Thanks Wei-Chiu for leading the 2.1.1 release! On Tue, 23 Jun 2026 at 02:35, Wei-Chiu Chuang <[email protected]> wrote:
> Hello all, > > We are excited to announce the release of Apache Ozone 2.1.1! > > https://ozone.apache.org/release-notes/2.1.1 > Documentation: > https://ozone.apache.org/docs/ > > Docker image: > https://hub.docker.com/r/apache/ozone/tags > > Javadoc: > https://javadoc.io/doc/org.apache.ozone > > Github release page > https://github.com/apache/ozone/releases/tag/ozone-2.1.1 > Critical bug fixes (upgrade strongly recommended)HDDS-14858 > <https://issues.apache.org/jira/browse/HDDS-14858> — OM requests fail on > JDK 11 with ClassNotFoundException: java.lang.constant.Constable > > Impact: If you run Ozone 2.1.0 on JDK 11 or lower, OM operations such > as ozone sh key put can fail with: > > RemoteException: java/lang/constant/ConstableCaused by: > java.lang.ClassNotFoundException: java.lang.constant.Constable > > Who is affected: Anyone on 2.1.0 + JDK ≤ 11. This is a regression from > AspectJ bytecode generation referencing JDK 12+ APIs. > > Action: Upgrade to 2.1.1 if you cannot move to JDK 17+. > HDDS-14778 <https://issues.apache.org/jira/browse/HDDS-14778> — > ozone-filesystem-shaded protobuf > corruption breaks ofs:// clients > > Impact: With TRACE logging enabled, Ozone filesystem client operations > via ofs:// can fail at class load time: > > ExceptionInInitializerError at OzoneManagerProtocolProtos.Caused by: > InvalidProtocolBufferException: Protocol message tag had invalid wire type > > Root cause: Over-broad Maven shade relocation rules (io, kotlin, info, > etc.) corrupted protobuf descriptor bytes inside the shaded JAR. The bug is > latent and can reappear after proto changes. > > Who is affected: Users of ozone-filesystem-shaded (Hadoop/OFS integration), > especially with debug/trace logging. > > Action: Upgrade to 2.1.1 and rebuild/redeploy shaded client JARs. > Security / authorization behavior changesHDDS-14898 > <https://issues.apache.org/jira/browse/HDDS-14898> & HDDS-14894 > <https://issues.apache.org/jira/browse/HDDS-14894> — Missing ACL checks on > S3 multipart APIs > > Impact: Behavior change (tightening). ListParts and > ListMultipartUploads previously > had no ACL checks. They now enforce authorization like other S3 APIs. > > Who is affected: > > - > > STS users with narrowly scoped tokens (e.g., PutObject-only) that > previously could call these APIs > - > > Any workflow that relied on implicit access via multipart upload > ownership > > Action: After upgrade, verify multipart upload workflows and STS session > policies. Previously “working” calls may now return 403 Access Denied. > HDDS-15064 <https://issues.apache.org/jira/browse/HDDS-15064> — Ranger/STS > S3 action–aware authorization > > Impact: API/authorization model change for STS + Apache Ranger integration. > > - > > Adds s3Action to RequestContext so Ranger can restrict permissions by > specific S3 action (e.g., > distinguish s3:PutObjectTagging from s3:DeleteObjectTagging) > - > > OzoneGrant now carries a Set of allowed S3 actions for inline policies > > Who is affected: Clusters using STS temporary credentials with Ranger. > Authorization becomes more granular; tokens may grant less access than > before when S3 actions are explicitly scoped. > > Action: Coordinate with your Ranger/Ozone plugin team. This was backported > specifically so Ranger can consume it upstream in 2.1.1. > HDDS-14366 <https://issues.apache.org/jira/browse/HDDS-14366> — Log4j2 > bump > to 2.25.3 (CVE-2025-68161 > <https://github.com/advisories/GHSA-vc5p-v9hr-52mj>) > > Impact: Fixes TLS hostname verification bypass in Log4j2 Socket Appender > (MITM > risk for remote log shipping). > > Who is affected: Only if you use Log4j2 Socket Appender over TLS with > hostname verification enabled. Most clusters are unaffected unless they > ship logs this way. > Notable operational fixes (lower severity)HDDS-14368 > <https://issues.apache.org/jira/browse/HDDS-14368> — Recon shows wrong > pipelines per container > > Impact: Recon UI/API incorrectly showed all pipelines for every container > instead of the container’s actual WRITE pipeline. > > Action: Upgrade if you rely on Recon for container/pipeline > troubleshooting. > HDDS-13069 <https://issues.apache.org/jira/browse/HDDS-13069> — S3 Gateway > shutdown error > > Impact: S3 Gateway logged an IllegalStateException from Weld/Jetty during > admin webserver shutdown. Shutdown could appear to fail even though the > process was stopping. > > Action: Cosmetic/operational fix; shutdown now completes cleanly (error is > caught and logged). >
