Immuta v2022.5.0 Release Notes
Immuta v2022.5.8 was released May 25, 2023.
- The Redshift integration did not properly create views for tables that included column names with special characters.
When users queried those views, they received
column doesn't existerrors.
- When configuring Snowflake object tag ingestion, the connection failed if the host provided was a Snowflake PrivateLink URL.
- Fix to address a race condition that prevented job clusters from starting properly on Databricks runtimes 9.1 and 10.4.
Immuta v2022.5.7 was released April 27, 2023.
- The enhanced subscription policy variable
@hasTagAsAttributedid not unsubscribe users with that attribute from the data source when a matching column tag was removed.
- Running an external catalog sync did not trigger policy updates when only table tags had changed. If users only added or removed table tags, global policy updates were not applied to data sources.
- Snowflake integration:
- Connection validation failed if users created a custom system account role name when setting up the integration.
- Snowflake table grants did not properly update user subscriptions to data sources if their group in Immuta was renamed and the group name was used in an automatic subscription policy.
- If a group's access was revoked from a data source in Immuta (manually or through a policy), table grants was not issuing revokes in Snowflake for members of the group that lost its subscription status, allowing them to still access that data. However, if low row access policies for Snowflake was disabled, all the rows in the data source were appropriately hidden.
Immuta 2022.5.6 was released March 28, 2023.
Immuta v2022.5.6 Bug Fixes
- When using the Immuta CLI to clone and save policies, the logic operator (
OR) selected between multiple tags was not stored; instead,
ORwas always used once the policy was saved. For example, if a policy like "Mask columns tagged
Discovered . PIIand
Discovered . Country . USA" was cloned and then saved with the CLI, the
ORlogic operator was used, and the policy was saved as "
Discovered . PIIor
Discovered . Country . USA".
- When editing a Redshift data source or schema connection, changing the Redshift username could result in the view being unable to be created.
- Users were unable to add S3 data sources through the Immuta API using instance role as the authentication method.
- Fix to repair impact of a recent Databricks Data Explorer change to issue
use catalog hive_metastorecommand on Databricks runtimes older than Databricks runtime 11.x. The Databricks Spark integration now handles this command issued by Databricks Data Explorer.
When using SCIM to sync an identity manager with Immuta, removing a user from a group in the identity manager did not remove the user from that group in the remote database in the following integrations:
This issue could allow that user to retain access to data if they were removed from a group that was granted access by a policy.
If an Advanced DSL policy used the
@columnsTaggedfunction and the policy had multiple conditions, all users were restricted from seeing data.
Unity Catalog clusters: A breaking change in Databricks caused a
wrong number of argumentserror when users ran Unity Catalog queries.
Users were unable to run queries through the query engine.
When Databricks query plans for tables registered in Immuta were too large, Immuta could not process the audit record.
Immuta 2022.5.5 was released March 15, 2023.
Immuta v2022.5.5 Bug Fixes
- The Databricks Spark integration sometimes provided an incomplete list of databases in the Data Explorer UI or in
Databricks clusters after running
- Under rare circumstances, a global data policy using a tag failed to apply to some data sources.
Immuta 2022.5.4 was released March 3, 2023.
Immuta v2022.5.4 Bug Fix
Fix to repair impact of a recent Databricks Data Explorer change to issue
use catalog hive_metastore command on Databricks runtimes older than Databricks runtime 11.x.
The Databricks Spark integration now handles this command issued by Databricks Data Explorer.
Immuta 2022.5.3 was released February 23, 2023.
Immuta v2022.5.3 Bug Fixes
- When applying a global subscription policy that uses the
hasTagAsAttributeenhanced subscription policy variable (for example, "Allow users to subscribe when
@hasTagAsAttribute('AllowedAccess', 'dataSource')on all data sources") to a data source, user access was restricted as expected; however, if the data source tag changed through the Immuta V2 API, access wasn't changed, which could potentially allow users to see data that they shouldn't. Additionally, access wasn't changed if the policy was removed.
- Users could not save configuration changes if they enabled Snowflake table grants after creating the integration.
- Users could not save configuration changes if they edited an existing Snowflake integration.
- Users encountered an
integer out of rangeerror in blob-path tables that had large numbers of S3 objects.
- When users tried to download files larger than 54-60 KB from S3, the files were corrupted.
Immuta 2022.5.2 was released January 23, 2023.
v2022.5.2 Bug Fixes
Snowflake, Redshift, and Azure Synapse integrations:
- If a combined global subscription policy was applied to a data source and a user updated a global data policy (create, update, delete) that also applied to that data source, the data policy was not applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
- If an existing global subscription policy and an existing global data policy applied to the same data source, then modifications to that data source (or the creation of a new data source targeted by those policies), only the global subscription policy was applied to the data source. Consequently, a user querying that table could see values of masked columns in plaintext.
Immuta 2022.5.1 was released January 16, 2023.
v2022.5.1 Bug Fixes
- Data source governance report failed to generate in environments with over 2,300 data sources and 2,000 users.
