Ranger
| ![[Important]](../common/images/admon/important.png) | Important | 
|---|---|
| Hortonworks strongly recommends that all users running HDP 2.3.4 upgrade to HDP 2.3.4.7. | 
HDP 2.3.4 provides Ranger 0.5.0 and the following Apache patches:
- RANGER-246: Need to update the current implementation for recent changes in Kafka. 
- RANGER-526: Provide REST API to change user role. 
- RANGER-586: Ranger plugins should not add dependent libraries to component's CLASSPATH. 
- RANGER-590: Escape spaces in the user and group names which are part of rest call URI in UserSync process. 
- RANGER-602: Solr client in SolrCloud mode should work with zookeeper settings also. 
- RANGER-607: Unable to create multiple policyItems for same user or group. 
- RANGER-608: Denied access to list a directory does not generate audit. 
- RANGER-652: LDAP configuration tool. 
- RANGER-656: Ranger UI - KMS Need to handle 404 error when clicked on breadcrumb. 
- RANGER-658: Package ranger_credential_helper.py with Ranger Usersync assembly. 
- RANGER-661: Plugin receives empty policy list though the service has policies. 
- RANGER-663: Race condition during policy update causes policy to get in an bad state. 
- RANGER-664: Ranger PolicyRefresh REST Client timeout parameter should be configurable. 
- RANGER-665: ranger.ldap.ad.referral property is not getting updated in RANGER-admin-site.xml. 
- RANGER-666: Ranger to support Azure SQL Database. 
- RANGER-671: Add support to retrieve permissions for the logged in user from UserSession rather going to database every time. 
- RANGER-673: Setup changes to allow Ranger service to installed using custom service user. 
- RANGER-674: Ranger public rest api gives 200 response for wrong credential instead of 401. 
- RANGER-677: Ranger Admin fails to render policies referring to groups that contain "." in name. 
- RANGER-680: Remove public group by default in default policy for KMS repo. 
- RANGER-681: Update default sync intervals for LDAP and UNIX. 
- RANGER-682: Ranger to support Azure Blob Datastore as an audit destination via HDFS audit handler. 
- RANGER-684: Ranger Usersync - Add Ability to transform user/group names. 
- RANGER-687: after each 30 seconds audit is getting updated in plugin tab. 
- RANGER-688: Handle scenario where ids of XUser and XPortalUser are not in sync. 
- RANGER-697: KeyAdmin role user should see only KMS related audit access logs in Audit tab. 
- RANGER-700: Provide a wrapper shell script to run the FileSourceUserGroupBuilder process. 
- RANGER-701: Update setup scripts to allow special characters in passwords. 
- RANGER-702: Optimize policy download performance. 
- RANGER-705: Ranger Usersync should provide summary logs on the sync progress instead of not logging any details after 2000 users. 
- RANGER-706: Optimize audit db upgrade patches to minimize timeout issues. 
- RANGER-712: Create a new project which can serve as a template to write ranger extensions. 
- RANGER-713: Knox-plugin failed to enable after plugin modification for not to add dependent libraries to component's CLASSPATH. 
- RANGER-714: Enhancements to the db admin setup scripts. 
- RANGER-715: Fix issues reported by coverity test in Ranger Plugin ClassLoader. 
- RANGER-717: Hive and HBase ranger plugin Audit to DB failed to log after plugin modification for not to add dependent libraries to component's CLASSPATH. 
- RANGER-720: Ldap discovery tool doesn't seem to be working as expected. 
- RANGER-724: AuditBatchQueue: prevQueueSize not recomputed after initial assignment - static code analyzer flagged issue. 
- RANGER-725: Add the right .gitignore file to the newly projects so that directory listing is clean after a build. 
- RANGER-727: Knox Plugin failed to AuditToSpool file when Audit Destination is down. 
- RANGER-731: Ranger plugin for YARN doesn't seem to be able to write audit to Kerberized HDFS. 
- RANGER-733: Implement best coding practices to resolve issues found during code scan. 
- RANGER-739: Ranger HBase Plugin returning null for RegionObserver.preCompact calls causing HBase:ACL issue. 
- RANGER-740: Kafka Authorizer interface has added close() method. Ranger should also implement it. 
- RANGER-741: Fix installation script to skip Audit DB password check if audit source is SOLR. 
- RANGER-742: Ranger usersync fails after syncing 500 users from AD or ldap server when paged results is enabled. 
- RANGER-743: External users with Admin Role should be allowed to create/update users. 
- RANGER-744: Kafka Authorizer has updated how IP/Host is passed. 
- RANGER-745: Upgrade Apache commons-collections. 
- RANGER-747: RangerAdmin is considering "none" as valid ZK Host Name for Solr. 
- RANGER-748: Users in policy got changed after upgrade. 
- RANGER-749: Ranger KMS to support multiple KMS instances with keys across multiple clusters. 
- RANGER-754: Ranger YARN Plugin lookup and test connection should support SPENGO enabled HTTP Authentication. 
- RANGER-755: ldap run.sh script fails since auth directory does not exist. 
- RANGER-756: LdapTool fails with -r option to retrieve only users/group/all. 
