Immuta v2022.5.0 Release Notes
Immuta v2022.5.13
Immuta v2022.5.13 was released February 12, 2024.
Bug Fixes
- Immuta could not update a group through SCIM if that group was initially created through SAML before SCIM was enabled in an IAM's configuration.
- Users who had access to many data sources encountered a 500 error when trying to view data sources on the data source or project pages.
Immuta v2022.5.12
Immuta v2022.5.12 was released October 26, 2023.
Bug Fix
Creating a governance report on all data sources failed for instances with more than 10,000 data sources.
Immuta v2022.5.11
Immuta v2022.5.11 was released September 25, 2023.
Bug Fixes
- Global subscription policies that used the `@hasTagAsGroup` or `@hasTagAsAttribute` variable were not granting and revoking users' access to tables properly.
- When an automatic subscription policy using the `@hasTagAsAttribute` variable was applied to a Snowflake data source, users were not granted access to the table in Snowflake.
- When users were automatically removed from a project through an automatic subscription policy, those users still had access to data sources that used that project's purpose in a purpose-based restriction policy.
- Fixes to address issues with conditional masking policies using a custom WHERE clause.
- Data source health status warning messages were not properly displayed for views.
- Fixes to address slow or unresponsive Immuta instances.
Immuta v2022.5.10
Immuta v2022.5.10 was released August 10, 2023.
Bug Fixes
- Fix to address an issue that prevented Snowflake data sources from being created when table names contained a single quote.
- Fix to address a column detection error on Snowflake data sources: `TypeError: Cannot read properties of null`.
- Bulk adding Redshift data sources and then updating policies applied to those data sources sometimes did not update the views to reflect the policy changes in Redshift.
- Native Snowflake policies and grants were not properly synced when users performed `CREATE OR REPLACE` on a table.
- If OAuth was used as the authentication method, users encountered an error when creating a data source with schema monitoring enabled or enabling schema monitoring for an existing data source.
- Fix to address the impact of a recent Databricks change that caused a `NoSuchFieldException` error when querying data on Databricks clusters with Unity Catalog enabled.
- If whitespace preceded or trailed a project name when creating a Google BigQuery data source, the view was not created in Google BigQuery.
- Immuta data sources were inconsistently linked to the Snowflake external catalog when automatically ingesting Snowflake object tags.
- Fix to address an issue that caused schema detection to fail in Snowflake when using Snowflake External OAuth for authentication.
- Members with timed access to a data source in Immuta could still query data in Snowflake after their access had been revoked in Immuta.
- If a Snowflake integration was configured with a Snowflake catalog, users could not configure another external catalog because the test connection button remained disabled.
- Removing users from a group in Okta did not remove them from that group in Immuta.
- Vulnerabilities addressed: CVE-2023-30861, CVE-2023-32681, CVE-2023-37920, CVE-2023-38704.
Immuta v2022.5.9
Immuta v2022.5.9 was released June 29, 2023.
Bug Fixes
- Data sources created through the Immuta V2 API could not be deleted through the UI.
- Enhanced policy variables in subscription policies did not work with Snowflake table grants enabled.
- Fix to address the configuration of Snowflake keyPair with Snowflake integrations.
- Fix to address re-enabling disabled integrations.
Immuta v2022.5.8
Immuta v2022.5.8 was released May 25, 2023.
Bug Fixes
- The Redshift integration did not properly create views for tables that included column names with special characters. When users queried those views, they received `column doesn't exist` errors.
- When configuring Snowflake object tag ingestion, the connection failed if the host provided was a Snowflake PrivateLink URL.
- Fix to address a race condition that prevented job clusters from starting properly on Databricks runtimes 9.1 and 10.4.
- Vulnerability: CVE-2023-32314.
Immuta v2022.5.7
Immuta v2022.5.7 was released April 27, 2023.
Bug Fixes
- The enhanced subscription policy variable `@hasTagAsAttribute` did not unsubscribe users with that attribute from the data source when a matching column tag was removed.
- Running an external catalog sync did not trigger policy updates when only table tags had changed. If users only added or removed table tags, global policy updates were not applied to data sources.
- Snowflake integration:
- Connection validation failed if users created a custom system account role name when setting up the integration.
- Snowflake table grants did not properly update user subscriptions to data sources if their group in Immuta was renamed and the group name was used in an automatic subscription policy.
- If a group's access was revoked from a data source in Immuta (manually or through a policy), table grants were not issuing revokes in Snowflake for members of the group that lost its subscription status, allowing them to still access that data. However, if low row access policies for Snowflake were disabled, all the rows in the data source were appropriately hidden.
Immuta v2022.5.6
Immuta 2022.5.6 was released March 28, 2023.
Immuta v2022.5.6 Bug Fixes
- When using the Immuta CLI to clone and save policies, the logic operator (`AND` or `OR`) selected between multiple tags was not stored; instead, `OR` was always used once the policy was saved. For example, if a policy like "Mask columns tagged `Discovered . PII` and `Discovered . Country . USA`" was cloned and then saved with the CLI, the `OR` logic operator was used, and the policy was saved as "`Discovered . PII` or `Discovered . Country . USA`".
- When editing a Redshift data source or schema connection, changing the Redshift username could result in the view being unable to be created.
- Users were unable to add S3 data sources through the Immuta API using instance role as the authentication method.
- Fix to repair the impact of a recent Databricks Data Explorer change to issue the `use catalog hive_metastore` command on Databricks runtimes older than Databricks runtime 11.x. The Databricks Spark integration now handles this command issued by Databricks Data Explorer.
- When using SCIM to sync an identity manager with Immuta, removing a user from a group in the identity manager did not remove the user from that group in the remote database in the following integrations:
  - Snowflake
  - Redshift
  - Synapse
  This issue could allow that user to retain access to data if they were removed from a group that was granted access by a policy.
- If an Advanced DSL policy used the `@columnsTagged` function and the policy had multiple conditions, all users were restricted from seeing data.
- Unity Catalog clusters: A breaking change in Databricks caused a `wrong number of arguments` error when users ran Unity Catalog queries.
- Users were unable to run queries through the query engine.
- When Databricks query plans for tables registered in Immuta were too large, Immuta could not process the audit record.
Immuta v2022.5.5
Immuta 2022.5.5 was released March 15, 2023.
Immuta v2022.5.5 Bug Fixes
- The Databricks Spark integration sometimes provided an incomplete list of databases in the Data Explorer UI or in Databricks clusters after running `SHOW DATABASES`.
- Under rare circumstances, a global data policy using a tag failed to apply to some data sources.
Immuta v2022.5.4
Immuta 2022.5.4 was released March 3, 2023.
Immuta v2022.5.4 Bug Fix
Fix to repair the impact of a recent Databricks Data Explorer change to issue the `use catalog hive_metastore` command on Databricks runtimes older than Databricks runtime 11.x. The Databricks Spark integration now handles this command issued by Databricks Data Explorer.
Immuta v2022.5.3
Immuta 2022.5.3 was released February 23, 2023.
Immuta v2022.5.3 Bug Fixes
- When applying a global subscription policy that uses the `@hasTagAsGroup` or `@hasTagAsAttribute` enhanced subscription policy variable (for example, "Allow users to subscribe when `@hasTagAsAttribute('AllowedAccess', 'dataSource')` on all data sources") to a data source, user access was restricted as expected; however, if the data source tag changed through the Immuta V2 API, access wasn't changed, which could potentially allow users to see data that they shouldn't. Additionally, access wasn't changed if the policy was removed.
- Users could not save configuration changes if they enabled Snowflake table grants after creating the integration.
- Users could not save configuration changes if they edited an existing Snowflake integration.
- Users encountered an `integer out of range` error in blob-path tables that had large numbers of S3 objects.
- When users tried to download files larger than 54-60 KB from S3, the files were corrupted.
- Vulnerabilities: CVE-2022-32149, CVE-2022-23491.
Immuta v2022.5.2
Immuta 2022.5.2 was released January 23, 2023.
v2022.5.2 Bug Fixes
- Snowflake, Redshift, and Azure Synapse integrations:
  - If a combined global subscription policy was applied to a data source and a user updated a global data policy (create, update, delete) that also applied to that data source, the data policy was not applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
  - If an existing global subscription policy and an existing global data policy applied to the same data source, then after modifications to that data source (or the creation of a new data source targeted by those policies) only the global subscription policy was applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
- Vulnerability: CVE-2022-40899.
Immuta v2022.5.1
Immuta 2022.5.1 was released January 16, 2023.
v2022.5.1 Bug Fixes
- Data source governance report failed to generate in environments with over 2,300 data sources and 2,000 users.
- The Unity Catalog token sync job caused an `ERR_INVALID_ARG_TYPE` error.
- When Unity Catalog was enabled, users couldn't register data sources from the legacy `hive_metastore`.
- Vulnerability: CVE-2022-23529.
Immuta v2022.5.0
Immuta 2022.5.0 was released December 15, 2022.
v2022.5.0 Features and Changes
- Databricks Spark Integration with Unity Catalog Support: Enable Unity Catalog support on Immuta clusters to use the Metastore across your Databricks workspaces and enforce Immuta policies on your data. This integration provides a migration pathway for you to add your tables in Unity Catalog while using Immuta policies. Consequently, when additional Unity Catalog features are available, you will be ready to use them. Databricks SQL policies will continue to be enforced through a view-based method, and interactive cluster policies through the Immuta plugin method.
- Databricks Runtime 11.2 support.
- Write Fewer, Simpler ABAC Policies. Enhanced Subscription Policy Variables (Public Preview) empower users to write fewer, simpler ABAC (Users with Specific Groups/Attributes) policies. Previously, policy writers had to specify groups in separate policies to grant access. With Enhanced Subscription Policy Variables, Immuta's policy engine compares users' groups with data source or column tags in a single policy to determine if there is a match. Users who have a group that matches a tag on a data source or column will be subscribed to that data source.
- Tag Enhancements (Public Preview): Tag enhancements include various UI updates that improve user experience.
- Immuta supports registering data sources that exceed 1600 columns. However, sensitive data discovery and health checks will not run on those data sources.
- The maximum length for the Snowflake role prefix when using Snowflake Table Grants is 50 characters.
- Users cannot enable or disable native impersonation when editing a previously configured integration.
- Collibra integration performance improvements.
- Collibra integration recognizes the implicit relationship between the Database View in Collibra and Immuta data source columns so that tags are properly applied to those columns in Immuta.
- The Immuta V1 API `/dataSource` endpoint returns the remote table name so that users can get the schema and table name of a data source in one API call.
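As an added illustration (not Immuta's code), the following Python models the matching that Enhanced Subscription Policy Variables describe, with a reconcile step that computes revokes as well as grants; the v2022.5.3 and v2022.5.7 fixes concern exactly that revoke path, where access outlived the removal of a matching tag. Class and function names, and the meaning of the scope argument, are assumptions for illustration.

```python
# Added example (not Immuta's code): reference model of @hasTagAsGroup /
# @hasTagAsAttribute matching plus subscription reconciliation. Names and
# the scope semantics are assumptions made for this illustration.
from dataclasses import dataclass, field


@dataclass
class DataSource:
    name: str
    tags: set = field(default_factory=set)           # data-source-level tags
    column_tags: dict = field(default_factory=dict)  # column name -> set of tags

    def tags_in_scope(self, scope: str) -> set:
        """Assumed: 'dataSource' means table-level tags, 'column' means column tags."""
        if scope == "dataSource":
            return set(self.tags)
        return set().union(*self.column_tags.values())


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)   # attribute key -> set of values


def has_tag_as_group(user, source, scope="dataSource"):
    """@hasTagAsGroup: match when one of the user's groups equals a tag in scope."""
    return bool(user.groups & source.tags_in_scope(scope))


def has_tag_as_attribute(user, key, source, scope="dataSource"):
    """@hasTagAsAttribute(key, scope): match when a value of attribute `key`
    equals a tag in scope, e.g. @hasTagAsAttribute('AllowedAccess', 'dataSource')."""
    return bool(user.attributes.get(key, set()) & source.tags_in_scope(scope))


def reconcile(users, sources, policy, current):
    """Return (grants, revokes) that move the current subscription set to the set
    the policy implies. Computing revokes is what prevents a removed tag or a
    removed policy from leaving stale access behind."""
    desired = {(u.name, s.name) for u in users for s in sources if policy(u, s)}
    return desired - current, current - desired


def demo():
    """Constructed sample: alice matches by group, bob by attribute; then the
    Finance tag is removed from the sales table and alice must be revoked."""
    alice = User("alice", groups={"Finance"})
    bob = User("bob", attributes={"AllowedAccess": {"Sales"}})
    sales = DataSource("sales", tags={"Finance", "Sales"})
    hr = DataSource("hr", tags={"HR"})
    policy = lambda u, s: has_tag_as_group(u, s) or has_tag_as_attribute(u, "AllowedAccess", s)
    first = reconcile([alice, bob], [sales, hr], policy, set())
    subs = first[0]                                  # apply the initial grants
    sales.tags.discard("Finance")                    # tag changed, e.g. via the API
    second = reconcile([alice, bob], [sales, hr], policy, subs)
    return first, second
```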
v2022.5.0 Bug Fixes
- The data source Relationships tab only displayed up to 10 associated projects.
- If creating the Immuta database failed in the Snowflake without Snowflake Governance Controls or Databricks SQL integration, the error returned was incorrect.
- Removed historical schema monitoring metrics that contained database connection strings.
- Subqueries that referenced a table that didn't exist never resolved.
- Policies:
- Disabling a Global conditional masking policy on a data source could sometimes disable all policies or none of the policies on the data source.
  - If users submitted a Global Policy payload to the API that was missing the `subscriptionType` from the actions, the Global Policies page broke when trying to display Subscription Policies.
  - Global Subscription Policies that contained the `@hasTagAsAttribute` variable caused errors and degraded performance.
- Snowflake with Snowflake Governance Features: Changing a column's masking policy type resulted in errors until users manually synced the policy in Immuta.
- Azure Synapse Analytics: If a user was granted access to around 1300 data sources, access to those tables was delayed.
- Deleting an integration on the App Settings page and saving the configuration caused the Immuta UI to crash.
- Redshift:
  - Users were unable to query tables that had a policy with `Limit usage to purpose(s) <ANY PURPOSE>` applied to them.
  - There were error-handling inconsistencies between the Immuta UI and the database logs.
  - When configured with ADFS, the Redshift integration was not creating views for Immuta data sources properly.
- Alternative owners of data sources were not included in the subscription audit records if the data source was created using the Immuta V2 API.
- Snowflake Table Grants: If a user who was added to a Snowflake data source through a group Subscription Policy was removed from a data source, that user could see the columns (without any data) of the table when they queried that data in Snowflake.
- When users edited a Snowflake integration configuration and changed the authentication type to Snowflake External OAuth, the configuration was still saved as Username and Password for the authentication type.
- Users could not create an S3 data source in the Immuta UI when they selected override host in the data source creation workflow. Doing so caused an `Invalid S3 URL` error.
- Vulnerabilities: CVE-2022-3517, CVE-2022-37616, CVE-2022-39299, CVE-2022-39353.
v2022.5.0 Known Bugs
- Editing a schema project to a database that already exists fails.
- Users cannot create an S3 data source using an instance role using the UI; they must use the API.
v2022.5.0 Deprecations and Breaking Changes
Rocky Linux Upgrade
Immuta's upgrade to Rocky Linux 9 has the potential to impact your environment. See the changes described below for guidance.
ODBC Drivers
Your ODBC drivers must be compatible with Enterprise Linux 9 or Red Hat Enterprise Linux 9.
Container Runtimes
You must run a supported version of Kubernetes (or a recent version of Docker for SND installations). See Supported Software Versions for details.
- Single Node Docker Customers: Use at least Docker v20.10.10.
- Kubernetes Customers:
  - Use at least Docker v20.10.10 if using Docker as the container runtime.
  - Use at least containerd 1.4.10 if using containerd as the container runtime.
OpenSSL 3.0
CentOS Stream 9 uses OpenSSL 3.0, which has deprecated support for older insecure hashes and TLS versions, such as TLS 1.0 and TLS 1.1. This shouldn't impact you unless you are using an old, insecure certificate. In that case, the certificate will no longer work. See the OpenSSL migration guide for more information.
FIPS Environments
If you run Immuta 2022.5.x containers in a FIPS-enabled environment, they will now fail. Helm Chart 4.11 contains a feature for you to override the `openssl.cnf` file, which can be used to allow Immuta to run in your environment, mimicking the CentOS 7 behavior.
Removed Databases
The following databases have been removed from the product.
Database | Deprecation Notice | End of Life (EOL) |
---|---|---|
Custom | 2022.3 | 2022.5 |
KDB | 2022.3 | 2022.5 |
MariaDB | 2022.3 | 2022.5 |
Persisted | 2022.3 | 2022.5 |
Removed Features
- Amazon EMR workspaces have been removed from the product.
- Cloudera Hadoop (CDH) workspaces have been removed from the product.
Deprecated Features
Deprecated items remain in the product with minimal support until their end of life date.
Feature | Deprecation Notice | End of Life (EOL) |
---|---|---|
Apache Hive | 2022.5 | 2023.1 |
Metrics tab and query tab on data source view page | 2022.5 | 2023.2 |
SAP Hana | 2022.5 | 2023.1 |
Teradata Native Lite | 2022.5 | 2023.1 |
Vertica | 2022.5 | 2023.1 |
v2022.5.0 Migration Notes
- All users must be on Immuta version 2020.2 or greater to migrate directly to 2022.5.