Release 9.0.15.1

These are the Rolling Release Notes for Release 9.0.15.1. These release notes apply only to Privacera's Self Managed version.

Information

This release is exclusively for deployments on the AWS Cloud.

Self-Managed Privacera

All 9.x Privacera versions now support Kubernetes versions up to 1.32. For more information, see Compatibility & Versions.

Apache Ranger

Improved Ranger Metrics Dashboard for Better Performance Monitoring

The Ranger Metrics Dashboard has been upgraded to monitor database load times for policystore and tagstore. These enhancements improve observability, troubleshooting, and performance optimization for Ranger.

PolicySync Connector

Support for Dynamic Filtering in Unity Catalog Audits

This release introduces support for filtering Unity Catalog audits using dynamic filter conditions. You can configure the CONNECTOR_DATABRICKS_UNITY_CATALOG_AUDIT_QUERY_CONDITION property to define custom conditions for filtering audit logs. For more information, see Manage Access Audits.

Improved Rate Limit Handling for Databricks Unity Catalog Connector

The Databricks Unity Catalog connector uses the Databricks SCIM API to manage users, groups, and roles. Since the SCIM API enforces rate limits, exceeding them may cause the connector to be throttled. To mitigate this, the connector now detects when a Databricks API request returns a 429 Too Many Requests response and implements a predefined wait time before retrying the request.

Resolved Unexpected Masking Issue on Newly Added Columns in Databricks Unity Catalog Connector

Previously, when a new column was added to a table where a user had SELECT permission on all columns, the newly added column's data was unexpectedly masked, even though no masking policy was applied.

This issue has now been fixed, ensuring that users with the necessary permissions can access newly added columns as expected.

Ensuring delete.service.user Property is Honored

In Privacera Ranger, when user email addresses were changed from mixed case to lowercase, the Databricks-SQL connector detected this as a change and recreated users in Databricks with the new email address.

Previously, the delete.service.user property was not honored, and users were removed even when the property was set to false. This issue has been resolved, ensuring that users are no longer deleted when the property is correctly configured.

Resolved User Mismatch in Service Group API for DBX-SQL Connector

The API for fetching the service group was returning users with their display names, causing a mismatch with users managed by PolicySync, which uses email IDs. This mismatch led to unnecessary updateGroup/updateRole API calls and excessive log entries.

The system now retrieves the corresponding email ID for users and replaces the display name with it to prevent this issue.

Fixes for User and Group Management in PolicySync

Previously, groups and roles, along with their mappings, were being created internally even if they were not managed, leading to excessive logging when non-managed users were not found during Principal loading.

Now, groups and roles are only created if they are managed, and unmanaged users are skipped during Principal loading. This change reduces unnecessary log entries.

Known Issue: OPS Connector Requires Configuration Update for New Artifact Storage

Users enabling vars.ops-bridge.yml may encounter an issue due to recent changes in the release process. As part of ongoing improvements, artifacts are now managed in a different location with a new versioning approach. This may impact access to certain resources, including the MSK CloudFormation template.

Workaround:

To resolve this issue, create and update the required configuration file:

  1. Create and open the vars.ops-bridge-custom.yml file:

    Bash
    vi ~/privacera/privacera-manager/config/custom-vars/vars.ops-bridge-custom.yml
    

  2. Add the following configuration and save the file:

    YAML
    OPS_CONNECTOR_BASE_DOWNLOAD_URL: "{{PRIVACERA_BASE_DOWNLOAD_URL}}/privacera-ops-connectors/{{OPS_CONNECTORS_VERSION}}"
    OPS_CONNECTOR_MSK_CLOUDFORMATION_DOWNLOAD_URL: "{{OPS_CONNECTOR_BASE_DOWNLOAD_URL}}/{{OPS_CONNECTOR_MSK_CLOUDFORMATION_NAME}}"
    OPS_CONNECTOR_MSK_LAMBDA_CODE_BUCKET: "{{ OPS_CONNECTOR_MSK_LAMBDA_CODE_DOWNLOAD_URL | urlsplit('netloc') | regex_replace('^(.*?)\\.s3\\.[^\\.]+\\.amazonaws\\.com$', '\\1') }}"
    OPS_CONNECTOR_MSK_LAMBDA_CODE_DOWNLOAD_URL: "{{ OPS_CONNECTOR_BASE_DOWNLOAD_URL }}/{{ OPS_CONNECTOR_MSK_LAMBDA_CODE_ZIP_FILE_NAME }}"
    OPS_CONNECTOR_MSK_LAMBDA_CODE_PATH: "{{ OPS_CONNECTOR_MSK_LAMBDA_CODE_DOWNLOAD_URL | urlsplit('path') | regex_replace('^/', '') }}"
    
    OPS_CONNECTOR_EVENT_BRIDGE_CLOUDFORMATION_DOWNLOAD_URL: "{{OPS_CONNECTOR_BASE_DOWNLOAD_URL}}/{{OPS_CONNECTOR_EVENT_BRIDGE_CLOUDFORMATION_NAME}}"
    
    OPS_CONNECTOR_EVENT_BRIDGE_LAMBDA_CODE_BUCKET: "{{OPS_CONNECTOR_EVENT_BRIDGE_LAMBDA_CODE_DOWNLOAD_URL | urlsplit('netloc') | regex_replace('^(.*?)\\.s3\\.[^\\.]+\\.amazonaws\\.com$', '\\1') }}"
    OPS_CONNECTOR_EVENT_BRIDGE_LAMBDA_CODE_DOWNLOAD_URL: "{{OPS_CONNECTOR_BASE_DOWNLOAD_URL}}/{{OPS_CONNECTOR_EVENT_BRIDGE_LAMBDA_CODE_ZIP_FILE_NAME}}"
    OPS_CONNECTOR_EVENT_BRIDGE_LAMBDA_CODE_PATH: "{{OPS_CONNECTOR_EVENT_BRIDGE_LAMBDA_CODE_DOWNLOAD_URL | urlsplit('path') | regex_replace('^/', '') }}"
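
A pre-flight check for the workaround above, as an added example (not Privacera's code): it mirrors the urlsplit and regex_replace filter chains in Python to show what the *_LAMBDA_CODE_BUCKET and *_LAMBDA_CODE_PATH variables resolve to for a given download URL, and flags hosts the pattern does not match. The sample URLs, version string and file name are constructed.

```python
import re
from urllib.parse import urlsplit

# Same pattern as the regex_replace filter in the YAML above, after YAML unescaping.
S3_VHOST = re.compile(r'^(.*?)\.s3\.[^\.]+\.amazonaws\.com$')


def derive_bucket_and_path(download_url):
    """Mirror the two filter chains: netloc -> bucket, path -> object key."""
    parts = urlsplit(download_url)
    # urlsplit('netloc') | regex_replace('^(.*?)\.s3\.[^\.]+\.amazonaws\.com$', '\1')
    bucket = S3_VHOST.sub(r'\1', parts.netloc)
    # urlsplit('path') | regex_replace('^/', '')
    path = re.sub(r'^/', '', parts.path)
    return bucket, path


def check_download_url(download_url):
    """Return the problems that would leave the derived bucket or path wrong."""
    problems = []
    host = urlsplit(download_url).netloc
    bucket, path = derive_bucket_and_path(download_url)
    if not S3_VHOST.match(host):
        # regex_replace returns non-matching input unchanged, so the
        # "bucket" silently becomes the whole hostname.
        problems.append(
            'host is not <bucket>.s3.<region>.amazonaws.com; '
            'bucket would resolve to %r' % bucket)
    if not path:
        problems.append('URL has no object key after the host')
    return problems


# Constructed sample values (not real Privacera locations).
VIRTUAL_HOSTED = ('https://example-artifacts.s3.us-east-1.amazonaws.com'
                  '/privacera-ops-connectors/0.0.0/example-lambda.zip')
PATH_STYLE = ('https://s3.us-east-1.amazonaws.com'
              '/example-artifacts/privacera-ops-connectors/0.0.0/example-lambda.zip')
LEGACY_GLOBAL = 'https://example-artifacts.s3.amazonaws.com/example-lambda.zip'

if __name__ == '__main__':
    for url in (VIRTUAL_HOSTED, PATH_STYLE, LEGACY_GLOBAL):
        print(url)
        print('  bucket, path:', derive_bucket_and_path(url))
        print('  problems:', check_download_url(url) or 'none')
```

Only the regional virtual-hosted form yields a bare bucket name; for any other host the bucket variable resolves to the full hostname.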
    

Spark Plugin

Configuring Allowed Users for STS Endpoint Access in EMR

This release provides support to configure a list of users who can access the STS endpoint in an EMR cluster.

Fixes for Query Execution Issues on DBR 14.3 LTS and DBR 15.4 LTS

This release resolves query execution issues in the Databricks Spark Plugin FGAC for DBR 14.3 LTS and DBR 15.4 LTS. The following queries now execute successfully without any exceptions:

  • REFRESH TABLE
  • UNCACHE TABLE
  • FSCK REPAIR TABLE
  • SHOW VIEWS IN <db>
  • SHOW FUNCTIONS IN <db>
  • SHOW COLUMNS
  • DROP NON-EXISTING VIEW

Trino Plugin

Support for Open Source Trino (OST) Version 472

This release adds support for Open Source Trino (OST) version 472.

Starburst Trino Plugin

Support for Starburst Enterprise Version 468-e.x LTS

This release adds support for Starburst Enterprise version 468-e.x LTS.
