Thanks Wei-Chiu for leading the 2.1.1 release!

On Tue, 23 Jun 2026 at 02:35, Wei-Chiu Chuang <[email protected]> wrote:

> Hello all,
>
> We are excited to announce the release of Apache Ozone 2.1.1!
>
> https://ozone.apache.org/release-notes/2.1.1
> Documentation:
> https://ozone.apache.org/docs/
>
> Docker image:
> https://hub.docker.com/r/apache/ozone/tags
>
> Javadoc:
> https://javadoc.io/doc/org.apache.ozone
>
> Github release page
> https://github.com/apache/ozone/releases/tag/ozone-2.1.1
> Critical bug fixes (upgrade strongly recommended)HDDS-14858
> <https://issues.apache.org/jira/browse/HDDS-14858> — OM requests fail on
> JDK 11 with ClassNotFoundException: java.lang.constant.Constable
>
> Impact: If you run Ozone 2.1.0 on JDK 11 or lower, OM operations such
> as ozone sh key put can fail with:
>
> RemoteException: java/lang/constant/ConstableCaused by:
> java.lang.ClassNotFoundException: java.lang.constant.Constable
>
> Who is affected: Anyone on 2.1.0 + JDK ≤ 11. This is a regression from
> AspectJ bytecode generation referencing JDK 12+ APIs.
>
> Action: Upgrade to 2.1.1 if you cannot move to JDK 17+.
> HDDS-14778 <https://issues.apache.org/jira/browse/HDDS-14778> —
> ozone-filesystem-shaded protobuf
> corruption breaks ofs:// clients
>
> Impact: With TRACE logging enabled, Ozone filesystem client operations
> via ofs:// can fail at class load time:
>
> ExceptionInInitializerError at OzoneManagerProtocolProtos.Caused by:
> InvalidProtocolBufferException: Protocol message tag had invalid wire type
>
> Root cause: Over-broad Maven shade relocation rules (io, kotlin, info,
> etc.) corrupted protobuf descriptor bytes inside the shaded JAR. The bug is
> latent and can reappear after proto changes.
>
> Who is affected: Users of ozone-filesystem-shaded (Hadoop/OFS integration),
> especially with debug/trace logging.
>
> Action: Upgrade to 2.1.1 and rebuild/redeploy shaded client JARs.
> Security / authorization behavior changesHDDS-14898
> <https://issues.apache.org/jira/browse/HDDS-14898> & HDDS-14894
> <https://issues.apache.org/jira/browse/HDDS-14894> — Missing ACL checks on
> S3 multipart APIs
>
> Impact: Behavior change (tightening). ListParts and
> ListMultipartUploads previously
> had no ACL checks. They now enforce authorization like other S3 APIs.
>
> Who is affected:
>
>    -
>
>    STS users with narrowly scoped tokens (e.g., PutObject-only) that
>    previously could call these APIs
>    -
>
>    Any workflow that relied on implicit access via multipart upload
>    ownership
>
> Action: After upgrade, verify multipart upload workflows and STS session
> policies. Previously “working” calls may now return 403 Access Denied.
> HDDS-15064 <https://issues.apache.org/jira/browse/HDDS-15064> — Ranger/STS
> S3 action–aware authorization
>
> Impact: API/authorization model change for STS + Apache Ranger integration.
>
>    -
>
>    Adds s3Action to RequestContext so Ranger can restrict permissions by
>    specific S3 action (e.g.,
>    distinguish s3:PutObjectTagging from s3:DeleteObjectTagging)
>    -
>
>    OzoneGrant now carries a Set of allowed S3 actions for inline policies
>
> Who is affected: Clusters using STS temporary credentials with Ranger.
> Authorization becomes more granular; tokens may grant less access than
> before when S3 actions are explicitly scoped.
>
> Action: Coordinate with your Ranger/Ozone plugin team. This was backported
> specifically so Ranger can consume it upstream in 2.1.1.
> HDDS-14366 <https://issues.apache.org/jira/browse/HDDS-14366> — Log4j2
> bump
> to 2.25.3 (CVE-2025-68161
> <https://github.com/advisories/GHSA-vc5p-v9hr-52mj>)
>
> Impact: Fixes TLS hostname verification bypass in Log4j2 Socket Appender
> (MITM
> risk for remote log shipping).
>
> Who is affected: Only if you use Log4j2 Socket Appender over TLS with
> hostname verification enabled. Most clusters are unaffected unless they
> ship logs this way.
> Notable operational fixes (lower severity)HDDS-14368
> <https://issues.apache.org/jira/browse/HDDS-14368> — Recon shows wrong
> pipelines per container
>
> Impact: Recon UI/API incorrectly showed all pipelines for every container
> instead of the container’s actual WRITE pipeline.
>
> Action: Upgrade if you rely on Recon for container/pipeline
> troubleshooting.
> HDDS-13069 <https://issues.apache.org/jira/browse/HDDS-13069> — S3 Gateway
> shutdown error
>
> Impact: S3 Gateway logged an IllegalStateException from Weld/Jetty during
> admin webserver shutdown. Shutdown could appear to fail even though the
> process was stopping.
>
> Action: Cosmetic/operational fix; shutdown now completes cleanly (error is
> caught and logged).
>

Reply via email to