Release Notes - Ranger - Version 2.3.0
New Feature
| RANGER-3569 | Support Ranger KMS integration with Google cloud HSM |
| RANGER-3580 | Support Ranger KMS integration with TencentKMS |
| RANGER-3603 | HDFS audit files rollover improvement to trigger rollover in monitoring thread |
| RANGER-3605 | Support macros in row-filter/condition expressions |
| RANGER-3630 | Support wildcards, group short names, and list of memberof attribute DNs for computing user search filter |
| RANGER-3764 | conditions to support macros IS_IN_GROUP, IS_IN_ROLE, HAS_TAG |
| RANGER-3779 | conditions enhancement to support macros IS_IN_ANY_GROUP, IS_IN_ANY_ROLE, HAS_TAGS |
Improvement
| RANGER-2846 | Add support for resource[volume, bucket, key] look up in ozone plugin |
| RANGER-2967 | Add support for Amazon CloudWatch Logs as an Audit Store |
| RANGER-3023 | Permission tab takes longer time to load with large number of users and group_users data |
| RANGER-3030 | Replace Findbugs with Spotbugs maven plugin |
| RANGER-3221 | Improve logging in Presto plugin |
| RANGER-3276 | Remove duplicate code from buildks.java |
| RANGER-3290 | ArrayIndexOutOfBoundsException if solr is down |
| RANGER-3298 | Add coarse URI check for Hive Agent |
| RANGER-3299 | Upgrading the bouncycastle version for bcprov-jdk15on |
| RANGER-3389 | Swagger UI Support for Ranger REST API |
| RANGER-3435 | RANGER-3401 Add unique index on guid, service and zone_id column of x_policy table |
| RANGER-3439 | RANGER-3401 Add rest api to get or delete ranger policy based on guid |
| RANGER-3455 | [Logout-Ranger] Should either be disabled/ should redirect to knox logout page |
| RANGER-3459 | Upgrade Ranger's Kafka dependency to 2.8 |
| RANGER-3475 | Promote TagRest endpoints to /public/v2 |
| RANGER-3487 | Update underscorejs with latest version. |
| RANGER-3493 | RANGER-3490 Add unique index on service and resource_signature column of x_policy table |
| RANGER-3498 | RANGER : Remove log4j1 dependencies. |
| RANGER-3504 | Create framework to execute DB patch dependent on Java patch. |
| RANGER-3510 | Ranger upgrade spring framework version to 5.3.12 |
| RANGER-3515 | Enhance Ranger Java client SSL config to be configured using serviceType and AppId |
| RANGER-3518 | Limit the query size stored in Audit logs |
| RANGER-3519 | Provide an option to optimize space needed by Trie objects |
| RANGER-3521 | Ranger KMS IS NOT ENFORCING HSTS ON SSL PORT DEFINED BY RFC 6797 |
| RANGER-3526 | policy evaluation ordering to use name as secondary sorting key |
| RANGER-3533 | Provide sorting on columns throughout the audits result set and policy listing page. |
| RANGER-3538 | Reduce the granularity of locking when building/retrieving a policy-engine within Ranger admin service |
| RANGER-3539 | Add jacoco-maven-plugin for code coverage |
| RANGER-3540 | Add support to read audit logs from Amazon CloudWatch |
| RANGER-3545 | Remove Logger Checks for Info Enabled |
| RANGER-3548 | Update performance engine test scripts |
| RANGER-3550 | support for using user/tag attributes in row-filter expressions and conditions |
| RANGER-3551 | Analyze & optimize module permissions related API |
| RANGER-3553 | Unit test coverage for XUserMgr and UserMgr class |
| RANGER-3556 | Ranger tagsync logs unnecessary messages |
| RANGER-3561 | Upgrade Storm version to 1.2.4 |
| RANGER-3562 | Redesign post commit tasks for updating ref-tables when policy/role is updated |
| RANGER-3565 | RangerRESTClient to support retry |
| RANGER-3566 | Update version in ranger-2.3 to 2.3.0-SNAPSHOT |
| RANGER-3567 | support for use of user attributes in policy resources |
| RANGER-3573 | Add vim in docker base image |
| RANGER-3577 | RANGER : Upgrade POI version to 5.1.0 |
| RANGER-3578 | Simplify code for policy label creation |
| RANGER-3585 | Docker setup to run Ranger usersync and tagsync |
| RANGER-3586 | Script condition expression to support csv of group/tag attributes |
| RANGER-3595 | Tar of KMS contains rubbish files |
| RANGER-3600 | Ranger service tags import request failure |
| RANGER-3606 | remove unnecessary static members from plugin class loaders |
| RANGER-3609 | option to add usergroup enricher automatically based on references in policies |
| RANGER-3620 | Ranger - Upgrade tomcat to 8.5.75 |
| RANGER-3621 | Optimise Tag/Policy iterator |
| RANGER-3624 | Update Ranger services Password Policy |
