Ranger 2.3.0.0 - 2210 (EEP 9.0.0) Release Notes
Apache Ranger is a tool to help you monitor and manage security for the Hadoop components that are included in the HPE Ezmeral Ecosystem Pack. For more information about the Data Fabric implementation of Ranger, see Ranger.
The notes below relate specifically to the HPE Ezmeral Data Fabric distribution of Apache Ranger. You may also be interested in the Apache Ranger home page and the Apache Ranger 2.3.0 changelog.
These release notes contain only HPE-specific information and are not necessarily cumulative in nature. For information about how to use the release notes, see Ecosystem Component Release Notes.
| Version | 2.3.0.0 |
| Release Date | October 2022 |
| HPE Version Interoperability | See EEP 9.0.0 Components and OS Support. |
| Source on GitHub | https://github.com/mapr/ranger |
| GitHub Release Tag | 2.3.0.0-eep-900 |
| Maven Artifacts | https://repository.mapr.com/maven/ |
| Package Names | Navigate to http://package.ezmeral.hpe.com/releases/MEP/, and select your EEP (MEP) and OS to view the list of package names. |
New in this Release
This is the first release of the Ranger component. Starting from EEP 9.0.0, the HPE Ezmeral Data Fabric supports Apache Ranger in core release 7.1.0. Ranger is supported for FIPS-enabled nodes. You can use Ranger to create policies that restrict access to Hive Metastore and HiveServer2.
Installation
- Installing Ranger (manual steps)
- Installing Ranger Using the Installer
Fixes
None. This is the first release of the Data Fabric Ranger product.
Known Issues and Limitations
The following table summarizes the known issues:| Issue(s) | Description | Workaround or Notes |
|---|---|---|
| N/A | The Ranger component in EEP 9.0.0 cannot be used in a mixed FIPS configuration (a cluster consisting of FIPS and non-FIPS nodes). | None. |
| RAN-161, RAN-169, RAN-177 | Applying HiveCLI Policies | Issues with HiveCLI and Ranger integration require the user to perform the
following steps to get Ranger policies applied in HiveCLI:
|
| RAN-166 | Hive Metastore Auth Enabling/Disabling Automation | See "HMS auth enabling" and "disabling" in the documentation. Currently, this function must be performed manually by the user. |
| RAN-181 | Column-Level Access in Hive Metastore | Currently in Ranger, you cannot restrict access on the column level in the Hive Metastore. |
| RAN-171 | Column-Level Policies Break the Connection to the Hive Metastore | If you have policies that are applied for concrete columns (and not for a
wildcard (*)), you might encounter a problem where you cannot connect to the Hive
Metastore from any client. To fix this issue, provide access to the corresponding
database and table. For example:
|
| RAN-175 | The Ranger Hive service can fail to connect to the Hive Thrift Server on a Kerberos cluster. This happens because Kerberos implements a user format that is different from the format used by non-Kerberos clusters. The difference in user formats causes authentication to fail. | Use either of the following workarounds:
|
| RAN-179 | Row-Level Filtering and Column Masking in Hive Metastore | These features are not supported in Hive Metastore. |
| RAN-182 | Spark Needs Access to the Default Database | If you want to connect to your custom database from Spark, you first need to provide access to the default database. |
| RAN-183 | SHOW DATABASES will not be restricted in spark and drill. SHOW TABLES will not be restricted in Drill. | |
| RAN-184, RAN-187, RAN-188 | To execute an INSERT if you are integrating with Hive Metastore, you must provide SELECT, UPDATE, and ALTER permissions on the table level. | Provide all three permissions. If you provide the SELECT and UPDATE permissions but do not provide the ALTER permission, you will be able to insert a record to a table, but an error message will be generated for the missing ALTER permission. |
Resolved Issues
None.