Ranger 2.3.0.0 - 2210 (EEP 9.0.0) Release Notes

Apache Ranger is a tool to help you monitor and manage security for the Hadoop components that are included in the HPE Ezmeral Ecosystem Pack. For more information about the Data Fabric implementation of Ranger, see Ranger.

The notes below relate specifically to the HPE Ezmeral Data Fabric distribution of Apache Ranger. You may also be interested in the Apache Ranger home page and the Apache Ranger 2.3.0 changelog.

These release notes contain only HPE-specific information and are not necessarily cumulative in nature. For information about how to use the release notes, see Ecosystem Component Release Notes.

Version 2.3.0.0
Release Date October 2022
HPE Version Interoperability See EEP 9.0.0 Components and OS Support.
Source on GitHub https://github.com/mapr/ranger
GitHub Release Tag 2.3.0.0-eep-900
Maven Artifacts https://repository.mapr.com/maven/
Package Names Navigate to http://package.ezmeral.hpe.com/releases/MEP/, and select your EEP (MEP) and OS to view the list of package names.

New in this Release

This is the first release of the Ranger component. Starting from EEP 9.0.0, the HPE Ezmeral Data Fabric supports Apache Ranger in core release 7.1.0. Ranger is supported for FIPS-enabled nodes. You can use Ranger to create policies that restrict access to Hive Metastore and HiveServer2.

Installation

You can install Ranger by using manual steps or by using the Installer. See these topics:

Fixes

None. This is the first release of the Data Fabric Ranger product.

Known Issues and Limitations

The following table summarizes the known issues:
Issue(s) Description Workaround or Notes
N/A The Ranger component in EEP 9.0.0 cannot be used in a mixed FIPS configuration (a cluster consisting of FIPS and non-FIPS nodes). None.
RAN-161, RAN-169, RAN-177 Applying HiveCLI Policies Issues with HiveCLI and Ranger integration require the user to perform the following steps to get Ranger policies applied in HiveCLI:
  1. Create or update the policy.
  2. Start the HiveCLI session as the cluster admin user, and run some simple queries.
  3. Reconnect from a common user if it was connected during the policy update.
Auditing with Solr and tag-based policies are not supported.
RAN-166 Hive Metastore Auth Enabling/Disabling Automation See "HMS auth enabling" and "disabling" in the documentation. Currently, this function must be performed manually by the user.
RAN-181 Column-Level Access in Hive Metastore Currently in Ranger, you cannot restrict access on the column level in the Hive Metastore.
RAN-171 Column-Level Policies Break the Connection to the Hive Metastore If you have policies that are applied for concrete columns (and not for a wildcard (*)), you might encounter a problem where you cannot connect to the Hive Metastore from any client. To fix this issue, provide access to the corresponding database and table. For example:
  1. Create a policy for db.NONE.
  2. Create a policy for db.table.NONE.
RAN-175 The Ranger Hive service can fail to connect to the Hive Thrift Server on a Kerberos cluster. This happens because Kerberos implements a user format that is different from the format used by non-Kerberos clusters. The difference in user formats causes authentication to fail. Use either of the following workarounds:
RAN-179 Row-Level Filtering and Column Masking in Hive Metastore These features are not supported in Hive Metastore.
RAN-182 Spark Needs Access to the Default Database If you want to connect to your custom database from Spark, you first need to provide access to the default database.
RAN-183 SHOW DATABASES will not be restricted in spark and drill. SHOW TABLES will not be restricted in Drill.
RAN-184, RAN-187, RAN-188 To execute an INSERT if you are integrating with Hive Metastore, you must provide SELECT, UPDATE, and ALTER permissions on the table level. Provide all three permissions. If you provide the SELECT and UPDATE permissions but do not provide the ALTER permission, you will be able to insert a record to a table, but an error message will be generated for the missing ALTER permission.

Resolved Issues

None.