Release 9.2.29.1

These are the Rolling Release Notes for Release 9.2.29.1. These release notes are applicable to both Privacera's Self-Managed version and PrivaceraCloud.

PolicySync Connector

Fixed Connector Startup Failure with Azure Key Vault

Fixed an issue that could cause connector applications to crash during startup when Runtime was configured on Azure with Azure Key Vault as the secret provider.

Updated Connectors:

  • Databricks Unity Catalog
  • MSSQL
  • Snowflake

PEM Key Normalization for Snowflake Private Key Authentication in Runtime

Added support for normalizing PEM private keys that arrive from the portal in non-standard formats (flat single-line or with literal \n sequences). This ensures successful key parsing and authentication when the runtime config client is enabled.
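The normalization described above, sketched as an added example (not Privacera's code): it accepts a flat single-line key or one with literal \n sequences and re-emits header, 64-character base64 lines and footer. The function name and sample bytes are assumptions; the sample is constructed and is not a real key.

```python
import base64
import re

# Matches one PEM block even when the whole key sits on a single line.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)


def normalize_pem(raw: str) -> str:
    """Return a canonical PEM block: header, 64-char base64 lines, footer."""
    # Literal backslash sequences ("\\n", "\\r") become real whitespace.
    text = raw.replace("\\r", "").replace("\\n", "\n").strip()
    match = _PEM_RE.search(text)
    if match is None:
        raise ValueError("no PEM BEGIN/END block found")
    label, body = match.group(1), match.group(2)
    # Legacy encrypted keys carry "Proc-Type:" / "DEK-Info:" headers, which a
    # flattened line cannot delimit reliably; reject instead of guessing.
    if ":" in body:
        raise ValueError("PEM encapsulated headers are not handled here")
    b64 = re.sub(r"\s+", "", body)
    try:
        der = base64.b64decode(b64, validate=True)  # rejects stray characters
    except ValueError as exc:
        raise ValueError("PEM body is not valid base64") from exc
    if not der:
        raise ValueError("PEM body is empty")
    clean = base64.b64encode(der).decode("ascii")
    lines = [clean[i:i + 64] for i in range(0, len(clean), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


# Constructed sample: 100 arbitrary bytes standing in for DER, not a real key.
SAMPLE_DER = bytes(range(100))
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
CANONICAL = normalize_pem(f"-----BEGIN PRIVATE KEY-----\n{_B64}\n-----END PRIVATE KEY-----")
FLAT = f"-----BEGIN PRIVATE KEY-----{_B64}-----END PRIVATE KEY-----"  # no line breaks
ESCAPED = CANONICAL.replace("\n", "\\n")  # literal backslash-n sequences

if __name__ == "__main__":
    print(normalize_pem(ESCAPED), end="")
```

Validating the base64 before handing the key to a parser turns a malformed secret into a clear configuration error instead of an opaque authentication failure.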

Configurable Truncation of Access Audit Request Data

Access audit events can now have their request data truncated before being sent to the Audit Server, preventing large query text from creating oversized audit payloads that the Audit Server rejects. The maximum length is controlled by the audit.req.data.max.chars property, which defaults to 4096 characters (4 KB). Set the property to 0 or a negative value to disable truncation.

Configurable Spool Batch Size for Audit Server Writing

The number of audit records read from the spool and sent to the Audit Server per batch is now configurable through xasecure.audit.destination.auditserver.batch.batch.size (default 100), helping keep each batch within the Audit Server's maximum payload size.

Configurable HTTP Timeouts for the Databricks Connector

HTTP timeouts for Databricks REST API calls are now configurable through databricks.api.connection.timeout.ms (default 60000 ms) and databricks.api.socket.timeout.ms (default 300000 ms). This prevents the audit loader from waiting indefinitely when the Databricks API is slow or unresponsive.

Fixed Infinite Loop in Databricks Audit Pagination

Fixed an issue where the Databricks audit loader could enter an infinite loop during audit pagination when the response indicated more pages were available but the next page token was empty. Pagination now stops in this case, preventing the loader from getting stuck and re-fetching the audit history from the beginning.
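The failure mode described above, as an added example (not the connector's code): a pagination loop that stops when the response claims more pages but supplies an empty token, and also when a token repeats. The field names `events`, `has_more` and `next_page_token` and the stub API are hypothetical, not the Databricks response schema.

```python
from typing import Callable, List, Optional


def fetch_all_audits(fetch_page: Callable[[Optional[str]], dict],
                     max_pages: int = 10_000) -> List[dict]:
    """Drain a token-paginated audit API without looping on a bad token."""
    records: List[dict] = []
    seen_tokens = set()
    token: Optional[str] = None  # None requests the first page
    for _ in range(max_pages):  # hard upper bound as a last line of defence
        page = fetch_page(token)
        records.extend(page.get("events", []))
        if not page.get("has_more"):
            break
        next_token = page.get("next_page_token")
        # "More pages" with an empty token: sending it on would request the
        # first page again and replay the history forever, so stop here.
        if not next_token:
            break
        # A token that was already used would cycle through the same pages.
        if next_token in seen_tokens:
            break
        seen_tokens.add(next_token)
        token = next_token
    return records


def make_fake_api():
    """Constructed stub: page two claims has_more but returns an empty token."""
    pages = {
        None: {"events": [{"id": 1}, {"id": 2}], "has_more": True,
               "next_page_token": "t1"},
        "t1": {"events": [{"id": 3}], "has_more": True, "next_page_token": ""},
    }
    calls: List[Optional[str]] = []

    def fetch_page(token: Optional[str]) -> dict:
        calls.append(token)
        return pages[token or None]  # an empty token behaves like "first page"

    return fetch_page, calls


if __name__ == "__main__":
    api, calls = make_fake_api()
    print(fetch_all_audits(api), calls)
```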

Added Support for Default NULL Masking

Introduced a configuration flag to enable mask-by-default behavior in masking policies. When true, users not matching any condition in the Databricks Unity Catalog Masking Policy see NULL; when false, they see the original value.

Collibra Tag Sync Connector with Multi-Engine Support

The Collibra connector now runs as a tag-only sync connector that reads tags from Collibra and applies them to Ranger (and MDS, when enabled). A single connector instance can push tags to multiple Ranger services — for example Hive, Trino, and Snowflake — based on two mapping properties.

Omni Support for Additional Connectors

Added Omni support for the following connectors, enabling integration with the Omni Metadata Service for centralized metadata and governance.

Connectors:

  • Databricks SQL Analytics
  • AWS Lake Formation
  • Amazon Redshift

[MSSQL] Added Support for Purview Qualified Name URL with Instance Name

Added support in the MSSQL connector for Purview qualified name URL formats that include an instance name, ensuring SQL Server tags are retrieved correctly.

Privacera Discovery

Age Detection

Discovery now supports detection of age values using the AGE pattern and the AGE tag.

The pattern matches numeric age values in common textual formats, and can be used with the AGE_KEYWORD dictionary for stricter column-name-aware detection rules. Tags, patterns, and dictionaries are disabled by default — enable them under Discovery → Tags / Patterns / Dictionaries.

See Using Dictionaries for configuration details.

Gender Detection

Discovery now supports detection of gender values using the GENDER pattern and the GENDER tag.

The pattern matches common gender values and abbreviations, and can be used with the GENDER_KEYWORD dictionary for stricter column-name-aware detection rules. Tags, patterns, and dictionaries are disabled by default — enable them under Discovery → Tags / Patterns / Dictionaries.

See Using Dictionaries for configuration details.

Property Name Detection

Discovery now supports detection of property and real-estate names using the PROPERTY_NAME_ML_MODEL model and the PROPERTY_NAME tag.

The model validates lot/unit notation and title-case property-name formats while filtering person-name false positives, and can be used with the PROPERTY_NAME_KEYWORD dictionary for stricter column-name-aware detection rules. Tags, models, and dictionaries are disabled by default — enable them under Discovery → Tags / Models / Dictionaries.

See Heuristic Models and Using Dictionaries for configuration details.

Updated Discovery Dependencies

Upgraded Discovery dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Portal

Fixed Minor UI Layout Issues

Fixed minor UI layout issues across Service Explorer, pop-up menus, the Ranger Tagged Resources table, scheme policy icon, and modal alignment.

Privacera Manager

Privacera Manager Base Image Upgraded

Updated the base image to a newer Debian version to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Apache Ranger

Audit Spool File Size Control

Added a configurable audit spool file size limit AUDITSERVER_RANGER_FILESPOOL_MAX_SIZE_BYTES with automatic rollover support. This prevents oversized spool files, improves audit delivery reliability, and reduces the risk of replay failures caused by request size limits.

Audit Server

Amazon SNS Destination for PolicySync Audits

Audit Server can now send PolicySync audits to Amazon SNS, letting you fan out the audit stream to multiple subscribers such as Amazon SQS queues and filter by event type.

Improved Audit Delivery Reliability

Added support for Ranger audit spool file size controls to reduce oversized audit payloads and prevent audit delivery backlogs caused by request size limit violations.

Configurable Maximum Payload Size

The maximum allowable payload size of data sent to the Audit Server is now configurable using the AUDITSERVER_MAX_CONTENT_LENGTH_MB property. The default value is 100 MB.

For configuration steps, see Configure Maximum Payload Size for Audit Server.

Apache Solr

Updated Apache Solr Dependencies

Upgraded Apache Solr dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Apache Zookeeper

Updated Apache Zookeeper Dependencies

Upgraded Apache Zookeeper dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Privacera Monitoring

Updated Grafana Image

Upgraded Grafana dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Updated Prometheus Image

Upgraded Prometheus dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Updated Opentelemetry-collector Image

Upgraded Opentelemetry-collector dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Updated Post Install Job Image

Upgraded Post Install Job dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Privacera Kafka

Updated Privacera Kafka Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

Privacera PKafka

Updated Privacera PKafka Application Dependencies

Upgraded application dependencies to address known security vulnerabilities identified in the CVE (Common Vulnerabilities and Exposures) report.

PEG

PCloud Parity for JDK24 Changes

Upgraded Privacera Schema and SaaS Keeper to the latest Scheme Server.

PrivaceraCloud

Runtime Planes

Runtime Plane — Additional Connectors

The following connectors now support deployment and management through the Runtime Plane in the Privacera portal (Settings → Runtime Plane):

  • GCP BigQuery
  • Databricks SQL Analytics
  • AWS Lake Formation (Supported in EKS Only)
  • Amazon Redshift

Supported connectors (cumulative):

  • Microsoft SQL Server (MSSQL)
  • Databricks Unity Catalog (DBX UC)
  • Snowflake
  • GCP BigQuery
  • Databricks SQL Analytics
  • AWS Lake Formation (Supported in EKS Only)
  • Amazon Redshift

Runtime Plane Setup Improvements

Setup options on the Runtime Plane details page now dynamically adjust based on the plane's deployment status:

  • Not yet deployed: Users can retrieve fresh installation instructions to provision the Runtime Agent.
  • Already running: The Regenerate action now exclusively refreshes the Runtime Agent API key; full installation instructions are no longer reissued.
  • Connectors: New connectors cannot be added until the Runtime Plane is fully operational.

Inactive Agent Warning Banner

A warning banner appears when a Runtime Plane agent becomes inactive, alerting users that connectors may not behave as expected until the agent is restarted.

Scoped API Keys and Gateway Authorization

API keys can now be created with explicit scopes so each key grants only the permissions it needs.

  • Scoped key creation — When you generate an API key, you assign one or more scopes that define what the key can access.
  • Gateway enforcement — The API server gateway applies role-based authorization on every protected API route and rejects requests when the key lacks the required scope.
  • Reduced attack surface — If a key is compromised or misused, it cannot access APIs outside its granted permissions, significantly limiting potential security impacts.

Managed Identity Client ID Validation for Azure Key Vault

Fixed a missing validation to ensure that the Managed Identity Client ID is required when Azure Key Vault is selected as the secret provider on Azure Runtime Planes.

Gateway Security Hardening for Runtime

Enhanced infrastructure security by restricting external access exclusively to intended runtime endpoints. Internal management endpoints are no longer reachable via the external gateway. Existing runtime agent operations remain unaffected.

Resource Name Length Validation

The portal now validates the character length of Runtime Plane and connector names during creation or updates. If a name exceeds the supported limit, an immediate error message is displayed. This prevents unexpected failures later during deployment.

Additional UserSync Connector Support

Added support for the following UserSync connectors:

  • Okta
  • SCIM 2.0
  • SCIM Server

Fixed Config Client Issues with Misconfiguration of Secret Manager

Fixed an issue where Secret Manager configuration errors were silently ignored, causing connectors to start with missing or empty settings and fail later with ambiguous errors. Connectors now fail immediately with a clear error message if their configuration cannot be fully loaded, making issues easier to diagnose.

SSO Permissions for Runtime Plane Access

Fixed an issue where SSO-authenticated Sys-Admin users were blocked from accessing and managing Runtime Planes in the Admin Portal.

Spurious Config Version Bumps and Pod Restarts

Fixed an issue where configuration version bumps and unnecessary pod restarts were triggered on every Runtime Manager restart, even when the deployment configuration remained unchanged.