Release 9.2.21.1

These are the Rolling Release Notes for Release 9.2.21.1. These release notes are applicable to both Privacera's Self-Managed version and PrivaceraCloud.

Apache Ranger

Added Support for Privacera TagSync in D2P Environment

  • Introduced support for Privacera TagSync in the D2P environment.
  • Enables successful synchronization of tags from Privacera to Ranger in D2P setups.
  • TagSync can now authenticate with Ranger via Privacera Manager configuration.

Fixed Missing Capture of Previous User Attribute Values in Ranger Admin Audit Logs

Fixed an issue where Ranger admin audits did not capture the previous values of user additional attributes during updates.

Grafana

Updated Grafana Image

Upgraded Grafana dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Portal

Security Updates

Resolved newly identified CVEs and addressed additional vulnerabilities in third-party dependencies.

Privacera Discovery

Fixed Cross-Project Resource Exclusion Issue

Resolved a cross-project scoping issue so that resource exclusion rules remain isolated within their respective projects.

Updated Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Spark Plugin

Added Support for Apache Spark Connect for Spark 4.0.2 and 4.1.1

  • Introduced support for Apache Spark Connect for Spark 4.0.2 and 4.1.1, enabling secure client-server connectivity to a remote Spark cluster.
  • For prerequisites and configuration details, refer to Apache Spark OLAC – Spark Connect.

Added OLAC Support for EMR 7.10 and 7.12

  • Introduced OLAC support for EMR 7.10 and 7.12 for both Self-Managed and PrivaceraCloud, enabling compatibility with newer EMR environments.
  • Trino is not supported on EMR 7.12. For more information, refer to AWS EMR access – Limitations.

Handled the Case Where the Date Header in Spark Plugin Was Not Updated Even After a Skew Was Detected

  • Fixed an issue that caused requests to fail with a 403 RequestTimeTooSkewed error, by handling the case where the Date header was not updated even after a skew was detected.

Fix for Multipart Upload Path Handling in Session Policy

  • Fixed an issue in multipart upload handling where x-amz-copy-source paths without a leading slash were not processed correctly.
  • Updated the logic to support both path formats and ensure required permissions are properly added to the session policy, preventing access failures.
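
The path handling described above, as an added example (not Privacera's code): `x-amz-copy-source` may arrive as `bucket/key` or `/bucket/key`, URL-encoded and optionally with a `?versionId=` suffix, and both forms must yield the same source object ARN in the session policy. The function names and sample values are constructed for illustration, and only the `bucket/key` form is handled, not access point ARNs.

```python
from urllib.parse import unquote


def parse_copy_source(header_value):
    """Split an x-amz-copy-source value into (bucket, key, version_id).

    Accepts both 'bucket/key' and '/bucket/key'; the key may be URL-encoded.
    """
    path, sep, query = header_value.partition("?versionId=")
    version_id = query if sep else None
    # Strip at most one leading slash so both header forms parse identically.
    if path.startswith("/"):
        path = path[1:]
    bucket, slash, key = path.partition("/")
    key = unquote(key)
    if not bucket or not slash or not key:
        raise ValueError(f"malformed x-amz-copy-source: {header_value!r}")
    return bucket, key, version_id


def escape_iam_literal(key):
    """Escape characters IAM treats as wildcards or variable markers.

    Without this, an object key containing '*' or '?' would widen the grant.
    """
    return "".join("${%s}" % c if c in "*?$" else c for c in key)


def copy_source_statement(header_value):
    """Build a session-policy statement granting read on the copy source only."""
    bucket, key, version_id = parse_copy_source(header_value)
    # Reading a specific version requires s3:GetObjectVersion instead of s3:GetObject.
    action = "s3:GetObjectVersion" if version_id else "s3:GetObject"
    return {
        "Effect": "Allow",
        "Action": [action],
        "Resource": [f"arn:aws:s3:::{bucket}/{escape_iam_literal(key)}"],
    }
```
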

Fix NoSuchMethodException When Invoking resignForRetry Method in Spark Plugin

Fixed a NoSuchMethodException that occurred when invoking the resignForRetry method in the Spark Plugin.

EMR Plugin

[PrivaceraCloud only] Added support for EMR Trino JDK compatibility (JDK < 21)

EMR Trino clusters were failing on EMR versions below 7.2.0 because of the JDK upgrade to version 21 in the Privacera Trino Plugin. A fix has been added so that Trino works with EMR versions below 7.2.0.

Privacera Kafka

Updated Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Privacera PKafka

Updated Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

PrivaceraCloud

Runtime Environments

Managing connectors is now easier. You can deploy and manage connectors entirely through the PrivaceraCloud Portal UI—no manual configuration required.

How it works: The Kubernetes namespace in your cluster where Privacera services run is called the Runtime Plane. Deployment and lifecycle management are handled directly from the portal, streamlining your operational workflow.

Current support:

  • Deployment mode: PrivaceraCloud Data-Plane
  • Supported connectors: Microsoft SQL Server (MSSQL), Databricks Unity Catalog (DBX UC), and Snowflake

Support for additional connectors and deployment modes is planned for upcoming releases.

Note

This feature works only for fresh deployments. Migration of existing deployments is not currently supported.

Getting started: Contact Privacera Support to enable this feature for your account. Then navigate to Settings → Runtime Environments to begin.

Security Zone Isolation - Restrict Cross-Zone Visibility in Data Catalog and Policy Management

Introduced zone-aware visibility in Privacera so users only see catalog resources and policies from their assigned Security Zone(s).

Zone Admins now have read-only, zone-scoped Data Catalog access without requiring global admin or Ranger admin elevation.

The UI now hides other zones and unrelated resources to prevent cross-zone metadata exposure and reduce clutter.

Introduced New API for Resource Type to Get Resource Mapping

The Omni Metadata Service API retrieves tag-to-resource mappings at a specific resource type level (for example, TABLE). Results are limited to the requested resource type.

The API supports both full (snapshot) and incremental (delta) retrieval, along with cursor-based pagination to handle large datasets efficiently.

If there are no updates since the last request, the API returns 304 Not Modified, which avoids sending a response payload, reduces data transfer, and improves performance.

This enhancement simplifies client integration and improves efficiency for use cases requiring tag data scoped to a specific resource type.

Privacera UserSync

SCIM Server Cache Rebuild

Corrected the cache rebuild in the SCIM Server when server context is enabled.

Base Image Upgraded

Updated the base image to a newer Debian version to address known security vulnerabilities identified in the CVE report.

Update Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Audit Fluentd

Audit Fluentd Base Image Upgraded

Updated the Audit Fluentd base image to a newer Debian version to address known security vulnerabilities identified in the CVE report.

PolicySync Connector

Azure AD OAuth Support for Databricks Unity Catalog Connector Using AzureTenantId

  • Introduced an Azure OAuth mechanism for Azure Databricks that authenticates with Azure AD service principal credentials, with configuration support including AzureTenantId.
  • Existing Databricks OAuth (OIDC) and personal access token (PAT) authentication flows remain supported and unchanged.
  • Upgraded the Databricks JDBC driver to version 3.3.1.
  • For more information, refer to Azure AD (Entra ID) OAuth authentication for Databricks Unity Catalog.

Base Image Upgraded

Updated the base image to a newer Debian version to address known security vulnerabilities identified in the CVE report for Snowflake and Databricks Unity Catalog.

MSSQL – Disable Access Management

  • Added a configuration flag to disable access management. When enabled, access policy ACLs are not loaded (only masking ACLs are applied), and access policies created in Privacera will not grant permissions.
  • This allows external systems to handle access control, while Privacera is used solely for data masking.
  • For configuration details, see Load only masking ACLs.

Databricks Unity Catalog – Disable Access Management

  • Added a configuration flag to disable access management. When enabled, access policy ACLs are not loaded (only masking ACLs are applied), and access policies created in Privacera will not grant permissions.
  • This allows external systems to handle access control, while Privacera is used solely for data masking.
  • For configuration details, see Load only masking ACLs.

Privacera Diagnostics

Diagnostics Server and Client Enhancements

The Diagnostics base image for both the Diagnostics Server and Client has been migrated to a new Chainguard image.