Skip to content

Upgrade Apache Ranger from 2.6.0 to 2.8.0 #7437

Open

aajisaka wants to merge 2 commits into apache:master from aajisaka:update-ranger

aajisaka (Member) commented May 8, 2026

Why are the changes needed?

Upgrade Apache Ranger from 2.6.0 to 2.8.0 to fix GHSA-c87w-642h-m97h

Ranger 2.8.0 restructured its audit modules: ranger-plugins-audit is now empty and the core audit functionality moved to ranger-audit-core, with destination-specific modules split out separately. Update the dependency declarations and exclusions accordingly.

How was this patch tested?

Printed the dependencies by mvn dependency:tree and confirmed unnecessary transitive dependencies are excluded.

Before

[INFO] +- org.apache.ranger:ranger-plugins-common:jar:2.6.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.20.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.20.1:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.20.1:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.20.1:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.20.1:compile
[INFO] |  |     \- javax.xml.bind:jaxb-api:jar:2.2.12:compile
[INFO] |  +- com.nimbusds:nimbus-jose-jwt:jar:10.0.1:compile
[INFO] |  +- commons-lang:commons-lang:jar:2.6:compile
[INFO] |  +- net.minidev:json-smart:jar:2.4.10:compile
[INFO] |  |  \- net.minidev:accessors-smart:jar:2.4.9:compile
[INFO] |  |     \- org.ow2.asm:asm:jar:9.3:compile
[INFO] |  \- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] +- org.apache.ranger:ranger-plugin-classloader:jar:2.6.0:compile
[INFO] +- org.apache.ranger:ranger-plugins-audit:jar:2.6.0:compile
[INFO] |  +- io.airlift:aircompressor:jar:0.27:compile
[INFO] |  +- org.apache.commons:commons-configuration2:jar:2.8.0:compile
[INFO] |  +- org.apache.orc:orc-shims:jar:1.5.8:compile
[INFO] |  \- org.eclipse.jetty:jetty-client:jar:9.4.57.v20241219:compile
[INFO] |     +- org.eclipse.jetty:jetty-http:jar:9.4.57.v20241219:compile
[INFO] |     |  \- org.eclipse.jetty:jetty-util:jar:9.4.57.v20241219:compile
[INFO] |     \- org.eclipse.jetty:jetty-io:jar:9.4.57.v20241219:compile
[INFO] +- org.apache.ranger:ranger-plugins-cred:jar:2.6.0:compile
[INFO] |  \- org.apache.commons:commons-compress:jar:1.26.2:compile

After

[INFO] +- org.apache.ranger:ranger-plugins-common:jar:2.8.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.20.1:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.20.1:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.20.1:compile
[INFO] |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.20.1:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.20.1:compile
[INFO] |  +- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] |  +- com.nimbusds:nimbus-jose-jwt:jar:10.0.1:compile
[INFO] |  +- net.minidev:json-smart:jar:2.4.10:compile
[INFO] |  |  \- net.minidev:accessors-smart:jar:2.4.9:compile
[INFO] |  |     \- org.ow2.asm:asm:jar:9.3:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.18.0:compile
[INFO] |  +- org.apache.commons:commons-text:jar:1.10.0:compile
[INFO] |  +- org.apache.ranger:ranger-authz-api:jar:2.8.0:compile
[INFO] |  \- org.apache.ranger:ugsync-util:jar:2.8.0:compile
[INFO] |     +- com.google.code.gson:gson:jar:2.9.0:compile
[INFO] |     +- com.sun.xml.bind:jaxb-core:jar:3.0.0:compile
[INFO] |     |  +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.2:compile
[INFO] |     |  |  \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
[INFO] |     |  \- com.sun.activation:jakarta.activation:jar:2.0.0:compile
[INFO] |     +- com.sun.xml.bind:jaxb-impl:jar:3.0.0:compile
[INFO] |     \- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |        \- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] +- org.apache.ranger:ranger-plugin-classloader:jar:2.8.0:compile
[INFO] +- org.apache.ranger:ranger-audit-core:jar:2.8.0:compile
[INFO] |  \- io.airlift:aircompressor:jar:0.27:compile
[INFO] +- org.apache.ranger:ranger-plugins-cred:jar:2.8.0:compile
[INFO] |  \- org.apache.commons:commons-compress:jar:1.26.2:compile

Was this patch authored or co-authored using generative AI tooling?

Co-authored-by: Claude Code (Claude Opus 4.6)

Ranger 2.8.0 restructured its audit modules: ranger-plugins-audit is
now empty and the core audit functionality moved to ranger-audit-core,
with destination-specific modules split out separately. Update the
dependency declarations and exclusions accordingly.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
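
The before/after comparison of `mvn dependency:tree` output described above can be checked mechanically instead of by eye. This is an added example, not code from the pull request or the project: `parse_tree` and `diff_trees` are hypothetical names, and the two sample trees are shortened excerpts constructed from the output quoted in the description.

```python
import re

# Constructed sample input: shortened excerpts of the trees in the PR description.
BEFORE = r"""
[INFO] +- org.apache.ranger:ranger-plugins-common:jar:2.6.0:compile
[INFO] |  \- commons-lang:commons-lang:jar:2.6:compile
[INFO] +- org.apache.ranger:ranger-plugins-audit:jar:2.6.0:compile
[INFO] |  +- io.airlift:aircompressor:jar:0.27:compile
[INFO] |  \- org.eclipse.jetty:jetty-client:jar:9.4.57.v20241219:compile
[INFO] |     \- org.eclipse.jetty:jetty-io:jar:9.4.57.v20241219:compile
"""
AFTER = r"""
[INFO] +- org.apache.ranger:ranger-plugins-common:jar:2.8.0:compile
[INFO] |  +- org.apache.commons:commons-lang3:jar:3.18.0:compile
[INFO] |  \- org.apache.ranger:ugsync-util:jar:2.8.0:compile
[INFO] |     \- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] +- org.apache.ranger:ranger-audit-core:jar:2.8.0:compile
[INFO] |  \- io.airlift:aircompressor:jar:0.27:compile
"""

# "[INFO] " + nesting columns ("|  " or "   " per level) + "+- " or "\- " + coordinates
LINE = re.compile(r"^\[INFO\] ([| ]*)[+\\]- (\S+)")

def parse_tree(text):
    """Map 'group:artifact' -> (version, path from the direct dependency)."""
    deps, stack = {}, []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner, project root line, blank line
        depth = len(m.group(1)) // 3  # each nesting level is three columns wide
        parts = m.group(2).split(":")
        if len(parts) not in (5, 6):  # six fields when a classifier is present
            continue
        key, version = f"{parts[0]}:{parts[1]}", parts[-2]
        del stack[depth:]  # drop siblings and deeper levels left from earlier lines
        stack.append(key)
        deps[key] = (version, " > ".join(stack))
    return deps

def diff_trees(before, after):
    """Return artifacts added, removed, or version-changed between two trees."""
    b, a = parse_tree(before), parse_tree(after)
    return {
        "added": {k: a[k] for k in sorted(a.keys() - b.keys())},
        "removed": {k: b[k] for k in sorted(b.keys() - a.keys())},
        "changed": {k: (b[k][0], a[k][0])
                    for k in sorted(a.keys() & b.keys()) if b[k][0] != a[k][0]},
    }

if __name__ == "__main__":
    for kind, items in diff_trees(BEFORE, AFTER).items():
        for key, info in items.items():
            print(f"{kind:8} {key}  {info}")
```

The path recorded for each added artifact shows which direct dependency would need the `<exclusion>` if that artifact is unwanted.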