Release 9.2.27.1

These are the Rolling Release Notes for Release 9.2.27.1. These release notes are applicable to both Privacera's Self-Managed version and PrivaceraCloud.

Plugins

Introduced Flag to Control the Deny-by-Default Feature in EMR with FGAC Plugin

Introduced a flag to control the Deny-by-Default feature in EMR with FGAC Plugin. For more details, refer to Deny unsupported SQL primitives by default on EMR.

[PrivaceraCloud] Added Trino Support for EMR 7.12

Added Trino support for EMR 7.12.

[PrivaceraCloud] Added Support for Starburst Enterprise Version 479-e LTS

  • This release adds support for Starburst Enterprise version 479-e LTS.
  • The Trino plugin now runs on JDK 24.
  • For the supported version matrix, refer to Supported Runtime Versions.

[PrivaceraCloud] Added Support for Open Source Trino Version 480

  • This release adds support for Open Source Trino (OST) runtime version 480.
  • The Trino plugin now runs on JDK 24.
  • For the supported version matrix, refer to Supported Runtime Versions.

Trino Plugin

[PrivaceraCloud] Added Support for Trino JDK Compatibility with Versions Lower Than 17

Fixed a compatibility issue introduced by the JDK 21 upgrade in the Privacera Trino Plugin, ensuring Trino deployments work correctly across all Trino versions running on JDK 17.

PolicySync Connector

Updated DB Client for Ops Server Initialization

Replaced mysql with mariadb during Ops Server database initialization to ensure successful privacera_ops_db creation and prevent CrashLoopBackOff during fresh installations.

Fixed REVOKE Policy Metadata Version Mismatch on Role Updates

  • Fixed an issue where updating roles in a policy (for example, removing and adding IAM roles in the same change) produced duplicate PolicySync responses because REVOKE actions used the previous policy version while GRANT actions used the latest version.
  • REVOKE actions now resolve the current policy version, name, and labels from updated permissions, including when the removed principal is no longer present in the current ACL map.

Enhanced MSSQL PolicySync Audit Tracing and Error Visibility

Enhanced MSSQL PolicySync auditing to display actual SQL error messages for failed operations and provide complete end-to-end tracing information in ACCESS audit events. Audit records now include operation status, error message, policy metadata, command details (cmd/cmdType), and execution time, improving troubleshooting and aligning MSSQL auditing with the latest PolicySync audit model.

Updated PolicySync Dependencies

Upgraded PolicySync dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Updated Connectors:

  • Databricks SQL
  • Redshift

PolicySync Base Image Upgraded

Updated the PolicySync base image to a newer Debian version to address known security vulnerabilities identified in the CVE report.

Updated Connectors:

  • Databricks SQL
  • Redshift

Apache Ranger

Fixed Formula Injection Vulnerability In Report Export (CVE-2024-55532)

Fixed a formula injection vulnerability (CVE-2024-55532) in Ranger policy exports (Excel, CSV, JSON) and Access Audit CSV exports. Cell values beginning with special characters (=, +, -, @) are now sanitized to prevent them from being interpreted as executable formulas during export.
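The kind of export-time sanitization described above, as an added Python example (not Ranger or Privacera code). The release note does not say how cells are neutralized; prefixing an apostrophe is an assumption here, and the sample rows are constructed.

```python
import csv
import io

# Leading characters the release note lists as formula triggers.
FORMULA_TRIGGERS = ("=", "+", "-", "@")


def neutralize_cell(value):
    """Return value in a form a spreadsheet will treat as plain text.

    Assumption: neutralize by prefixing an apostrophe; the release note
    does not say which technique Ranger uses.
    """
    if not isinstance(value, str):
        return value  # real numbers (e.g. int -5) are not formulas
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_rows(header, rows):
    """Write rows to CSV text, sanitizing every cell, header included."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


# Constructed sample: policy names and descriptions are user-controlled text.
SAMPLE_HEADER = ["policy_id", "name", "description"]
SAMPLE_ROWS = [
    [101, "finance-read", "Read access for analysts"],
    [102, "=1+1", "name starts with ="],
    [103, "@SUM(A1:A2)", "-2+3"],
    [104, "a=b", "trigger not in first position"],
]

if __name__ == "__main__":
    print(export_rows(SAMPLE_HEADER, SAMPLE_ROWS), end="")
```

String values that are legitimately negative numbers (for example "-5") are also prefixed, which is the usual trade-off of sanitizing by leading character.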

Solr 10 Upgrade (Apache Ranger)

Upgraded SolrJ and its related Solr dependencies to version 10.0.0 across all Ranger components to modernize client management and maintain software compatibility.

Privacera Manager

Enhanced SSL Password Security

Fixed an issue where SSL password validation failed when using supported special characters in Privacera Manager. SSL password validation now correctly enforces the defined set of allowed and disallowed special characters.

  • Allowed characters: #, !, @, ?, *
  • Disallowed characters: ', \, $, &,

FIPS-enabled EKS

On FIPS-enabled EKS deployments, only @ is allowed as a special character.

Audit Server

Solr 10 Upgrade (Audit Server)

Upgraded SolrJ and its related Solr dependencies to version 10.0.0. This update modernizes Solr client management to address known security vulnerabilities and improve overall system compatibility.

HTTP Access Logging

Added HTTP access logging for the Audit Server. Access requests are now written to a dedicated, rolling access.log file in the logs directory. These logs now include trace and span identifiers to simplify request tracing and troubleshooting.

Portal

[PrivaceraCloud] Added Early Warning Alerts for Expiring Access Keys

The system now sends early warnings when access keys are close to expiring, along with a stronger alert once a key has fully expired. This helps teams renew keys on time and prevents unexpected interruptions.

[Self-Managed] Fixed Lake Formation Catalogs Not Showing in Service Explorer

Service Explorer now lists all catalogs in multi-catalog Lake Formation setups, letting users pick a catalog and view its databases.

[Self-Managed] Removed Unused Default User Account

Removed an old default user account that was no longer in use, keeping the system tidy and avoiding confusion from leftover accounts that serve no purpose.

Privacera Discovery

Cross-Project GCP Scoping and BigQuery Audit Ingestion

Cross-project datazones are now correctly applied for GCS and GBQ in both realtime and offline scans. BigQuery audit ingestion now supports GCP's migrated audit-log format, processing events under the new bigquery_dataset, bigquery_table, and bigquery_project resource types parsed from protoPayload.metadata/BigQueryAuditMetadata for real-time scanning and lineage.

Metadata-Service (OMNI)

Row-Level Filtering (RLF) Expression Merge Improvements

Fixed several issues with RLF expression merging logic:

  • IS NULL / IS NOT NULL conditions on the same column are now correctly merged using OR
  • Public group RLF expressions are now properly merged with other available RLF results by the Ranger plugin
  • Fixed incorrect AND/OR merge behavior when AND appears on the right-hand side of an RLF expression

Improvement: Faster and easier onboarding of new connector services

  • Streamlined how the metadata service tracks each connector's resource hierarchy so that adding support for a new connector service is now significantly simpler.
  • New connector services can be enabled with minimal effort, reducing turnaround time for future integrations.

PrivaceraCloud

Runtime Planes

Diagnostics Server Support on Runtime Planes

The Diagnostics Server can now run as a system application on the runtime plane. This enables built-in diagnostics capabilities for both the runtime agent and individual connectors.

Automatic DNS Management for Runtime Plane Ingresses [EKS Only]

The runtime agent now supports automatic DNS management for runtime plane ingresses. When enabled, AWS Route 53 DNS records are automatically created and maintained for ingresses within the runtime plane namespace.

GCP Support for Runtime Planes

You can now deploy runtime planes on your Google Kubernetes Engine (GKE) clusters.

Runtime Plane — Custom Configurations

You can now add custom key-value pairs at the Runtime Configuration level. These Kubernetes-related configurations apply universally across all connectors. To see the full list of supported custom keys, see Kubernetes Configurations - Custom Property Keys.

Usersync Support on Runtime Plane

Usersync is now supported on the runtime plane, allowing you to synchronize user data between external systems and Privacera. Supported identity provider connectors include:

  • LDAP/AD
  • Entra ID