Okera Version 2.18 Release Notes

This topic provides Release Notes for all 2.18 versions of Okera.

2.18.1 (5/3/2023)

• Added support for Apache's release of Spark 3.3.1. Support for EMR's release of Spark 3.3.1 (EMR 6.10) to follow later.
• Updated the Okera Spark3 connector to address a new incompatibility resulting from a Databricks library change in Okera-supported Databricks runtime versions 9.1 LTS and later.
• Added support for Okera built-in functions in internal view definitions. Updated SQL statement evaluation for the internal views. Fixed logic for processing subqueries with WHERE clauses.
• We now support more expressions in uri grants and we also now support using user_attribute fns in HAVING clause of uri grants.
• Added support for Databricks-Connect client.
• Improved auto-tagging status display with continuous dataset polling.
• Added a new hive-site flag called okera.hms.allow-non-standard-partitions that avoids erroring out when non-standard partitioning structures are found. Please turn this flag on carefully as this can affect data quality.
• Removed OKERA_QTL_CACHING environment variable.
• Fixed the tagging behavior for URIs such that tag assignments now cascade to sub paths.

Security Vulnerabilities (CVEs/CWEs) Addressed

Okera uses Snyk and GitHub Advanced Security for security vulnerability scanning.

• CVE-2022-41723: Denial of Service (DoS)
• CVE-2023-0464: Improper Certificate Validation
• CVE-2023-0465: Improper Certificate Validation
• CVE-2023-0466: Improper Certificate Validation
• CVE-2023-27533: Arbitrary Code Injection
• CVE-2023-27534: Directory Traversal
• CVE-2023-27535: Improper Authentication
• CVE-2023-27536: Improper Authentication
• CVE-2023-27537: Double Free
• CVE-2023-27538: Improper Authentication
• CVE-2023-28484: CVE-2023-28484
• CVE-2023-29469: CVE-2023-29469
• CVE-2023-30535: Arbitrary Code Execution

2.18.0 (4/13/2023)

Bug Fixes and Improvements

• Fixed parsing issue that caused the IS_FOLLOWER cluster parameter to default to true when set to the value “false”
• In Okera Web UI it's now possible for users who have any access on any role to see the roles page. Previously, this required the MANAGE_PERMISSIONS or MANAGE_GROUPS permissions on a role.
• We added a step to the External JWT validation process to extract the username from the custom claim, user claim, or default claim in the server JSON response or JWT token. If a custom claim is present in the JSON response, the username is extracted and returned. If not, we check the JWT token for the username. If the custom claim is not found in either JSON response or JWT token, we check the sub claim in both the JSON response and the JWT token for the username.
• We now allow using several columns_with_attribute functions in a permission.
• When username/token authentication is used in presto plugin, we now ignore case difference in username from the token and username that was supplied.
• Fixed issue causing presidio container failures in some environments
• OkeraEnsemble (OkeraFS) now works with all file formats supported by Okera (Parquet, Csv, Avro, Orc, Delta) on Databricks. We also are not requiring setting any additional configuration values except for OKERA_ENABLE_OKERA_FS=true anymore.