- Unity Catalog token sync job caused
- When Unity Catalog was enabled, users couldn't register data sources from the legacy
Immuta 2022.5.0 was released December 15, 2022.
v2022.5.0 Features and Changes
- Databricks Spark Integration with Unity Catalog Support: Enable Unity Catalog support on Immuta clusters to use the Metastore across your Databricks workspaces and enforce Immuta policies on your data. This integration provides a migration pathway for you to add your tables in Unity Catalog while using Immuta policies. Consequently, when additional Unity Catalog features are available, you will be ready to use them. Databricks SQL policies will continue to be enforced through a view-based method, and interactive cluster policies through the Immuta plugin method.
- Databricks Runtime 11.2 support.
- Write Fewer, Simpler ABAC Policies. Enhanced Subscription Policy Variables (Public Preview) empower users to write fewer, simpler ABAC (Users with Specific Groups/Attributes) policies. Previously, policy writers had to specify groups in separate policies to grant access. With Enhanced Subscription Policy Variables, Immuta's policy engine compares users' groups with data source or column tags in a single policy to determine if there is a match. Users who have a group that matches a tag on a data source or column will be subscribed to that data source.
- Tag Enhancements (Public Preview): Tag enhancements include various UI updates that improve user experience.
- Immuta supports registering data sources that exceed 1600 columns. However, sensitive data discovery and health checks will not run on those data sources.
- The maximum length for the Snowflake role prefix when using Snowflake Table Grants is 50 characters.
- Users cannot enable or disable native impersonation when editing a previously configured integration.
- Collibra integration performance improvements.
- Collibra integration recognizes the implicit relationship between the Database View in Collibra and Immuta data source columns so that tags are properly applied to those columns in Immuta.
- The Immuta V1 API
/dataSourceendpoint returns the remote table name so that users can get the schema and table name of a data source in one API call.
v2022.5.0 Bug Fixes
- The data source Relationships tab only displayed up to 10 associated projects.
- If creating the Immuta database failed in the Snowflake without Snowflake Governance Controls or Databricks SQL integration, the error returned was incorrect.
- Removed historical schema monitoring metrics that contained database connection strings.
- Subqueries that referenced a table that didn't exist never resolved.
- Disabling a Global conditional masking policy on a data source could sometimes disable all policies or none of the policies on the data source.
- If users submitted a Global Policy payload to the API that was missing the
subscriptionTypefrom the actions, the Global Policies page broke when trying to display Subscription Policies.
- Global Subscription Policies that contained the
@hasTagAsAttributevariable caused errors and degraded performance.
- Snowflake with Snowflake Governance Features: Changing a column's masking policy type resulted in errors until users manually synced the policy in Immuta.
- Azure Synapse Analytics: If a user was granted access to around 1300 data sources, access to those tables was delayed.
- Deleting an integration on the App Settings page and saving the configuration caused the Immuta UI to crash.
- Users were unable to query tables that had a policy with a
Limit usage to purpose(s) <ANY PURPOSE>applied to them.
- There were error-handling inconsistencies between the Immuta UI and the database logs.
- When configured with ADFS, the Redshift integration was not creating views for Immuta data sources properly.
- Users were unable to query tables that had a policy with a
- Alternative owners of data sources were not included in the subscription audit records if the data source was created using the Immuta V2 API.
- Snowflake Table Grants: If a user who was added to a Snowflake data source through a group Subscription Policy was removed from a data source, that user could see the columns (without any data) of the table when they queried that data in Snowflake.
- When users edited a Snowflake integration configuration and changed the authentication type to Snowflake External OAuth, the configuration was still saved as Username and Password for the authentication type.
- Users could not create an S3 data source in the Immuta UI when they selected override host in the data source
creation workflow. Doing so caused an
Invalid S3 URLerror.
v2022.5.0 Known Bugs
- Editing a schema project to a database that already exists fails.
- Users cannot create an S3 data source using an instance role using the UI; they must use the API.
v2022.5.0 Deprecations and Breaking Changes
Immuta's upgrade to CentOS 9 has the potential to impact your environment. See the changes described below for guidance.
Your ODBC drivers should use a driver compatible with Enterprise Linux 9 or Red Hat Enterprise Linux 9.
You must run a supported version of Kubernetes (or a recent version of Docker for SND installations). See Supported Software Versions for details.
Single Node Docker Customers: Use at least Docker v20.10.10.
- Use at least Docker v20.10.10 if using Docker as the container runtime.
- Use at least containerd 1.4.10 if using containerd as the container runtime.
CentOS Stream 9 uses OpenSSL 3.0, which has deprecated support for older insecure hashes and TLS versions, such as TLS 1.0 and TLS 1.1. This shouldn't impact you unless you are using an old, insecure certificate. In that case, the certificate will no longer work. See the OpenSSL migration guide for more information.
If you run Immuta 2022.5.x containers in a FIPS-enabled environment, they will now fail. Helm Chart 4.11 contains a
feature for you to override the
openssl.cnf file, which can be used to allow Immuta to run in your environment,
mimicking the CentOS 7 behavior.
The following databases have been removed from the product.
|Database||Deprecation Notice||End of Life (EOL)|
- Amazon EMR workspaces have been removed from the product.
- Cloudera Hadoop (CDH) workspaces have been removed from the product.
Deprecated items remain in the product with minimal support until their end of life date.
|Feature||Deprecation Notice||End of Life (EOL)|
|Teradata Native Lite||2022.5||2023.1|
v2022.5.0 Migration Notes
- All users must be on Immuta version 2020.2 or greater to migrate directly to 2022.5.