- RANGER-757: [LDAP tool] authentication fails if use -d option to search only users. 
- RANGER-758: Handle special characters in passwords starting from -r. 
- RANGER-761: Transaction logs not getting generated under audit menu admin tab if policy name is changed. 
- RANGER-766: Yarn Plugin Config hadoop.security.authentication should be non-mandatory with default value. 
- RANGER-767: Refactor UserGroupSink implementation and consolidate performance improvements. 
HDP 2.3.2 provided Ranger 0.5.0 and the following Apache patches:
- RANGER-551 Policy Validation: If resource levels are not valid for any hierarchy then checks about missing mandatory levels should be skipped 
BUG FIXES
- RANGER-560 Policy validation: Provide user friendly error messages about validation failures 
- RANGER-580 HBase plugin: Plugin may not work after upgrade 
- RANGER-584 Service validation: Provide user friendly error messages about validation failures 
- RANGER-587 ranger-admin-site.xml not getting updated when ranger.authentication.method is changed 
- RANGER-588 Take care of Ranger KMS installation even if 'java' is not in PATH 
- RANGER-593 Service def validation: Provide user friendly error messages about validation failures 
- RANGER-594 Policy Validation: Change the logic to generate friendly error messages to be like used for Service and Service def 
- RANGER-598 Update Ranger config migration script to work with Ranger 0.5 
- RANGER-615 Audit to db: Truncate all string values of audit record so that writing of audit does not fail 
- RANGER-618 KMS gets slower in key creation once Database grows 
- RANGER-621 Solr service-def JSON has incorrect impliedGrants for solr_admin permission 
- RANGER-622 Hive plugin: Add jar via beeline throws NPE 
- RANGER-623 Enable plugin scripts should handle file permissions for certain umask value 
- RANGER-624 Windows installation broken after SQLAnywhere support 
- RANGER-625 Change db flavor input parameter value from SQLAnywhere to SQLA 
- RANGER-627 Processing done by Audit Shutdown hooks can confuse someone looking at logs to think that shutdown of a service is held up due to Ranger plugin 
- RANGER-628 Make filters for ranger-admin search binds configurable 
- RANGER-630 Data consistency across API and UI 
- RANGER-632 Policy validation error messages produced by the server are not seen by the user 
- RANGER-637 Make REFERRAL property in Ranger User sync configurable 
- RANGER-638 Ranger admin should redirect back to login page when session cookies expires 
- RANGER-639 Storm plugin - commons-lang is a required dependency and hence should be packaged as part of storm plugin 
- RANGER-641 Ranger kms start fails if java is not set and started using service keyword 
- RANGER-642 Update USERSEARCHFILTER for Ranger Authentication on Windows 
- RANGER-653 Move delegated admin check to mgr layer from service layer for XPermMap and XAuditMap 
HDP 2.3.0 provided Ranger 0.5.0 and the following Apache patches:
- RANGER-422 Add additional database columns to support aggregation 
- RANGER-423 Support audit log aggregation in Ranger Admin UI 
- RANGER-513 Policy validation: resource hierarchies check does not work with single-node hierarchies as in HDFS 
- RANGER-551 Policy Validation: If resource levels are not valid for any hierarchy then checks about missing mandatory levels should be skipped. 
- RANGER-564 Add incubating to the release name 
BUG FIXES
- RANGER-219 Autocomplete behavior of hive tables/columns 
- RANGER-524 HBase plugin: list command should prune the tables returned on user permissions 
- RANGER-529 Policy Validation: resources of a policy must match one of the resource hierarchies of the service def. 
- RANGER-533 HBase plugin: if user does not have family-level access to any family in a table then user may be incorrectly denied access done at table/family level during get or scan 
- RANGER-539 Rolling downgrade changes 
- RANGER-545 Fix js error for lower versions of FF (less than 30) 
- RANGER-548 Key rollover command fails 
- RANGER-550 Hive plugin: Add audit logging support for metadata queries that have filtering support from hive 
- RANGER-553 Default policy creation during service creation should handle service defs with multiple hierarchies, e.g. hive, properly 
- RANGER-554 Ranger KMS keys listing page does not support pagination 
- RANGER-555 Policy view page (from access audit page) gives 404 with Oracle DB 
- RANGER-558 HBase plugin: unless user has READ access at some level under the table/family being accessed (via scan/get) authorizer should throw an exception and audit 
- RANGER-565 Ranger Admin install fails (sometimes) with IO Error when DB used in Oracle 
- RANGER-566 Installation of Ranger on Oracle 12c with shared database needs to use private synonym instead of public synonym 
- RANGER-569 Enabling Ranger plugin for HBase should not modify hbase.rpc.protection value 
- RANGER-570 Knox plugin: after upgrading ranger from 0.4 to 0.5 the Knox plugin won't work because classes with old names are missing 
- RANGER-571 Storm plugin: after upgrading ranger from 0.4 to 0.5 the plugin won't work because classes with old names are missing 
- RANGER-575 Allow KMS policies to be assigned to all users 
- RANGER-576 Storm audit not showing access type in the Ranger Admin Audit UI 
HDP CHANGES
- RANGER-450 Failed to install Ranger component due to Ranger policyManager script failures 

