Release 2.1.1 Available

Joshua-Trees-haiku

Release Notes

Apache Ozone 2.1.1 is a patch release that addresses critical bugs and security issues discovered in Ozone 2.1.0. Upgrade is strongly recommended for all 2.1.0 users.

Critical Bug Fixes (Upgrade Strongly Recommended)

HDDS-14858 — OM requests fail on JDK 11 with ClassNotFoundException: java.lang.constant.Constable

OM request fails with ClassNotFoundException: java.lang.constant.Constable.

Impact: If you run Ozone 2.1.0 on JDK 11 or lower, OM operations such as ozone sh key put can fail with:

RemoteException: java/lang/constant/Constable
Caused by: java.lang.ClassNotFoundException: java.lang.constant.Constable

Who is affected: Anyone on 2.1.0 + JDK ≤ 11. This is a regression from AspectJ bytecode generation referencing JDK 12+ APIs.

Action: Upgrade to 2.1.1 if you cannot move to JDK 17+.

HDDS-14778 — ozone-filesystem-shaded protobuf corruption breaks ofs:// clients

ozone-filesystem-shaded relocates/corrupts protobuf descriptor binary.

Impact: With TRACE logging enabled, Ozone filesystem client operations via ofs:// can fail at class load time:

ExceptionInInitializerError at OzoneManagerProtocolProtos.
Caused by: InvalidProtocolBufferException: Protocol message tag had invalid wire type

Root cause: Over-broad Maven shade relocation rules (io, kotlin, info, etc.) corrupted protobuf descriptor bytes inside the shaded JAR. The bug is latent and can reappear after proto changes.

Who is affected: Users of ozone-filesystem-shaded (Hadoop/OFS integration), especially with debug/trace logging.

Action: Upgrade to 2.1.1 and rebuild/redeploy shaded client JARs.

Security / Authorization Behavior Changes

HDDS-14898 & HDDS-14894 — Missing ACL checks on S3 multipart APIs

Impact: Behavior change (tightening). ListParts and ListMultipartUploads previously had no ACL checks. They now enforce authorization like other S3 APIs.

Who is affected:

STS users with narrowly scoped tokens (e.g., PutObject-only) that previously could call these APIs
Any workflow that relied on implicit access via multipart upload ownership

Action: After upgrade, verify multipart upload workflows and STS session policies. Previously "working" calls may now return 403 Access Denied.

HDDS-15064 — Ranger/STS S3 action–aware authorization

Impact: API/authorization model change for STS + Apache Ranger integration.

Adds s3Action to RequestContext so Ranger can restrict permissions by specific S3 action (e.g., distinguish s3:PutObjectTagging from s3:DeleteObjectTagging)
OzoneGrant now carries a Set of allowed S3 actions for inline policies

Who is affected: Clusters using STS temporary credentials with Ranger. Authorization becomes more granular; tokens may grant less access than before when S3 actions are explicitly scoped.

Action: Coordinate with your Ranger/Ozone plugin team. This was backported specifically so Ranger can consume it upstream in 2.1.1.

HDDS-14366 — Log4j2 bump to 2.25.3 (CVE-2025-68161)

Impact: Fixes TLS hostname verification bypass in Log4j2 Socket Appender (MITM risk for remote log shipping).

Who is affected: Only if you use Log4j2 Socket Appender over TLS with hostname verification enabled. Most clusters are unaffected unless they ship logs this way.

Notable Operational Fixes

HDDS-14368 — Recon shows wrong pipelines per container

Impact: Recon UI/API incorrectly showed all pipelines for every container instead of the container's actual WRITE pipeline.

Action: Upgrade if you rely on Recon for container/pipeline troubleshooting.

HDDS-13069 — S3 Gateway shutdown error

Impact: S3 Gateway logged an IllegalStateException from Weld/Jetty during admin webserver shutdown. Shutdown could appear to fail even though the process was stopping.

Action: Cosmetic/operational fix; shutdown now completes cleanly (error is caught and logged).

Changelog

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Fixed

Fixed OM requests failing on JDK 11 with ClassNotFoundException: java.lang.constant.Constable. (HDDS-14858)
Fixed protobuf descriptor corruption in ozone-filesystem-shaded that broke ofs:// clients. (HDDS-14778)
Fixed Recon showing wrong pipelines for containers. (HDDS-14368)
Fixed S3 Gateway shutdown error from Weld/Jetty admin webserver. (HDDS-13069)

Changed

Added ACL checks for S3 ListParts and ListMultipartUploads APIs. (HDDS-14898, HDDS-14894)
Added S3 action–aware authorization for STS + Ranger integration. (HDDS-15064)

Security

Bumped Log4j2 to 2.25.3 to fix CVE-2025-68161. (HDDS-14366)

Downloads

Download tar.gz (checksum, signature)
Download src (checksum, signature)

Documentation

Ozone 2.1.1 Documentation

Release Date: 2026 Jun 21

Release Notes​

Critical Bug Fixes (Upgrade Strongly Recommended)​

HDDS-14858 — OM requests fail on JDK 11 with ClassNotFoundException: java.lang.constant.Constable​

HDDS-14778 — ozone-filesystem-shaded protobuf corruption breaks ofs:// clients​

Security / Authorization Behavior Changes​

HDDS-14898 & HDDS-14894 — Missing ACL checks on S3 multipart APIs​

HDDS-15064 — Ranger/STS S3 action–aware authorization​

HDDS-14366 — Log4j2 bump to 2.25.3 (CVE-2025-68161)​

Notable Operational Fixes​

HDDS-14368 — Recon shows wrong pipelines per container​

HDDS-13069 — S3 Gateway shutdown error​

Changelog​

Fixed​

Changed​

Security​

Downloads​

Documentation​