Fixed Issues in Ranger

Review the list of Apache Ranger issues that are resolved in Cloudera Runtime 7.3.2, its service packs and cumulative hotfixes.

Cloudera Runtime 7.3.2

The fixed issues for Apache Ranger in Cloudera Runtime 7.3.2 include all cumulative fixes from lower versions, specifically ranging from Cloudera Runtime 7.3.1.100 through 7.3.1.706. For a comprehensive record of all fixes, see Fixed Issues.

CDPD-91064: USER role accounts to access only their own user details
7.3.2
Fixed an issue where Ranger users with only the USER role could retrieve details of admin or keyadmin users with similar usernames via the /service/xusers/users API. The API now restricts USER-role accounts to accessing only their own user details.
CDPD-90358: Hostname verification issue
7.3.2
Fixed an issue in Ranger where hostname verification did not correctly validate the hostname across the certificate chain, improving SSL/TLS security for secured connections.
CDPD-87716: Ranger RAZ on S3 path with encoded characters
7.3.2
Fixed an issue where Ranger RAZ did not correctly evaluate S3 access policies for Iceberg table partitions when the S3 path contained percent-encoded characters (for example, the = in partition directory names, which the AWS SDK v2 encodes as %3D). Because the encoded path was not decoded before policy evaluation, deny policies on those partition directories did not match and were not applied. The path is now decoded prior to the authorization check, so deny policies on Iceberg partition directories are honored correctly.
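The failure mode above reduces to a string comparison: a deny policy written against region=emea cannot match a request path that still carries region%3Demea. The following Python model is an added example, not RAZ or Ranger code; the policy shape, bucket and user names are constructed for illustration. It shows the pre-fix comparison (no decode) missing the deny, the post-fix comparison (decode once, then evaluate) catching it, and why the decode must happen exactly once.

```python
from urllib.parse import unquote

# Constructed deny policy: no access for "analyst" under one Iceberg
# partition directory. Real RAZ/Ranger policies are richer; this is a model.
DENY_POLICIES = [
    {"path": "s3://lake/warehouse/sales/data/region=emea/", "users": {"analyst"}},
]


def canonical_s3_path(raw_path):
    """Decode the request path exactly once before authorization.

    The AWS SDK v2 percent-encodes '=' in the request URI (region=emea
    arrives as region%3Demea). Decoding once restores the key as stored in
    S3. Decoding twice would also turn a literal '%253D' in a key into '=',
    so the result is deliberately not passed through unquote again.
    """
    return unquote(raw_path)


def is_denied(raw_path, user, *, decode_first=True):
    """Return True when a deny policy covers the request.

    decode_first=False reproduces the pre-fix behaviour: the percent-encoded
    path is compared with the policy path as-is and the deny never matches.
    """
    path = canonical_s3_path(raw_path) if decode_first else raw_path
    return any(
        user in policy["users"] and path.startswith(policy["path"])
        for policy in DENY_POLICIES
    )
```

When auditing a path-based authorizer, test it with the encoded form the client actually sends, not only with the human-readable path the policy author typed; the two must evaluate identically.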
CDPD-85478: [GDS] Dataset details not visible in Ranger access logs for RMS enforcement
7.3.2
Fixed an issue where, for RMS enforcement cases, Ranger access logs showed only the dataset policy ID but did not include the corresponding GDS dataset details. Audit entries now correctly capture the GDS dataset information for RMS-enforced datasets.
CDPD-82386: Ranger does not clean up stale plugin entries after role deletion or migration
7.3.2
Ranger now provides supported REST APIs to remove stale plugin status entries from Ranger Admin. Previously, plugin records for deleted or migrated service roles were not cleaned up and continued to appear under Audits > Plugin Status, causing confusion about plugin health and forcing risky manual database updates. The fix introduces ranger-admin endpoints to delete obsolete plugin entries either by ID or by attributes (such as service name, plugin host name, and application type), allowing administrators to safely clean up outdated plugin information and keep the Plugin Status view accurate.
CDPD-81148: Ranger enters an infinite loop and generates persistent database errors
7.3.2
Fixed an issue where Ranger could enter an infinite loop and generate persistent database errors when concurrent sessions updated or deleted the same policy, role, or tag. Tasks scheduled to run after the main transaction (for example, policy label updates, role version updates, and tag version updates) are now processed correctly, preventing infinite loops and ensuring that database errors no longer require a Ranger restart to recover.
CDPD-80625: Improved exception handling for RAZ GCP HMAC keys
7.3.2
Resolved an issue in the RAZ GCP HMAC key generation lifecycle by ignoring transient storage exceptions and retrying key retrieval a few times, and improved related logging. This makes HMAC key creation and deletion more reliable for GCP RAZ integrations.
CDPD-79459: RMS full-sync fails with unsupported Hive table location schemes
7.3.2
Previously, Ranger RMS full-sync could fail with an exception when Hive table locations were stored on file systems that RMS does not support (for example, Azure abfss), causing full-sync to stop before completion.

This issue has been fixed by skipping unsupported file scheme types when processing table and database metadata during RMS full-sync and delta-sync. Ranger RMS ACL synchronization now continues for supported file schemes, and locations on unsupported file systems are not mapped; instead, an informational message is logged in the RMS server logs.

CDPD-78321: Performance fixes for Ozone plugin
7.3.2
Fixed the following performance issues observed while evaluating policies for multi-level resources:
  • RANGER-4893: Improves policy evaluation for multi level resource hierarchies.
  • RANGER-4922: Reduces time to find tags associated with multi-level resources.
CDPD-78151: Added configuration to control append mode for HDFS audit writes
7.3.2
A new configuration parameter was added to Ranger to control whether APPEND mode is used when writing audits to HDFS after errors or exceptions. Previously, Ranger would attempt to append to existing HDFS audit files in such cases (falling back to WRITE mode if append was not possible) to avoid generating a large number of small audit files. With this change, administrators can explicitly enable or disable the use of APPEND mode for HDFS audit writes, allowing better control over audit file handling in specific deployment scenarios.
CDPD-77949: CSV injection vulnerability during CSV/Excel export from Ranger Admin
7.3.2
Fixed an issue that could allow CSV injection during CSV and Excel exports from Ranger Admin (CVE-2024-55532). The export of Ranger policies to CSV/Excel has been removed from the Ranger Admin UI, and the affected export APIs have been deprecated.
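CSV injection works because a spreadsheet client treats an exported cell that begins with =, +, -, @ (or a tab or carriage return) as a formula, so an attacker who controls a policy name can plant a payload that executes when an administrator opens the export. Cloudera closed the issue by removing the export; the Python below is an added example, not Ranger code, of the neutralization any CSV export path that still exists (for instance an admin script dumping policies fetched from the REST API) needs. The sample policy rows and the DDE-style payload in the second name are constructed.

```python
import csv
import io

# Leading characters that spreadsheet clients interpret as the start of a
# formula (the OWASP CSV injection list). Leading spaces are ignored by some
# clients, so they are stripped before the check.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows: the second policy name is a classic DDE payload.
SAMPLE_POLICIES = [
    {"id": 7, "name": "sales_read", "resources": "database=sales; table=orders", "users": "alice"},
    {"id": 8, "name": "=cmd|'/C calc'!A0", "resources": "database=sales; table=*", "users": "mallory"},
]


def neutralize_cell(value):
    """Prefix a formula-triggering cell with an apostrophe so the client
    displays it as text. Every value is converted to str, so a negative
    number such as -5 is prefixed too; that is the price of treating every
    exported field as untrusted."""
    text = str(value)
    if text.lstrip(" ").startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_policies_csv(policies):
    """Serialize policy rows with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["id", "name", "resources", "users"])
    for policy in policies:
        writer.writerow([neutralize_cell(policy[key]) for key in ("id", "name", "resources", "users")])
    return buf.getvalue()
```

Quoting every cell (QUOTE_ALL) is not itself a defence, since clients still evaluate a quoted cell that starts with =; the apostrophe prefix is what defuses it.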
CDPD-76633: Ranger RMS server throws ConcurrentModificationException
7.3.2
Previously, the Ranger RMS server could enter an unrecoverable error state with a ConcurrentModificationException when large service resource mappings were downloaded to the NameNode while Hive metadata changes were being applied. This could lead to follow-on errors when fetching resource-mapping deltas and no clear path to restore the RMS server to a normal state.

The fix ensures that RMS now uses a shallow copy of the service resource mappings before applying deltas, so the mappings are not modified while they are being serialized for download, preventing the ConcurrentModificationException and stabilizing RMS behavior under concurrent load.

CDPD-75532: Remove self node from the resourceTrie only if it has no children, no evaluators and no wildcard-evaluators
7.3.2
Previously, when two policies shared a subset of resources and applied to the same users (directly or through groups), modifying either policy in any way (name, resources, or users) left only the modified policy in effect during access evaluation until the underlying service was restarted. The resource trie now removes a node only when it has no children, no evaluators, and no wildcard evaluators, so the other policy continues to be evaluated.
CDPD-74403: Fixed hardcoded parcel path and sql driver in authzmigrator
7.3.2
Fixed an issue where the authzmigrator/authz-export.sh script failed with NoClassDefFoundError: javax/jdo/JDOHelper when a custom parcel directory or non-default database driver was used. The script now uses the Cloudera Manager parcel directory configuration instead of a hard-coded Cloudera parcel path and automatically selects the appropriate JDBC driver based on the database flavor.
CDPD-73935: Fixed an issue where Ranger “federated user” accounts could log in and perform operations
7.3.2
Ranger now validates the federated user type and prevents these external, data-sharing users from logging in to Ranger, ensuring they are used only for metrics, access history, and audit purposes related to data-sharing features.
CDPD-73779: Support a new user type for external users from Data Sharing
7.3.2
Fixed an issue where Ranger did not distinguish users created by the Data Catalog external user registration process from other external users. Ranger now supports a new Federated User type in the Ranger Admin UI to represent users originating from Data Sharing (Data Catalog), in addition to the existing Internal and External user types.
CDPD-71673: Security Zone policies version increment issue
7.3.2
This fix addresses an issue where updating a resource caused the associated Security Zone policy version to increment by two instead of one.
CDPD-71563: Issue in dedupTag() method
7.3.2
Fixed a logical flaw in Ranger tag de-duplication that could cause the dedupTag() operation to remove valid tags, which in turn could lead to policy evaluation failures.
CDPD-69631: Disable Atlas service under the policy permission of tag-based policy
7.3.2
Fixed an issue where the Ranger UI incorrectly allowed selecting the Atlas service in tag-based policy permissions, even though tag-based policies are not supported for Atlas. The Atlas service option is now disabled in tag-based policy permissions to prevent misconfiguration.
CDPD-68970: Fixed an inconsistency between the Ranger UI and Policy Creation API
7.3.2
The Policy Creation API now validates input and fails policy creation if the policy contains only empty values or includes [""] or ["null"] in policyItem users, groups, or roles, aligning API behavior with the Ranger UI.
CDPD-68500: Ranger policy create/update accepts duplicate group names
7.3.2
Previously, Ranger allowed duplicate group and role entries to be added to policies when using the public policy API (/service/public/v2/api/policy), even though the Ranger UI blocked such duplicates. This caused policies created or updated via the API to contain repeated group or role names. The API has been updated to remove duplicate user, group, and role entries during policy creation and update, ensuring consistent behavior with the Ranger UI.
CDPD-68297: REST endpoints do not prevent duplicate values for a resource
7.3.2
REST-based policy creation in Ranger now prevents duplicate values for a resource. Previously, REST API calls could create policies with duplicate resource values (for example, a database list like [test_db1, test_db1]), which could result in multiple policies for the same resource. Policy validation has been updated to reject such requests and require all values for a given resource to be unique.
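The three API-side checks above (CDPD-68970, CDPD-68500 and CDPD-68297) are all input validation on the policy JSON the public API accepts. The Python below is an added example, not Ranger's validator, that applies the same rules to a Ranger-style policy dict: duplicate resource values are rejected, "" or "null" principals and policy items with no principals are rejected, and repeated user, group and role names are collapsed. The sample policy and the cm_hive service name are constructed.

```python
import json


class PolicyValidationError(ValueError):
    """Raised for payloads the API should reject outright."""


PRINCIPAL_KEYS = ("users", "groups", "roles")

# Constructed sample payload in the shape of /service/public/v2/api/policy:
# the same user and group are listed twice, which the UI would refuse.
SAMPLE_POLICY = {
    "service": "cm_hive",
    "name": "sales_orders_read",
    "resources": {
        "database": {"values": ["sales"]},
        "table": {"values": ["orders"]},
        "column": {"values": ["*"]},
    },
    "policyItems": [
        {
            "users": ["alice", "alice"],
            "groups": ["analysts", "analysts"],
            "roles": [],
            "accesses": [{"type": "select", "isAllowed": True}],
        }
    ],
}


def _bad_principal(name):
    # "" and "null" (any case, padded) are the values the fix rejects;
    # a non-string is treated the same way.
    return not isinstance(name, str) or name.strip() == "" or name.strip().lower() == "null"


def normalize_policy(policy):
    """Return a cleaned copy of a Ranger-style policy dict or raise.

    Checks, in order:
      1. every resource's value list is free of duplicates (reject);
      2. no policyItem names "", "null" or an empty set of principals (reject);
      3. repeated user/group/role names are collapsed, first occurrence kept.
    """
    out = json.loads(json.dumps(policy))  # deep copy; the caller's dict is untouched
    for res_name, res in out.get("resources", {}).items():
        values = res.get("values", [])
        if len(values) != len(set(values)):
            raise PolicyValidationError(f"duplicate values for resource {res_name!r}: {values}")
    for item in out.get("policyItems", []):
        has_principal = False
        for key in PRINCIPAL_KEYS:
            names = item.get(key, [])
            if any(_bad_principal(n) for n in names):
                raise PolicyValidationError(f"invalid {key} entry in policyItem: {names}")
            item[key] = list(dict.fromkeys(names))  # dedupe, order preserved
            has_principal = has_principal or bool(item[key])
        if not has_principal:
            raise PolicyValidationError("policyItem has no users, groups or roles")
    return out


def rejection_reason(policy):
    """None when the payload is accepted, otherwise the rejection message."""
    try:
        normalize_policy(policy)
    except PolicyValidationError as exc:
        return str(exc)
    return None
```

Running a check like this client-side before calling the API is also a cheap way to keep automation from depending on server-side behaviour that differs between Runtime versions.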
CDPD-67359: Permissions issues while trying to access folders in Hue file browser
7.3.2
Fixed an issue in the Hue File Browser where accessing S3 directories with more than 1000 objects whose names contained the “=” character failed with a “Cannot Access: <s3 Path>” error. The S3 marker parameter encoding has been corrected so that directories with 1000+ such keys can now be listed successfully through RAZ.
CDPD-67269: Support multiple resource sets in a policy
7.3.2
Improved Ranger policy evaluation to fully support multiple resource sets within a single policy, aligning Cloudera Ranger behavior with the upstream Apache Ranger RANGER-3796 enhancement.
CDPD-62008: Ranger ABAC now supports internal user and group attributes
7.3.2
Resolved an issue where Ranger ABAC policies could not leverage certain internal user and group attributes. ABAC policies can now use the following internal attributes for access control, masking, and row-filtering decisions: syncSource, isInternal, and emailAddress.
CDPD-40734: User allowed to insert data into a hive table when there is a deny policy on a table column
7.3.2
Previously, a user could insert data into a Hive table even when a deny policy existed on one of the table's columns. This has been fixed: a deny policy on any column of the table now blocks the insert.
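The bypass above comes from evaluating INSERT only against the table resource while the deny is attached to a column. The Python below is an added example, not Ranger's policy engine, that models the distinction: the table schema, policies and user names are constructed, and the policy shape is a deliberate simplification of Ranger's resource, policyItems and denyPolicyItems model. It assumes, as Ranger's Hive plugin does, that INSERT is evaluated as the "update" access type.

```python
# Constructed table schema and policies (a simplification of Ranger's model).
TABLE_COLUMNS = {"sales.orders": ["id", "amount", "card_number"]}

POLICIES = [
    # table-wide allow for two users
    {"table": "sales.orders", "column": "*", "access": {"select", "update"},
     "allow": {"alice", "bob"}, "deny": set()},
    # column-level deny for alice only
    {"table": "sales.orders", "column": "card_number", "access": {"select", "update"},
     "allow": set(), "deny": {"alice"}},
]


def _matches(policy, table, column, access):
    return (policy["table"] == table
            and policy["column"] in ("*", column)
            and access in policy["access"])


def column_allowed(user, table, column, access, policies):
    """Evaluate one column: any matching deny wins over any matching allow."""
    allowed = False
    for policy in policies:
        if not _matches(policy, table, column, access):
            continue
        if user in policy["deny"]:
            return False
        if user in policy["allow"]:
            allowed = True
    return allowed


def can_insert(user, table, policies, *, expand_columns=True):
    """INSERT writes every column, so the post-fix check evaluates each one.

    expand_columns=False reproduces the pre-fix behaviour: only the table
    resource (column "*") is evaluated, so a column-level deny is never seen.
    Ranger's Hive plugin maps INSERT to its "update" access type (assumption
    stated in the lead-in); the same name is used here.
    """
    columns = TABLE_COLUMNS[table] if expand_columns else ["*"]
    return all(column_allowed(user, table, col, "update", policies) for col in columns)
```

The general rule this illustrates: a write that touches every column of a resource must be authorized at the finest granularity at which a deny can be expressed, or the deny is only as strong as the coarsest check.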

OPSAPS-75602: Issue with RANGER_C719 CSD becoming stale after upgrading Cloudera Manager
7.3.2
Fixed an issue where the RANGER_C719 CSD could become stale after upgrading Cloudera Manager from 7.13.1.600 with Cloudera 7.1.9 to 7.13.2.0 by fixing the following:
  • OPSAPS-73498: Added Cloudera Manager side ranger-trino integration changes.
  • OPSAPS-73152: Improved Ranger Admin Diagnostic collection command from Cloudera Manager scripts.
OPSAPS-75556: After upgrade from 7.1.9 to 7.3.2.0 dataset field type is set to boolean in solr managed-schema
7.3.2
Fixed an issue where, after upgrading from Cloudera 7.1.9 to 7.3.2, the datasets field in the ranger_audits Solr collection schema was incorrectly set to the boolean type instead of key_lower_case with multiValued="true". This schema mismatch caused Ranger Admin to fail to load the Access Audit page on upgraded clusters. The upgrade process now updates the ranger_audits Solr schema so that the datasets field is created with the correct type and behaves consistently with fresh 7.3.2 deployments.
OPSAPS-71619: Removed the mandatory validation for ranger.ldap.user.dnpattern
7.3.2
Previously, when LDAP was configured as the external authentication type for Ranger Admin, the ranger.ldap.user.dnpattern parameter was mandatory. If it was not set, the Ranger Admin service failed to start, even though this parameter is rarely required and is ignored when LDAP bind DN/password and user search parameters are configured. This has been fixed by removing the mandatory validation for ranger.ldap.user.dnpattern, so the parameter is now optional and the service can start without requiring a dummy value.
OPSAPS-69156: Fixed an issue with Java add-opens/add-modules/add-exports options
7.3.2
Cloudera Manager components now consistently use the --add-opens=, --add-modules=, and --add-exports= syntax for Java options. This avoids cases where options passed via JAVA_TOOL_OPTIONS could be rejected (for example when using --add-opens or --add-exports without =), improving compatibility across different Java runtimes.
OPSAPS-67197: Ranger RMS server shows as healthy without service being accessible
7.3.2
Previously, Cloudera Manager reported the Ranger RMS server as healthy based only on the RMS process (PID), even when the RMS web service was not fully initialized and the service was inaccessible. The health check logic has been updated to use a Cloudera Manager web alert that verifies the Ranger RMS web endpoint instead of relying solely on the PID. This allows Cloudera Manager to more accurately detect when RMS is not accessible and helps users identify RMS availability issues faster.