Immuta v2022.5.0 Release Notes
Immuta v2022.5.8
Immuta v2022.5.8 was released May 25, 2023.
Bug Fixes
- The Redshift integration did not properly create views for tables that included column names with special characters. When users queried those views, they received `column doesn't exist` errors.
- When configuring Snowflake object tag ingestion, the connection failed if the host provided was a Snowflake PrivateLink URL.
- Fix to address a race condition that prevented job clusters from starting properly on Databricks runtimes 9.1 and 10.4.
- Vulnerability: CVE-2023-32314
Immuta v2022.5.7
Immuta v2022.5.7 was released April 27, 2023.
Bug Fixes
- The enhanced subscription policy variable `@hasTagAsAttribute` did not unsubscribe users with that attribute from the data source when a matching column tag was removed.
- Running an external catalog sync did not trigger policy updates when only table tags had changed. If users only added or removed table tags, global policy updates were not applied to data sources.
- Snowflake integration:
- Connection validation failed if users created a custom system account role name when setting up the integration.
- Snowflake table grants did not properly update user subscriptions to data sources if their group in Immuta was renamed and the group name was used in an automatic subscription policy.
- If a group's access was revoked from a data source in Immuta (manually or through a policy), table grants were not issuing revokes in Snowflake for members of the group that lost its subscription status, allowing them to still access that data. However, if low row access policies for Snowflake were disabled, all the rows in the data source were appropriately hidden.
Immuta v2022.5.6
Immuta 2022.5.6 was released March 28, 2023.
Immuta v2022.5.6 Bug Fixes
- When using the Immuta CLI to clone and save policies, the logic operator (`AND` or `OR`) selected between multiple tags was not stored; instead, `OR` was always used once the policy was saved. For example, if a policy like "Mask columns tagged `Discovered . PII` and `Discovered . Country . USA`" was cloned and then saved with the CLI, the `OR` logic operator was used, and the policy was saved as "`Discovered . PII` or `Discovered . Country . USA`".
- When editing a Redshift data source or schema connection, changing the Redshift username could prevent the view from being created.
- Users were unable to add S3 data sources through the Immuta API using instance role as the authentication method.
- Fix to repair the impact of a recent Databricks Data Explorer change that issues the `use catalog hive_metastore` command on Databricks runtimes older than Databricks runtime 11.x. The Databricks Spark integration now handles this command issued by Databricks Data Explorer.
- When using SCIM to sync an identity manager with Immuta, removing a user from a group in the identity manager did not remove the user from that group in the remote database in the following integrations:
  - Snowflake
  - Redshift
  - Synapse
  This issue could allow that user to retain access to data if they were removed from a group that was granted access by a policy.
- If an Advanced DSL policy used the `@columnsTagged` function and the policy had multiple conditions, all users were restricted from seeing data.
- Unity Catalog clusters: A breaking change in Databricks caused a `wrong number of arguments` error when users ran Unity Catalog queries.
- Users were unable to run queries through the query engine.
- When Databricks query plans for tables registered in Immuta were too large, Immuta could not process the audit record.
Immuta v2022.5.5
Immuta 2022.5.5 was released March 15, 2023.
Immuta v2022.5.5 Bug Fixes
- The Databricks Spark integration sometimes provided an incomplete list of databases in the Data Explorer UI or in Databricks clusters after running `SHOW DATABASES`.
- Under rare circumstances, a global data policy using a tag failed to apply to some data sources.
Immuta v2022.5.4
Immuta 2022.5.4 was released March 3, 2023.
Immuta v2022.5.4 Bug Fix
Fix to repair the impact of a recent Databricks Data Explorer change that issues the `use catalog hive_metastore` command on Databricks runtimes older than Databricks runtime 11.x. The Databricks Spark integration now handles this command issued by Databricks Data Explorer.
Immuta v2022.5.3
Immuta 2022.5.3 was released February 23, 2023.
