Release 9.2.16.1
These are the Rolling Release Notes for Release 9.2.16.1. These release notes are applicable to Privacera's Self-Managed version.
Compatibility Notice
Spark Plugin Requires Latest aws-java-sdk Version
- Impact: This applies only if you are using the Spark Plugin with any supported deployment and an aws-java-sdk version lower than v1.11.498. In such cases, the plugin may fail to initialize, and access control will not function as expected.
- Action Required: Ensure that you are using aws-java-sdk version v1.11.498 or later, or the latest version supported for your deployment.
Apache Ranger
Added Ranger Metrics Initial Delay and Related Properties
Exposed Ranger metrics cache configuration in Ranger Admin to allow tuning of initial delay and related behavior.
You can now configure the following properties in the Ranger Admin YAML:
- ranger.metrics.cache.enabled
- ranger.metrics.cache.interval.seconds
- ranger.metrics.cache.intx.sleep.ms
- ranger.metrics.cache.initial.delay.seconds
For more information, see Ranger Admin Prometheus / Metrics Configuration Properties.
Fixed 504 Gateway Timeout During Role Grant for Large User/Group/Role Sets
Resolved an issue where the role grant API (/service/public/v2/api/roles/grant) returned 504 Gateway Timeout errors when processing large user, group, or role sets. This fix includes:
- Optimization of batch delete size
- Improved batching for cleanup and recreation of mapping tables
Additionally, the default value of BATCH_DELETE_BATCH_SIZE has been updated.
PolicySync Connector
Flag-Based Control for Policy Evaluation Order for Masking and RLF for Snowflake and Databricks Unity Catalog
Added a flag-based control to configure the policy evaluation order for masking and RLF policies in the Snowflake and Databricks Unity Catalog connectors.
Logging Library Upgrades for Lake Formation Connector
Upgraded logging dependencies in the PolicySync Lake Formation connector to current stable versions. These updates improve logging stability and performance and align with supported, non-end-of-life releases.
Improved Database Policy Handling in Lake Formation Connector
Improved handling of database policies in the Lake Formation connector to ensure that Privacera database policies with table wildcards no longer grant database-level permissions.
Added On-Demand V2 Resource Sync Support via Azure Event Hub for Databricks Unity Catalog
- Enabled On-Demand V2 resource sync for the Databricks Unity Catalog connector using Azure Event Hub.
- For more information, refer to Configure Event-Driven On-Demand Sync for Databricks Unity Catalog Connector.
Improved Concurrency Handling for BigQuery Masking Tag Propagation
Enhanced the BigQuery connector to handle concurrent tag and masking policy operations more reliably, ensuring consistent masking tag application and preventing failures caused by duplicate or missing tags.
Omni Migration - PolicySync MSSQL Connector
- Added Omni support for the MSSQL PolicySync connector, enabling integration with the Omni Metadata Service for centralized metadata and governance.
Fixed Issue with Implicit Grant Permission Revocation in Unity Catalog Connector
Fixed an issue where implicit grant permissions were not revoked correctly for the Unity Catalog connector.
Spark Plugin
Added FGAC, OLAC_FGAC Support for Databricks Runtime 17.3 LTS
Introduced FGAC, OLAC_FGAC support for Databricks Runtime 17.3 LTS to enable compatibility with the latest LTS environment.
Introduced a Plugin to Distribute JWT and Privacera Tokens
Introduced a plugin that helps distribute the JWT tokens and the Privacera token from the driver to the executors. This helps avoid the JWTTokenNotFoundException during execution of the Spark job. It is supported only for OLAC deployments with JWT authentication configured.
The feature is supported for:
- Apache Spark OLAC - refer to Enable Distributor Plugin for Apache Spark
- Databricks OLAC - refer to Enable Distributor Plugin for Databricks
- EMR OLAC - refer to Enable Distributor Plugin for EMR
Fixed Spark-SQL Startup Failure on EMR 7.8.0 with Glue Catalog
Addressed an issue where spark-sql could fail to start on EMR 7.8 when initializing the Glue metastore client, resulting in an SSL handshake error. This fix ensures successful initialization of the Glue catalog and stable spark-sql startup.
Trino Plugin
Configure Deny Policy Dominance for Trino
Added support to configure whether deny policies take precedence over allow policies for operations such as SHOW TABLES in Trino. When enabled, an explicit deny policy overrides any matching allow policy, ensuring fine-grained exclusions are enforced within broadly permitted resource scopes. This setting is disabled by default.
This feature is supported for:
- Open Source Trino — refer to Configure Deny Policy Dominance
- Starburst Trino — refer to Configure Deny Policy Dominance
- Trino on EMR — refer to Configure Deny Policy Dominance for Trino on EMR
Fixed Column-Level Access Control for Trino
Fixed an issue where all columns in a table were visible even when permissions were granted only for specific columns. Column-level access control is now correctly enforced, ensuring users can only see the columns they have been explicitly permitted to access.
DataServer
Property to Configure STS Token Expiry Buffer
Introduced a new property to configure the STS token expiry buffer for a configured profile. The default value is 60 seconds. This helps ensure that the STS token is refreshed before it expires, so that the session is not interrupted.
Privacera Manager
Fixed Custom-Properties Files Being Copied into DataServer
- Fixed an issue where files in config/custom-properties were copied into the DataServer Kubernetes config map.
- The JWT public-key copy now runs only when a JWT public key filename is set and the path points to an actual file.
PEG
PEG Server: Grafana Dashboards for Service and Performance Monitoring
- Service dashboard: Pod details, HTTP request/response and error-rate metrics, and 5-minute error alerts.
- Performance dashboard: Throughput, latency percentiles (P50–P99.99), and error rate for capacity planning and troubleshooting.
Portal
Data Explorer – Improved Resource Selection
Fixed an issue where adding a resource after searching in Data Explorer could sometimes select the wrong database for certain data sources. This has been corrected to ensure the right database is always used, so resource inclusion and scanning now work reliably.