| RANGER-3628 | Support fine grain authorization for different solr objects |
| RANGER-3629 | RANGER - Handle solr permissions during upgrade |
| RANGER-3632 | Improve ranger logs, RENAME_ON_ROTATE and others |
| RANGER-3634 | Remove duplicate entries from usersync distribution file |
| RANGER-3646 | LOG.debug print content error |
| RANGER-3647 | Connection to DB fails for MySQL version above 8.0 |
| RANGER-3649 | Represent the Solr admin object types on the Ranger UI |
| RANGER-3651 | Remove jersey1.x version dependency for knox plugin |
| RANGER-3653 | Replace aws java sdk bom dependencies with bundled dependencies |
| RANGER-3658 | Docker: Ranger containers to run as user=ranger |
| RANGER-3660 | [Ranger Admin UI] Improvements in tooltip hints for better user experience |
| RANGER-3662 | There should be pause button for error popup |
| RANGER-3665 | "No Data Found !!" messages in Ranger admin UI alarm users |
| RANGER-3666 | Ranger UI improvement - Add warning popup if auto-complete for resource lookup is failing in Edit policy page |
| RANGER-3667 | Improve feedback in policy creation UI when resource does not exist |
| RANGER-3669 | Connection to DB fails for MySQL version above 8.0 |
| RANGER-3672 | Show better error messages during failed logins |
| RANGER-3673 | Need to enable cipher configuration for Usersync |
| RANGER-3675 | Upgrade tomcat due to intermittent READ TIMEOUT |
| RANGER-3686 | Docker setup to run Ranger with MySQL database |
| RANGER-3687 | Password Policy Best Practices for Strong Security |
| RANGER-3689 | Ranger : ranger-2.3 Port missing commits. |
| RANGER-3693 | Ranger - Upgrade tomcat to 8.5.78 |
| RANGER-3698 | Ranger - Upgrade kylin to 3.1.3 |
| RANGER-3699 | Ranger - Upgrade poi to 5.2.1+ |
| RANGER-3704 | remove semicolon from c3P0 preferredTestQuery |
| RANGER-3725 | Update atlas default audit filter to filter Atlas entity-read events by Nifi user. |
| RANGER-3736 | Update RangerChainedPlugin to support masking and row-filtering |
| RANGER-3738 | Restructure ranger Dockerfile to use multi-stage builds |
| RANGER-3743 | Add isDenyAllElse mapping to addCustomRangerDefaultPolicies method |
| RANGER-3744 | Produces annotation ordering should be consistent: json, xml |
| RANGER-3759 | Add default logback configuration file for trino plugin |
| RANGER-3760 | Make trino plugin configurable for trino environment running in docker |
| RANGER-3768 | RangerBasePlugin configuration to optionally disable userstore refresher |
Bug
| RANGER-2426 | ranger-plugins-audits should depend on kafka-clients not kafka server |
| RANGER-2704 | Support browser login using kerberized authentication |
| RANGER-2847 | Add support/Fix Test connection with Ozone service |
| RANGER-3091 | Upgrade solr version in Ranger to Solr 8.6.3 |
| RANGER-3285 | expose user source details in ranger UI |
| RANGER-3403 | Ranger usersync role based rules not working as expected |
| RANGER-3427 | Null Dereference in PublicApis.java |
| RANGER-3433 | Null Dereference in ServiceREST getPolicyByName method |
| RANGER-3442 | Ranger KMS DAO memory issues when many new keys are created |
| RANGER-3468 | When multiple Ranger tabs are opened, Some tabs are not redirecting to Knox Logout page |
| RANGER-3484 | Ranger usersync directory is being created as root owner |
| RANGER-3490 | Make policy resource signature is unique in a service |
| RANGER-3502 | Make GET zone APIs accessible to authorized users only |
| RANGER-3505 | Ranger usersync fails to sync users when a duplicate user exists in ranger |
| RANGER-3507 | Handle trailing slash in the ranger Hive URL policy authorization |
| RANGER-3509 | update role fails for role admins |
| RANGER-3511 | RANGER-3490 Create Java patch to update policy resource-signature to unique value. |
| RANGER-3512 | RANGER-3401 Create Java patch to update policy guid to unique value. |
| RANGER-3514 | Fix updates to sync source post upgrades |
| RANGER-3516 | Java patch 'J10045' taking more time during upgrade. |
| RANGER-3522 | Improve Tagsync authentication error reporting |
| RANGER-3527 | Create Apache Ranger next maintenance release branch 2.3 |
| RANGER-3528 | Ranger Group creation audit is not shown during service creation |
| RANGER-3535 | A delegate admin user should be able to add another user with all or subset of permissions they have |