Immuta v2022.5.3 Bug Fixes
- When applying a global subscription policy that uses the `@hasTagAsGroup` or `@hasTagAsAttribute` enhanced subscription policy variable (for example, "Allow users to subscribe when `@hasTagAsAttribute('AllowedAccess', 'dataSource')` on all data sources") to a data source, user access was restricted as expected; however, if the data source tag changed through the Immuta V2 API, access wasn't changed, which could potentially allow users to see data that they shouldn't. Additionally, access wasn't changed if the policy was removed.
- Users could not save configuration changes if they enabled Snowflake table grants after creating the integration.
- Users could not save configuration changes if they edited an existing Snowflake integration.
- Users encountered an `integer out of range` error in blob-path tables that had large numbers of S3 objects.
- When users tried to download files larger than 54-60 KB from S3, the files were corrupted.
- Vulnerabilities:
  - CVE-2022-32149
  - CVE-2022-23491
Immuta v2022.5.2
Immuta 2022.5.2 was released January 23, 2023.
v2022.5.2 Bug Fixes
- Snowflake, Redshift, and Azure Synapse integrations:
  - If a combined global subscription policy was applied to a data source and a user updated a global data policy (create, update, delete) that also applied to that data source, the data policy was not applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
  - If an existing global subscription policy and an existing global data policy applied to the same data source, then after modifications to that data source (or the creation of a new data source targeted by those policies), only the global subscription policy was applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
- Vulnerability: CVE-2022-40899
Immuta v2022.5.1
Immuta 2022.5.1 was released January 16, 2023.
v2022.5.1 Bug Fixes
- Data source governance report failed to generate in environments with over 2,300 data sources and 2,000 users.
- Unity Catalog token sync job caused an `ERR_INVALID_ARG_TYPE` error.
- When Unity Catalog was enabled, users couldn't register data sources from the legacy `hive_metastore`.
- Vulnerability: CVE-2022-23529
Immuta v2022.5.0
Immuta 2022.5.0 was released December 15, 2022.
v2022.5.0 Features and Changes
- Databricks Spark Integration with Unity Catalog Support: Enable Unity Catalog support on Immuta clusters to use the Metastore across your Databricks workspaces and enforce Immuta policies on your data. This integration provides a migration pathway for you to add your tables in Unity Catalog while using Immuta policies. Consequently, when additional Unity Catalog features are available, you will be ready to use them. Databricks SQL policies will continue to be enforced through a view-based method, and interactive cluster policies through the Immuta plugin method.
- Databricks Runtime 11.2 support.
- Write Fewer, Simpler ABAC Policies. Enhanced Subscription Policy Variables (Public Preview) empower users to write fewer, simpler ABAC (Users with Specific Groups/Attributes) policies. Previously, policy writers had to specify groups in separate policies to grant access. With Enhanced Subscription Policy Variables, Immuta's policy engine compares users' groups with data source or column tags in a single policy to determine if there is a match. Users who have a group that matches a tag on a data source or column will be subscribed to that data source.
- Tag Enhancements (Public Preview): Tag enhancements include various UI updates that improve user experience.
- Immuta supports registering data sources that exceed 1600 columns. However, sensitive data discovery and health checks will not run on those data sources.
- The maximum length for the Snowflake role prefix when using Snowflake Table Grants is 50 characters.
- Users cannot enable or disable native impersonation when editing a previously configured integration.
- Collibra integration performance improvements.
- Collibra integration recognizes the implicit relationship between the Database View in Collibra and Immuta data source columns so that tags are properly applied to those columns in Immuta.
- The Immuta V1 API `/dataSource` endpoint returns the remote table name so that users can get the schema and table name of a data source in one API call.
v2022.5.0 Bug Fixes
- The data source Relationships tab only displayed up to 10 associated projects.
- If creating the Immuta database failed in the Snowflake (without Snowflake Governance Controls) or Databricks SQL integration, the error returned was incorrect.
- Removed historical schema monitoring metrics that contained database connection strings.
- Subqueries that referenced a table that didn't exist never resolved.
- Policies:
  - Disabling a Global conditional masking policy on a data source could sometimes disable all policies or none of the policies on the data source.
