Release 9.2.19.1

These are the Rolling Release Notes for Release 9.2.19.1. These release notes are applicable to both Privacera's Self-Managed version and PrivaceraCloud.

🔥 Breaking Changes

Kafka: ZooKeeper mode removed; KRaft mode only

Starting with version 9.2.19.1, ZooKeeper mode is no longer supported for Apache Kafka. Only KRaft mode is supported.

  • Impact: ZooKeeper mode is removed in this release. Deployments on Azure Kubernetes Service (AKS) and Amazon Elastic Kubernetes Service (EKS) that still use ZooKeeper-based Kafka will fail to upgrade successfully.
  • Reason: Privacera Self-Managed 9.2.19.1 adopts Apache Kafka 4.x, which does not support ZooKeeper mode. Metadata management is handled exclusively through the KRaft protocol.
  • Action required: Before upgrading to 9.2.19.1:
    • Migrate Kafka from ZooKeeper mode to KRaft mode.
    • Ensure KAFKA_ENABLE_KRAFT_MODE and all related configuration settings follow the KRaft deployment model.
    • Validate the KRaft setup before initiating the upgrade.
  • More details:

Snowflake PS-Connector: Updated the Default Value for Role Evaluation Method for Masking and RLF

Starting with this version, the default value for CONNECTOR_SNOWFLAKE_USE_CURRENT_AVAILABLE_ROLES (ranger.policysync.connector.0.use.current.available.roles) in the Snowflake Connector is set to true.

  • Impact: This change affects how roles are evaluated for Masking and Row-Level Filtering (RLF) conditions.

  • Action required: Based on your current setup, follow the applicable scenario below:

    1. If the property is not explicitly set and you want to continue with the new default, i.e., current_available_roles():

      • You must clean the Connector PVC before you start upgrading to this version.
      • Alternatively, after upgrading, you can disable and re-enable the existing policies. This is not recommended because it must be done for all Masking and Row-Level Filter policies.
      • No configuration change is needed. Once the PVC is cleaned, the upgrade can be started.

    2. If the property is not set and you want to continue using is_role_in_session():
      You must explicitly set CONNECTOR_SNOWFLAKE_USE_CURRENT_AVAILABLE_ROLES=false before upgrading to this version.

    3. If the property is already set to true and you want to continue using current_available_roles():
      You can upgrade directly to this version without any additional steps.

  • More details:
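
The pre-upgrade decisions for the two breaking changes above, written as a check over a deployment's variables; this is an added example, not Privacera tooling. It assumes the deployment runs both Kafka and the Snowflake connector, that variables are kept as `NAME: "value"` or `NAME=value` lines, and that `true` is the value that selects KRaft mode; the function names are hypothetical.

```python
import re

# Variable names come from the release notes. The file layout and the
# meaning of "true" for KAFKA_ENABLE_KRAFT_MODE are assumptions.
KRAFT_VAR = "KAFKA_ENABLE_KRAFT_MODE"
ROLES_VAR = "CONNECTOR_SNOWFLAKE_USE_CURRENT_AVAILABLE_ROLES"
LINE_RE = re.compile(r'^\s*([A-Z0-9_]+)\s*[:=]\s*["\']?([^"\'#\s]*)["\']?\s*(?:#.*)?$')

# Constructed sample: KRaft enabled, Snowflake property present only as a comment.
SAMPLE_VARS = '''\
KAFKA_ENABLE_KRAFT_MODE: "true"
# CONNECTOR_SNOWFLAKE_USE_CURRENT_AVAILABLE_ROLES: "false"
'''


def parse_vars(text):
    """Return {NAME: value} for active (uncommented) assignments; last one wins."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found


def preupgrade_findings(vars_text, keep_is_role_in_session=False):
    """Return the actions that must happen before upgrading to 9.2.19.1."""
    cfg = parse_vars(vars_text)
    findings = []
    if cfg.get(KRAFT_VAR) != "true":
        findings.append(f"{KRAFT_VAR} is not true: migrate Kafka to KRaft and validate it")
    roles = cfg.get(ROLES_VAR)
    if roles is None and keep_is_role_in_session:
        findings.append(f"set {ROLES_VAR}=false")   # scenario 2
    elif roles is None:
        findings.append("clean the Connector PVC")  # scenario 1
    # roles == "true" is scenario 3: upgrade directly.
    # An explicit "false" is not covered by the release notes, so no finding.
    return findings


if __name__ == "__main__":
    for item in preupgrade_findings(SAMPLE_VARS):
        print("BLOCKER:", item)
```
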

Apache Ranger

Fixed Concurrent Role Updates With Retry and HTTP 409 Conflict

Fixed an issue where concurrent role updates could fail or produce inconsistent results under load. Role updates now use pre-validation and retry logic for database conflicts. Transient failures are retried with backoff; if retries are exhausted, the API returns HTTP 409 Conflict instead of applying a partial update.

Fixed Stale Tags Returned After Tag Deletion in Tag Enricher

Resolved an issue where deleted tags could still be returned by the Tag Enricher because of a stale in-memory cache during delta merge, especially when tag de-duplication was enabled. During delta merge, tags are now reconciled with the final resource-to-tag mapping, unreferenced tags are removed, and the cached tag set is rebuilt when de-duplication is enabled, so results stay consistent without a manual cache reset, including under frequent create-and-delete workloads.

Apache Ranger Base Image Upgrade

Updated the base image to a newer version to remediate security vulnerabilities identified in the CVE report. Additionally, hardened the Graal engine in Ranger plugins to address CVE-2025-59059 related to remote code execution (RCE).

[Pcloud] Added Single Tag per Column Restriction for BigQuery Service Definition

The BigQuery Ranger service definition now enforces a single-tag restriction per column. Each column can be associated with only one tag, preventing conflicting tag assignments.

Privacera Discovery

Updated Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Privacera Kafka

Updated Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Privacera PKafka

Updated Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Portal

Security Updates

Addressed multiple vulnerabilities in third-party dependencies and resolved critical and high-severity CVEs identified through security scans, enhancing the platform's overall security, stability, and reliability.

Known Issue: Portal May Fail to Start on Fresh Installation Due to Database Initialization Failure

On a fresh installation, the Portal service may fail to start when database initialization does not complete successfully. For impact, workaround, and resolution, see Known Issues – Privacera Portal.

PolicySync Connector

Snowflake Connector – Improved resource loading for On Demand sync

  • Improved how the Snowflake PolicySync connector discovers and loads resources during On Demand sync, so metadata stays aligned with Snowflake when objects are created or recreated under different ownerships.

MSSQL Connector – Fixed Resource Lookup Issue for new Service Def mssql_19

  • Fixed a resource lookup/visibility issue during policy creation in the new Ranger service definition.

Databricks Unity Catalog Connector – Masking-Only ACL Loading Support

  • Introduced a configuration flag to enable masking-only ACL loading.
  • When enabled, access policy ACLs are not loaded, and only masking policy ACLs are loaded.
  • Allows external systems to continue managing access control while Privacera focuses on data masking.

BigQuery Policy Update Optimization

  • Enhanced BigQuery connector to apply only delta changes for policy tags, eliminating redundant permission updates.
  • Added retry handling for RESOURCE_EXHAUSTED errors, resulting in reduced API usage, improved performance, and better resilience against quota limits.

Fix ConcurrentModificationException in BigQuery Connector Tag Reconciliation

  • Resolved a concurrency issue in the BigQuery connector where parallel updates to ServiceTagDef during reconciliation caused ConcurrentModificationException.
  • Reconciliation now uses changelog-driven delta updates to ensure serialized processing and consistent tag state.

Privacera Manager

Fixed Databricks Unity Catalog PolicySync startup with On-Demand Sync V2 in multi-connector deployments

  • Privacera Manager now sets a default of false for CONNECTOR_DATABRICKS_UNITY_CATALOG_ON_DEMAND_V2_ENABLED, so generated PolicySync configuration always includes a valid policysync.ondemand.v2.enabled value and no longer fails at startup when the flag is omitted on some Unity Catalog connector instances.

Spark Plugin

Added FGAC support for Databricks Runtime 17.3 LTS for PrivaceraCloud

  • Introduced FGAC support for Databricks Runtime 17.3 LTS to enable compatibility with the latest versions in PrivaceraCloud.

Added FGAC support for EMR 7.12 and 7.10 for PrivaceraCloud

  • Introduced FGAC support for EMR 7.12 and 7.10 to enable compatibility with the latest versions in PrivaceraCloud.
  • Trino 476 is not supported. For more details, refer to Limitations.

Fixed Access Check Bypass in Joins and CTE (WITH clause) use cases in DBR 14X

  • Resolved an issue where access control checks were bypassed for queries using LEFT ANTI and LEFT SEMI joins, including cases with CTEs (WITH clause).
  • The issue was caused by handling that was disabled during a code refactoring. The fix re-enables proper authorization enforcement, and all related join scenarios have been validated through comprehensive test coverage.
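
A post-upgrade regression check for the join shapes named above, as an added example rather than Privacera's own test suite. The table names are constructed, and `run_sql` (executes a statement as a user with no access to the second table) and `is_denied` (recognises your cluster's authorization error) are hypothetical callables you supply.

```python
# Constructed table names: the test user may read ALLOWED but has no
# access to DENIED. Substitute a pair from your own catalog.
ALLOWED, DENIED = "sales.orders", "hr.salaries"


def select(kind, right):
    """Build a LEFT SEMI / LEFT ANTI join whose right side is `right`."""
    return f"SELECT o.id FROM {ALLOWED} o LEFT {kind} JOIN {right} ON o.id = r.id"


# Each join type is tested directly and with the protected table behind a CTE.
JOIN_CASES = {}
for kind in ("SEMI", "ANTI"):
    JOIN_CASES[f"left_{kind.lower()}"] = select(kind, f"{DENIED} r")
    JOIN_CASES[f"cte_left_{kind.lower()}"] = (
        f"WITH r AS (SELECT id FROM {DENIED}) " + select(kind, "r")
    )


def unenforced_cases(run_sql, is_denied):
    """Run every case as the restricted user; return the cases NOT denied."""
    leaks = []
    for name, sql in JOIN_CASES.items():
        try:
            run_sql(sql)
        except Exception as exc:
            if is_denied(exc):
                continue  # authorization was enforced for this shape
            raise  # syntax or cluster errors must not pass as "denied"
        leaks.append(name)
    return leaks
```

An empty list means all four shapes were rejected; any name returned identifies a join shape that still executes without authorization.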