSO authentication in Ranger HA environment
  • [RANGER-2430] - Zoneadmin User is able to create policy for those services which is not associated to zone
  • [RANGER-2434] - Remove dependency from com.google.common.base.Objects or MoreObjects
  • [RANGER-2437] - Update grant/revoke error message to provide more information about the principal type
  • [RANGER-2438] - Legacy PublicAPI REST API to get all policies fails
  • [RANGER-2439] - Unable to view policy details from access audits when policy has policy condition at policy level
  • [RANGER-2444] - Admin logs are not getting generated when "policy level" policy condition is updated
  • [RANGER-2445] - Import of Tag based policies for zone
  • [RANGER-2449] - if service part of zone is not present then null pointer exception is thrown
  • [RANGER-2451] - Atlas plugin is not working when security zone is created for Atlas service in Ranger Admin.
  • [RANGER-2453] - Tag data-masking policy should allow only one tag as resource
  • [RANGER-2455] - When service created inside a zone landing page that service gets created in unzoned landing page.
  • [RANGER-2456] - Upgrade of Ranger Admin to the current version fails in PatchForKafkaServiceDefUpdate_J10025
  • [RANGER-2459] - [E] ranger_core_db_mysql.sql file import failed!
  • [RANGER-2463] - Ranger admin authorization audits fails intermittently to fetch from Solr
  • [RANGER-2469] - java.lang.IllegalArgumentException: More than one fragment with the name during Ranger start after RANGER-2464
  • [RANGER-2473] - Upgrade of Ranger Admin to the current version fails in PatchForAtlasResourceAndAccessTypeUpdate_J10016
  • [RANGER-2474] - Policy version and details in access audits wrong when deny condition added to policy
  • [RANGER-2478] - Exception in thread "main" java.lang.NoClassDefFoundError: com/google/common/base/Preconditions
  • [RANGER-2479] - Change test connection preferred SQL statement for Oracle DB Flavor
  • [RANGER-2480] - Hive URL Policy doesn't match if recursive flag is on for the url resource
  • [RANGER-2485] - Security zone filter is causing Ranger audit access request waiting for longer
  • [RANGER-2487] - Resource policy names with characters that are typically HTML escaped mutate and grow as they are saved.
  • [RANGER-2493] - Ranger takes long time to delete a service with many policies
  • [RANGER-2500] - Zone Policies not getting imported when 'updateIfExists=true' is passed through curl.
  • [RANGER-2502] - Presto plugin insert bug
  • [RANGER-2509] - Add validation message for Importing non JSON file on import action.
  • [RANGER-2511] - default tag based service is getting created for the tag based service
  • [RANGER-2513] - Unable to delete user if he has references in new ref tables.
  • [RANGER-2514] - Search field validation prompt is inconsistent with field names in audit page
  • [RANGER-2516] - Update Ranger default policies to provide entity-read access to public group
  • [RANGER-2518] - Allow service creator to delete the service
  • [RANGER-2519] - Import policy may fail if a policy exists with same guid in another service
  • [RANGER-2520] - Prevent Roles to be saved in Ranger Role Management page when user or groups are not added to the role

Test

  • [RANGER-2150] - Unit test coverage for XUserMgr and UserMgr class
  • [RANGER-2171] - Unit Test cases to cover policy operations from service admin user

Wish

Task

  • [RANGER-2198] - Remove deprecated client API from HBase plugin
  • [RANGER-2226] - Define explicit (test) dependency on json-smart in the Knox agent
  • [RANGER-2256] - Grammatical error in UI
  • [RANGER-2422] - Zone Admin and Zone Auditor can see only its associated audit access log
  • [RANGER-2452] - Release Ranger 2.0.0

Sub-task

  • [RANGER-2175] - Write install guide for Ranger Elasticsearch plugin RANGER-2170
  • [RANGER-2219] - De-normalize schema for storing tags and related objects
  • [RANGER-2260] - Atlas servicedef version change patch should update atlas access type def for tag def also.
  • [RANGER-2274] - Allow delegated admin user to view list of users and groups though they have 'USER' role
  • [RANGER-2293] - Create and update ref tables for security zone data
  • [RANGER-2310] - Record admin audits in Ranger during Create, Update and Delete operations on Zone
  • [RANGER-2320] - Make db schema patches script idempotent for all DB Flavors
  • [RANGER-2402] - Best Practices: Make db schema script idempotent
  • [RANGER-2429] - Ranger KMS is not starting properly
  • [RANGER-2477] - Ranger KnoxSSO authentication when X-Forwarded-Host header is not forwarded