  - If users submitted a Global Policy payload to the API that was missing the `subscriptionType` from the actions, the Global Policies page broke when trying to display Subscription Policies.
  - Global Subscription Policies that contained the `@hasTagAsAttribute` variable caused errors and degraded performance.
- Snowflake with Snowflake Governance Features: Changing a column's masking policy type resulted in errors until users manually synced the policy in Immuta.
- Azure Synapse Analytics: If a user was granted access to around 1300 data sources, access to those tables was delayed.
- Deleting an integration on the App Settings page and saving the configuration caused the Immuta UI to crash.
- Redshift:
  - Users were unable to query tables that had a policy with a `Limit usage to purpose(s) <ANY PURPOSE>` applied to them.
  - There were error-handling inconsistencies between the Immuta UI and the database logs.
  - When configured with ADFS, the Redshift integration was not creating views for Immuta data sources properly.
- Alternative owners of data sources were not included in the subscription audit records if the data source was created using the Immuta V2 API.
- Snowflake Table Grants: If a user who was added to a Snowflake data source through a group Subscription Policy was removed from a data source, that user could see the columns (without any data) of the table when they queried that data in Snowflake.
- When users edited a Snowflake integration configuration and changed the authentication type to Snowflake External OAuth, the configuration was still saved as Username and Password for the authentication type.
- Users could not create an S3 data source in the Immuta UI when they selected override host in the data source creation workflow. Doing so caused an `Invalid S3 URL` error.
- Vulnerabilities:
  - CVE-2022-3517
  - CVE-2022-37616
  - CVE-2022-39299
  - CVE-2022-39353
v2022.5.0 Known Bugs
- Editing a schema project to a database that already exists fails.
- Users cannot create an S3 data source using an instance role using the UI; they must use the API.
v2022.5.0 Deprecations and Breaking Changes
CentOS Upgrade
Immuta's upgrade to CentOS 9 has the potential to impact your environment. See the changes described below for guidance.
ODBC Drivers
Your ODBC drivers should use a driver compatible with Enterprise Linux 9 or Red Hat Enterprise Linux 9.
Container Runtimes
You must run a supported version of Kubernetes (or a recent version of Docker for SND installations). See Supported Software Versions for details.
- Single Node Docker Customers: Use at least Docker v20.10.10.
- Kubernetes Customers:
  - Use at least Docker v20.10.10 if using Docker as the container runtime.
  - Use at least containerd 1.4.10 if using containerd as the container runtime.
OpenSSL 3.0
CentOS Stream 9 uses OpenSSL 3.0, which has deprecated support for older insecure hashes and TLS versions, such as TLS 1.0 and TLS 1.1. This shouldn't impact you unless you are using an old, insecure certificate. In that case, the certificate will no longer work. See the OpenSSL migration guide for more information.
FIPS Environments
If you run Immuta 2022.5.x containers in a FIPS-enabled environment, they will now fail. Helm Chart 4.11 contains a feature for you to override the `openssl.cnf` file, which can be used to allow Immuta to run in your environment, mimicking the CentOS 7 behavior.
Removed Databases
The following databases have been removed from the product.
| Database | Deprecation Notice | End of Life (EOL) |
|---|---|---|
| Custom | 2022.3 | 2022.5 |
| KDB | 2022.3 | 2022.5 |
| MariaDB | 2022.3 | 2022.5 |
| Persisted | 2022.3 | 2022.5 |
Removed Features
- Amazon EMR workspaces have been removed from the product.
- Cloudera Hadoop (CDH) workspaces have been removed from the product.
Deprecated Features
Deprecated items remain in the product with minimal support until their end of life date.
| Feature | Deprecation Notice | End of Life (EOL) |
|---|---|---|
| Apache Hive | 2022.5 | 2023.1 |
| SAP Hana | 2022.5 | 2023.1 |
| Teradata Native Lite | 2022.5 | 2023.1 |
| Vertica | 2022.5 | 2023.1 |
v2022.5.0 Migration Notes
- All users must be on Immuta version 2020.2 or greater to migrate directly to 2022.5.