| RANGER-3542 | Invalid HTTPS Check |
| RANGER-3543 | Remove spotbugs-annotations-3.1.9 from classpath |
| RANGER-3544 | Security zones listing will be in alphabetical order. |
| RANGER-3546 | Update Spotbugs plugin Executions cycle |
| RANGER-3547 | Upgrade to use log4j 2.16.0+ version to ensure that we are using supported version of log4j |
| RANGER-3554 | [Intermittent] API call to fetch the list of policies for a particular service repo returns a deleted policy in the response |
| RANGER-3557 | Upgrade to use log4j 2.17.0+ version to ensure that we are using supported version of log4j |
| RANGER-3559 | RANGER KMS - Metric details for kms are not getting collected |
| RANGER-3563 | [Docker] plugin installation fails with error: XAAUDIT.AMAZON_CLOUDWATCH.ENABLE not defined |
| RANGER-3564 | Installation of Ranger plugin for HDFS fails due to missing libraries |
| RANGER-3568 | Services of one zone are seen in other zone from UI |
| RANGER-3571 | Typo in GrantRevokeRoleRequest.java |
| RANGER-3576 | service creation is failing intermittently due to DB unique key constraint violation |
| RANGER-3579 | Upgrade Log4j2 to 2.17.1 due to CVE-2021-44832 |
| RANGER-3584 | ServiceTags are not computed correctly by applying incremental changes to existing ServiceTags |
| RANGER-3589 | Ranger java patches failing due to admin privilege checks. |
| RANGER-3591 | Upgrade protobuf-java to 3.19.3 |
| RANGER-3592 | Upgrade Spring framework to 5.3.15 |
| RANGER-3593 | the hive table owner who create the table can not have the full priviledge |
| RANGER-3594 | mysql setup scripts failed with binlog-enabled mysql |
| RANGER-3597 | RANGER-3590 User role should not be able to modify the Policy |
| RANGER-3610 | Docker: Skip service creation for ranger components during ranger container restart |
| RANGER-3611 | Uncatched NullPointerException when missing lastKnownVersion in ServiceREST::getServicePoliciesIfUpdated |
| RANGER-3613 | RANGER KMS : Check if master key with the given alias exists or not if LUNA HSM is enabled. |
| RANGER-3617 | incorrect deny for _any access due to tag policy |
| RANGER-3619 | REST API should return 403 when authenticated client is not allowed to access API. |
| RANGER-3625 | Update isDebugEnable condition in RangerHiveAuthorizer |
| RANGER-3638 | Solr Ranger document level security breaks solr if collection is reloaded |
| RANGER-3642 | Ranger - Upgrade jquery-ui to 1.13.1 |
| RANGER-3644 | tagsync: FileTagSource to retry if Ranger is not reachable |
| RANGER-3652 | update resource-matcher unit tests to include wildcard=false |
| RANGER-3659 | Ranger Admin goes to OOM when usersync is trying to delete existing group mappings from ranger DB |
| RANGER-3663 | RangerBizUtil.checkAdminAccess() should return false if user-session is not available |
| RANGER-3674 | Fix PMD issue |
| RANGER-3676 | tag-based policies don't recognize {OWNER} in users as resource owners |
| RANGER-3677 | Update Password Policy validation at WEB-UI |
| RANGER-3678 | Update password validation criteria |
| RANGER-3681 | Ranger Database deadlock when createPolicy is running parallel |
| RANGER-3690 | Fix NullPointerException in java patch 054 |
| RANGER-3691 | Upgrade spring to 5.3.18 CVE-2022-22965 |
| RANGER-3692 | Ranger cannot connect to the DB when the DB is outaged for a long time |
| RANGER-3702 | RANGER - Export policy in excel is failing. |
| RANGER-3709 | Fix NullPointerException in getSecureServicePoliciesIfUpdated call of ServiceRest |
| RANGER-3730 | log4j dependency is not completely removed |
| RANGER-3735 | RANGER : Behaviour change in external user status. |
| RANGER-3737 | Usersync is broken due to NullPointerException |
| RANGER-3747 | Fix failing sql patches |
| RANGER-3750 | RANGER : PatchForSolrSvcDefAndPoliciesUpdate_J10055 failing with 'duplicate key value violates unique constraint' |
| RANGER-3753 | Hive masking policies don't recognize {OWNER} user |
| RANGER-3755 | Build Plugin-Trino artifacts only with JDK 11 |
| RANGER-3765 | tag-based policy masking to override resource-based policy |
| RANGER-3769 | Removing a tag-service association from a service does not update policy engine |
| RANGER-3773 | maven can not build ranger-2.3.0 because commons-cli is duplicated in pom |
| RANGER-3777 | Fix execute permissions for all docker init scripts |
| RANGER-3778 | Kerberos Login cause NullPointerException |