What's new in Cloudera Runtime 7.1.9 SP1 CHF 10

Learn about the new functionality and feature improvements in the components of Cloudera Runtime 7.1.9 SP1 CHF 10.

Python 3.9 support for Impala on RHEL 8
Cloudera now provides support for Python 3.9 on RHEL 8 within CDP 7.3.1. This new capability ensures that Impala components dependent on Python libraries function completely and reliably.
Ranger mixed case group comparison
When Ranger Usersync is configured with case conversion and special character replacement using Regular Expression (regex), Ranger Usersync transforms the original user or group names from the source, for example, AD or LDAP, before storing them in the Ranger Admin database. Previously, if a Ranger plugin used the original name during authorization checks, the check failed because the Ranger Admin only recognized the transformed name.

This issue is now fixed. The fix is configurable at the plugin level using the ranger.plugin.<serviceType>.supports.name.transformation property, allowing users to enable or disable transformation based on their environment needs. For more information, see Handling inconsistent username and group name conventions for consistent authorization.

Upgraded PostgreSQL to 14.16
The embedded Postgres version within Key Trustee Server is upgraded from 14.2 to 14.16.

What's new in Kafka

The LdapLoginModule is blocked by default
The LdapLoginModule (com.sun.security.auth.module.LdapLoginModule) class is blocked by default and cannot be used in SASL JAAS configurations. Use the PlainLoginModule (org.apache.kafka.common.security.plain.PlainLoginModule) class for LDAP authentication.
Configurable allow list of URLs for OAuth and LDAP authentication
Two new Java options are introduced for Kafka brokers and Kafka Connect that enable you to specify an allow list of URLs for OAuth and LDAP authentication mechanisms. This gives you stricter control over which URLs can be accessed by Kafka for authentication. The following Java options are introduced:
  • OAuth: org.apache.kafka.sasl.oauthbearer.allowed.urls
  • LDAP: com.cloudera.kafka.ldap.allowed.urls

By default, these options are empty, which means that a connection to any URL is allowed. The configuration properties you use in Cloudera Manager to set the options are different for Kafka brokers and Kafka Connect. Use the following configuration properties for Kafka brokers and Kafka Connect:
  • For Kafka brokers, configure the options by adding them to the Additional Broker Java Options Kafka broker property in Cloudera Manager. For example:
    -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls=http://www.oauth-example-1.com,http://www.oauth-example-2.com
    -Dcom.cloudera.kafka.ldap.allowed.urls=http://www.ldap-example-1.com,http://www.ldap-example-2.com
  • For Kafka Connect, configure the options by adding them to the EXTRA_ARGS environment variable. The EXTRA_ARGS environment variable is configured by adding it to the Kafka Connect Environment Advanced Configuration Snippet (Safety Valve) property in Cloudera Manager. For example:
    EXTRA_ARGS=-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls="http://www.oauth-example-1.com,http://www.oauth-example-2.com"
    EXTRA_ARGS=-Dcom.cloudera.kafka.ldap.allowed.urls="http://www.ldap-example-1.com,http://www.ldap-example-2.com"
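An added example, not Cloudera's code: a Python check that reads a Java options string in either form shown above and reports allow lists that are left empty or that do not contain the endpoint in use. The exact-match comparison, the `-Xmx4g` token and the `oauth-example-3` endpoint are assumptions made for the sample.

```python
import shlex

# Java option names as given on this page.
ALLOW_LIST_OPTIONS = {
    "OAuth": "org.apache.kafka.sasl.oauthbearer.allowed.urls",
    "LDAP": "com.cloudera.kafka.ldap.allowed.urls",
}

def parse_allow_lists(java_opts):
    """Return {mechanism: [urls]} from a Java options string.

    Accepts the broker form (-Dname=a,b) and the Kafka Connect form
    (EXTRA_ARGS=-Dname="a,b"); a missing option yields an empty list.
    """
    props = {}
    for token in shlex.split(java_opts):
        if token.startswith("EXTRA_ARGS="):
            token = token[len("EXTRA_ARGS="):]
        if token.startswith("-D") and "=" in token:
            name, value = token[2:].split("=", 1)
            props[name] = [u.strip() for u in value.split(",") if u.strip()]
    return {mech: props.get(opt, []) for mech, opt in ALLOW_LIST_OPTIONS.items()}

def audit(java_opts, endpoints):
    """Compare the endpoints in use ({mechanism: url}) with the allow lists."""
    findings = []
    for mech, allowed in parse_allow_lists(java_opts).items():
        url = endpoints.get(mech)
        if not allowed:
            # Per this page, an empty option means any URL is allowed.
            findings.append(f"{mech}: {ALLOW_LIST_OPTIONS[mech]} is empty, any URL is allowed")
        elif url is not None and url not in allowed:  # assumption: exact match
            findings.append(f"{mech}: {url} is not in the allow list")
    return findings

# Constructed sample input, reusing the example hosts from this page.
BROKER_OPTS = (
    "-Xmx4g "
    "-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls="
    "http://www.oauth-example-1.com,http://www.oauth-example-2.com"
)
ENDPOINTS = {"OAuth": "http://www.oauth-example-3.com",  # constructed endpoint
             "LDAP": "http://www.ldap-example-1.com"}

if __name__ == "__main__":
    for line in audit(BROKER_OPTS, ENDPOINTS):
        print(line)
```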

What's new in Ozone

Ozone configuration recommendations for improved stability
Cloudera recommends that you update the following configurations to improve stability:
  • ozone.scm.block.deletion.max.retry = 5 (default value is 1024)
  • hdds.datanode.volume.min.free.space = 20GB (No default value)
Also, if hdds.datanode.volume.min.free.space.percent is configured, make sure that you remove it from the configurations.