
Privacera Documentation

Known Issues in Privacera Platform Release 8.1, Date: 2023-08-11

The following are known issues in the Platform 8.1 release:

PolicySync pod crashes with RocksDB corruption

Symptoms:

The PolicySync application state shows "initializing" and never leaves that state. The backend log contains org.rocksdb.RocksDBException errors, and the PolicySync pods in the tenant namespace are in CrashLoopBackOff status.

Workaround:

  1. Determine the exact pod that is running PolicySync. On Kubernetes (EKS/AKS), the pod name starts with connector. On Docker, the container name starts with privacera-policysync.

  2. Log in to that pod.

  3. Run the following commands. They delete only the contents of the PolicySync RocksDB directory; do not delete anything above it:

    cd /workdir/policysync/rocksdb/
    rm -rf ./*

  4. Log out of the pod.

  5. Delete the pod. This causes a new instance of the pod to be started, which rebuilds the RocksDB state.
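The procedure above, scripted for the Kubernetes case as an added example (this is not Privacera tooling). It assumes kubectl access to the tenant namespace, whose name you pass in; the connector pod-name prefix, the RocksDB path and the CrashLoopBackOff symptom come from the workaround text. The script refuses to wipe anything unless the pod is actually crash-looping, and the `rm -rf` is guarded so it can never run against an empty or unexpected path.

```shell
#!/bin/sh
# Added example, not Privacera's own tooling: automate the RocksDB reset
# workaround for a crash-looping PolicySync pod on Kubernetes.
# Assumes: kubectl is configured for the cluster; the tenant namespace is
# given as $1; the pod name starts with "connector" (from the workaround).

ROCKSDB_DIR="/workdir/policysync/rocksdb"

# Print the first pod whose name starts with the prefix; non-zero if none.
find_policysync_pod() {
  ns="$1"; prefix="${2:-connector}"
  kubectl -n "$ns" get pods -o custom-columns=NAME:.metadata.name --no-headers \
    | grep "^${prefix}" | head -n 1 | grep .
}

# True only if some container in the pod is waiting in CrashLoopBackOff,
# the state the symptom describes. Anything else is left alone.
pod_in_crashloop() {
  ns="$1"; pod="$2"
  kubectl -n "$ns" get pod "$pod" \
    -o jsonpath='{.status.containerStatuses[*].state.waiting.reason}' \
    | grep -q CrashLoopBackOff
}

# Steps 2-4: run the wipe inside the pod. The case guard refuses to run
# rm -rf unless the directory is exactly the PolicySync RocksDB path.
wipe_rocksdb() {
  ns="$1"; pod="$2"
  case "$ROCKSDB_DIR" in
    /workdir/policysync/rocksdb) ;;
    *) echo "refusing to wipe unexpected path: $ROCKSDB_DIR" >&2; return 1 ;;
  esac
  kubectl -n "$ns" exec "$pod" -- sh -c "cd '$ROCKSDB_DIR' && rm -rf ./*"
}

# Whole workaround: locate, verify the failure state, wipe, then delete the
# pod (step 5) so the controller starts a fresh instance.
# Returns 1 if no pod is found, 2 if the pod is not crash-looping.
reset_policysync() {
  ns="$1"
  pod="$(find_policysync_pod "$ns")" || { echo "no PolicySync pod in $ns" >&2; return 1; }
  if ! pod_in_crashloop "$ns" "$pod"; then
    echo "$pod is not in CrashLoopBackOff; not resetting" >&2
    return 2
  fi
  wipe_rocksdb "$ns" "$pod" || return 1
  kubectl -n "$ns" delete pod "$pod"
}

# Usage: sh reset_policysync.sh <tenant-namespace>
if [ "$#" -eq 1 ]; then
  reset_policysync "$1"
fi
```

Run it once per tenant namespace; if it reports that the pod is not in CrashLoopBackOff, the symptom is a different one and clearing RocksDB is not the right fix.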

PolicySync pod not applying policies correctly

Symptoms

Customers who upgrade from version 7.8.0.1 might encounter resource access problems caused by certain policies.

Workaround

Enable or disable the affected policy. If the issue persists, clear the RocksDB and restart the pod (see the workaround for the RocksDB corruption issue above). If you need additional help, contact the Privacera support team.

Root cause: the default value of the ROCKSDB_BEST_EFFORTS_RECOVERY flag was set to true in rel_7.8.0.1 to address RocksDB corruption in PolicySync. This caused a regression in which PolicySync recreated all of its data on every restart, which was not intended. The flag's default is set to false in rel_8.1.0.1.

Discovery cannot connect to PEG v2

Symptom: The Privacera Discovery service cannot connect to the Privacera Encryption Gateway (PEG) v2. The log shows the following exception:

2023-06-08 13:35:53,751 [pool-137-thread-3] ERROR com.privacera.encryption.scheme.source.PegServerSchemeSource:58 - Failed to getSchemeByContext error=Unexpected response for  POST:https://peg:6869/api/peg/scheme/scheme_by_context, Return status: -1, responseBody=null
com.privacera.http.client.PrivaceraHttpException: null
at com.privacera.http.client.RESTHttpClient.executeRequest(RESTHttpClient.java:562)
at com.privacera.http.client.RESTHttpClient.sendPostRequest(RESTHttpClient.java:504)
at com.privacera.http.client.RESTHttpClient.sendPostRequest(RESTHttpClient.java:482)
at com.privacera.encryption.scheme.source.PegServerSchemeSource.getSchemeByContext(PegServerSchemeSource.java:54)
at com.privacera.encryption.EncryptionNativeClient.getSchemeByContext(EncryptionNativeClient.java:537)
at com.privacera.v2.discovery.consumer.simple.EncryptionConsumer.fetchSchemeUsingPeg2(EncryptionConsumer.java:2257)
at com.privacera.v2.discovery.etl.SparkETLManager.encryptUsingSparkV2(SparkETLManager.java:855)
at com.privacera.v2.discovery.etl.SparkETLManager.encryptUsingSpark(SparkETLManager.java:742)
...
at java.lang.Thread.run(Thread.java:750)

Workaround: In Privacera Manager's ~/privacera/privacera-manager/custom-vars/vars.discovery.yml, set the following property to the scheme, hostname or IP address, and port of the PEG v2 server:

DISCOVERY_PEGV2_URL="<hostname_or_IP_address_and_port_of_PEG v2_server>"

for example: https://pegv2:6869

Run the Privacera Manager update after adding this property.
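A connectivity check for this property, added here as an example (it is not part of Privacera's tooling). It validates that the value has the scheme://host:port shape the workaround expects, then POSTs from a Discovery pod to the scheme_by_context endpoint that fails in the trace above and reports the HTTP status. The namespace and pod name are placeholders you supply; curl's -k is used only for reachability triage, not as a way to run with certificate validation off.

```shell
#!/bin/sh
# Added example, not Privacera code: sanity-check DISCOVERY_PEGV2_URL before
# running the Privacera Manager update, then probe PEG v2 from a Discovery pod.

# Accept only scheme://host:port with no path; the property must point at the
# PEG v2 server itself, not at an API path. Non-zero with a reason on stderr.
validate_peg_url() {
  url="$1"
  case "$url" in
    https://*) ;;
    http://*) echo "warning: $url is plaintext; the PEG v2 endpoint in the trace is https" >&2 ;;
    *) echo "not a scheme://host:port URL: $url" >&2; return 1 ;;
  esac
  hostport="${url#*://}"
  hostport="${hostport%/}"
  host="${hostport%%:*}"
  port="${hostport##*:}"
  if [ -z "$host" ] || [ "$host" = "$hostport" ]; then
    echo "missing port in $url" >&2; return 1
  fi
  case "$port" in
    ''|*[!0-9]*) echo "port must be numeric, got '$port' in $url" >&2; return 1 ;;
  esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# Run curl inside the Discovery pod so the probe uses the same DNS and network
# path as the failing EncryptionConsumer. Prints the HTTP status: "000" means
# no connection at all (the "Return status: -1" case in the log); any real
# status, even 4xx, means the URL is reachable and the fault lies elsewhere.
probe_peg_from_discovery() {
  ns="$1"; pod="$2"; url="$3"
  validate_peg_url "$url" || return 1
  kubectl -n "$ns" exec "$pod" -- curl -sk -o /dev/null -w '%{http_code}' \
    -X POST "$url/api/peg/scheme/scheme_by_context"
}

# Usage: sh peg_probe.sh <namespace> <discovery-pod> https://pegv2:6869
if [ "$#" -eq 3 ]; then
  probe_peg_from_discovery "$1" "$2" "$3"
fi
```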

No retry mechanism for PolicySync validity period

Symptom: If processing of the policies for a specific validity date/time fails for any reason, there is no retry mechanism.

Workaround: Disable the affected policies.

Ranger pod keeps restarting with "logs as" for a fresh installation

Cause: The Ranger password-change utility is recorded as being run by another host. If no other host is actually changing the password of all Ranger admin users, the entry is stale: delete the row in the Ranger database table x_db_version_h whose version is DEFAULT_ALL_ADMIN_UPDATE.

Workaround: Log in to the Ranger database, delete the row in x_db_version_h whose version is DEFAULT_ALL_ADMIN_UPDATE, and restart Ranger.

Discovery Compliance policy using literal giving inconsistent behaviour

Symptoms: The PEG v2 revamp and performance fixes added a scheme cache in PEG. On the Discovery side, when schemes are fetched, a policy that was updated to use Literal keeps the literal values cached whether the option is later disabled or left enabled, and Literal is also applied to policies that were never literal. The result is inconsistent behaviour for Compliance policies.

Workaround: Create schemes with format type literal and do not use the Literal checkbox in the Privacera Portal UI.

Add the --enable-ssl-passthrough flag for a new NGINX Ingress controller installation

Symptom

When the ssl-passthrough feature is not enabled on the NGINX Ingress controller, services that connect to Ranger from outside the cluster, or that retrieve data through the external plugin URL, do not work. With passthrough enabled, the controller forwards the TLS connection to Ranger unmodified instead of terminating it at the ingress, so Ranger presents its own certificate and the ingress never sees the plaintext.

Workaround

Before deploying the NGINX Ingress controller with Privacera Manager (PM), make a small change to the controller's values template to enable the ssl-passthrough feature.

After setting up custom-vars, but before running the PM update, perform the following steps:

  1. Run the following command to change directory:

    cd ~/privacera/privacera-manager/ansible/privacera-docker/roles/templates/nginx-ingress-controller/kubernetes
  2. Run the following command to edit values.yml file:

    vi values.yml
    1. Add the following property under the controller key, at the same indentation as service, and save the file. The empty value makes the chart render the bare --enable-ssl-passthrough flag on the controller container:

        extraArgs:
          enable-ssl-passthrough: ""

      values.yml file with existing properties:

      controller:
        service:
          annotations:
      {% if K8S_NGINX_INGRESS_CONTROLLER_DEFAULT_ANNOTATIONS != "" %}
      {% for def_annotations in K8S_NGINX_INGRESS_CONTROLLER_DEFAULT_ANNOTATIONS %}
      {% if def_annotations != "" %}
            {{ def_annotations }}
      {% endif %}
      {% endfor %}
      {% endif %}
      {% if K8S_NGINX_INGRESS_CONTROLLER_ANNOTATION_LOADBALANCER_ANNOTATION != "" %}
            {{K8S_NGINX_INGRESS_CONTROLLER_ANNOTATION_LOADBALANCER_ANNOTATION}}
      {% endif %}
      {% if K8S_NGINX_INGRESS_CONTROLLER_EXTRA_ANNOTATIONS != "" %}
      {% for annotations in K8S_NGINX_INGRESS_CONTROLLER_EXTRA_ANNOTATIONS %}
      {% if annotations != "" %}
            {{ annotations }}
      {% endif %}
      {% endfor %}
      {% endif %}
      {% if NGINX_CONTROLLER_CUSTOM_NODEPORT_ENABLE == "true" %}
          nodePorts:
            http: {{NGINX_CONTROLLER_HTTP_NODEPORT}}
            https: {{NGINX_CONTROLLER_HTTPS_NODEPORT}}
      {% endif %}

      values.yml file with new properties:

      controller:
        service:
          annotations:
      {% if K8S_NGINX_INGRESS_CONTROLLER_DEFAULT_ANNOTATIONS != "" %}
      {% for def_annotations in K8S_NGINX_INGRESS_CONTROLLER_DEFAULT_ANNOTATIONS %}
      {% if def_annotations != "" %}
            {{ def_annotations }}
      {% endif %}
      {% endfor %}
      {% endif %}
      {% if K8S_NGINX_INGRESS_CONTROLLER_ANNOTATION_LOADBALANCER_ANNOTATION != "" %}
            {{K8S_NGINX_INGRESS_CONTROLLER_ANNOTATION_LOADBALANCER_ANNOTATION}}
      {% endif %}
      {% if K8S_NGINX_INGRESS_CONTROLLER_EXTRA_ANNOTATIONS != "" %}
      {% for annotations in K8S_NGINX_INGRESS_CONTROLLER_EXTRA_ANNOTATIONS %}
      {% if annotations != "" %}
            {{ annotations }}
      {% endif %}
      {% endfor %}
      {% endif %}
      {% if NGINX_CONTROLLER_CUSTOM_NODEPORT_ENABLE == "true" %}
          nodePorts:
            http: {{NGINX_CONTROLLER_HTTP_NODEPORT}}
            https: {{NGINX_CONTROLLER_HTTPS_NODEPORT}}
      {% endif %}
        extraArgs:
          enable-ssl-passthrough: ""
  3. Run the following command to change directory to PM:

    cd ~/privacera/privacera-manager
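Three checks for the change above, added here as an example (not part of Privacera Manager): a scan of a values.yml file for an enable-ssl-passthrough key inside an extraArgs mapping, a query of the running controller deployment for the rendered --enable-ssl-passthrough flag, and a TLS probe that shows which certificate a client actually receives for the Ranger hostname. The ingress namespace, deployment name and Ranger hostname are placeholders you supply.

```shell
#!/bin/sh
# Added example, not part of Privacera Manager: verify that ssl-passthrough
# is really configured, both in the values.yml template and on the running
# controller, and that TLS to Ranger is terminated by Ranger rather than by
# the ingress. Namespace, deployment and host names are placeholders.

# Naive YAML scan: succeeds only if an "enable-ssl-passthrough:" key appears
# inside an "extraArgs:" mapping (indented deeper than the extraArgs line).
# A key at the same or shallower indentation ends the mapping.
values_has_ssl_passthrough() {
  awk '
    function indent(s) { match(s, /^ */); return RLENGTH }
    /^[[:space:]]*extraArgs:[[:space:]]*$/ { in_args = 1; depth = indent($0); next }
    in_args && NF && indent($0) <= depth   { in_args = 0 }
    in_args && /^[[:space:]]*enable-ssl-passthrough:/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Live check: the chart renders extraArgs as container flags, so the running
# controller must carry --enable-ssl-passthrough in its args.
controller_has_ssl_passthrough() {
  ns="${1:-ingress-nginx}"; deploy="${2:-ingress-nginx-controller}"
  kubectl -n "$ns" get deploy "$deploy" \
    -o jsonpath='{.spec.template.spec.containers[*].args}' \
    | grep -q -- '--enable-ssl-passthrough'
}

# End-to-end check: print the subject of the certificate a client sees for
# the Ranger hostname through the ingress address. With passthrough it is
# Ranger's own certificate; if the ingress is still terminating TLS you get
# the controller's default "Kubernetes Ingress Controller Fake Certificate"
# (or whatever certificate the ingress itself was given).
ranger_cert_subject() {
  host="$1"; ingress_addr="$2"; port="${3:-443}"
  openssl s_client -connect "$ingress_addr:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject
}

# Usage: sh check_passthrough.sh <path-to-values.yml>
if [ "$#" -ge 1 ]; then
  if values_has_ssl_passthrough "$1"; then
    echo "values.yml: ssl-passthrough enabled"
  else
    echo "values.yml: ssl-passthrough MISSING"
  fi
fi
```

Run the values.yml scan before the PM update and the other two after it; if the live controller lacks the flag, the template was edited after the controller was rendered and the update has to be rerun.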