Known issues in Cloudera Data Warehouse on premises 1.5.4 SP2

Review the issues identified in this service pack release of Cloudera Data Warehouse on premises.

DWX-20085: Non-admin user in Cloudera Data Visualization loses all roles and permissions
When a non-admin user who does not belong to any group in Cloudera Management Console logs in to Cloudera Data Visualization for the first time, the user is assigned to the "viz_guest_group" default group in Cloudera Data Visualization and is assigned the "Database Admin" role.

Subsequent logins remove all the groups associated with the user in Cloudera Data Visualization, and only the groups that come from the SAML assertion are assigned to the user. This can in turn lead to the user losing all privileges on the Cloudera Data Visualization instance.

Add the user to a group using the Cloudera Management Console or through the LDAP server. For more information, see Adding or removing a user from a group.
DWX-20925: Unable to forward Impala audit logs to HDFS
A kinit command in the Impala Coordinator pod, specifically under the audit-logs-fluentd container, fails with the following error: Cryptosystem internal error while getting initial credentials.

As a result, Impala audit logs are not forwarded to HDFS. The issue is caused by a problem with a Chainguard base image.

Perform the following steps to address this issue:
  1. Edit the Impala coordinator statefulset using the following kubectl command or from the ECS/OpenShift web UI:
    kubectl edit statefulset coordinator -n impala-<virtual warehouse namespace>
  2. Add an empty OPENSSL_CONF environment variable to the audit-logs-fluentd container by inserting the following entry in the container's env list:
    - name: OPENSSL_CONF
  3. Save the changes and wait for the Impala coordinator pod to restart.
Case sensitivity issue for Ranger authentication
In Active Directory environments, user and group names are often written in mixed case (for example, 'JohnDoe' or 'AdminGroup') and handled in a case-insensitive manner by Windows. However, Cloudera Base on premises operates in a Linux environment, where names are case-sensitive. To address this, some customers configure Cloudera Base on premises to disable case sensitivity in System Security Service Daemon (sssd) and modify Ranger Usersync settings to convert user and group names to lowercase, ensuring compatibility with Ranger policies.

Configuration properties to set the Ranger Usersync settings

While this configuration works correctly in Cloudera Base on premises, authorization issues may arise in Cloudera Data Warehouse components like Hive and Impala. Cloudera Data Warehouse does not automatically convert group names to lowercase, causing mismatches with Ranger policies that define group names in lowercase. This can result in authorization problems, such as users being unable to access databases, tables, or columns in Hue or remote client shells (impala-shell or JDBC), even though access works correctly in Cloudera Base on premises Hue or remote client shells.

To resolve this issue, enable group name conversion to lowercase in Cloudera Data Warehouse by adding the following Hadoop core-site configuration entries to the hadoop-core-site-default-warehouse configuration file. For Hive Virtual Warehouse, apply the changes to HiveServer2. For Impala Virtual Warehouse, apply the changes to Impala Catalogd, Impala Coordinator, Impala Executor, and Impala StateStored.
Property Name                                         Value
hadoop.security.group.mapping                         org.apache.hadoop.security.RuleBasedLdapGroupsMapping
hadoop.security.group.mapping.ldap.conversion.rule    to_lower
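
The mismatch described above, as an added example that is not Cloudera or Ranger code: a simplified model of exact group-name matching that shows which policies a user silently misses and what lowercasing the resolved groups changes. The policies, group names and function names are constructed for illustration.

```python
# Added illustration: simplified model of group-based policy matching.
# Policies, group names and function names are constructed, not taken from Ranger.

def to_lower_rule(groups):
    """Model of a to_lower conversion rule: lowercase every resolved group name."""
    return [g.lower() for g in groups]

def allowed_resources(user_groups, policies):
    """Return resources granted by exact (case-sensitive) group-name match."""
    granted = set()
    for policy in policies:
        if set(policy["groups"]) & set(user_groups):
            granted.add(policy["resource"])
    return sorted(granted)

def case_only_mismatches(user_groups, policies):
    """List (resolved_group, policy_group, resource) triples differing only by case.

    Each triple is a policy the user was meant to match but does not.
    """
    findings = []
    for policy in policies:
        for pg in policy["groups"]:
            for ug in user_groups:
                if ug != pg and ug.lower() == pg.lower():
                    findings.append((ug, pg, policy["resource"]))
    return findings

# Constructed sample: policies name groups in lowercase, matching the names
# that Ranger Usersync was configured to produce.
POLICIES = [
    {"resource": "database=sales", "groups": ["admingroup"]},
    {"resource": "database=hr", "groups": ["hr_readers"]},
]
# Constructed sample: groups as the directory returns them, in mixed case.
RESOLVED = ["AdminGroup", "Domain Users"]

if __name__ == "__main__":
    print("without conversion:", allowed_resources(RESOLVED, POLICIES))
    print("case-only mismatches:", case_only_mismatches(RESOLVED, POLICIES))
    print("with to_lower:", allowed_resources(to_lower_rule(RESOLVED), POLICIES))
```

Running the same comparison against the groups a real user resolves to and the groups named in your policies identifies which denials are caused by case alone.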