Apache Ambari Release Notes

Known Issues

Ambari 2.7.5 has the following known issues, scheduled for resolution in a future release.

Table 1. Ambari 2.7.5 Known Issues

Apache Jira | Cloudera Bug ID | Problem | Solution

Apache Jira: N/A
Cloudera Bug ID: BUG-123500
Problem: During the HDP stack upgrade, the existing configurations are merged with the default configurations of the upgraded HDP stack. Properties that have default values are overwritten by new default values from the target stack.
Solution: Move the affected keystore files to a different, non-default location and change the property values accordingly.
Affected property: Default value
Atlas:
  • xasecure.policymgr.clientssl.keystore: /usr/hdp/current/atlas-server/conf/ranger-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /usr/hdp/current/atlas-server/conf/ranger-plugin-truststore.jks
HDFS:
  Advanced ranger-hdfs-policymgr-ssl
  • xasecure.policymgr.clientssl.keystore: /usr/hdp/current/hadoop-client/conf/ranger-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /usr/hdp/current/hadoop-client/conf/ranger-plugin-truststore.jks
  Advanced ssl-client
  • ssl.client.keystore.location: /etc/security/clientKeys/keystore.jks
  • ssl.client.truststore.location: /etc/security/clientKeys/all.jks
Hive:
  • xasecure.policymgr.clientssl.keystore: /usr/hdp/current/hive-server2/conf/ranger-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /usr/hdp/current/hive-server2/conf/ranger-plugin-truststore.jks
HBase:
  • xasecure.policymgr.clientssl.keystore: /usr/hdp/current/hbase-client/conf/ranger-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /usr/hdp/current/hbase-client/conf/ranger-plugin-truststore.jks
Kafka:
  • xasecure.policymgr.clientssl.keystore: /usr/hdp/current/kafka-broker/config/ranger-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /usr/hdp/current/kafka-broker/config/ranger-plugin-truststore.jks
Knox:
  • xasecure.policymgr.clientssl.keystore: /usr/hdp/current/knox-server/conf/ranger-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /usr/hdp/current/knox-server/conf/ranger-plugin-truststore.jks
Ranger:
  Advanced atlas-tagsync-ssl
  • xasecure.policymgr.clientssl.keystore: /etc/security/serverKeys/atlas-tagsync-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /etc/security/serverKeys/atlas-tagsync-mytruststore.jks
  Advanced ranger-tagsync-policymgr-ssl
  • xasecure.policymgr.clientssl.keystore: /etc/security/serverKeys/ranger-tagsync-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /etc/security/serverKeys/ranger-tagsync-mytruststore.jks
Ranger KMS:
  • xasecure.policymgr.clientssl.keystore: /etc/security/serverKeys/ranger-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: /etc/security/serverKeys/ranger-plugin-truststore.jks
Storm:
  • xasecure.policymgr.clientssl.keystore: hadoopdev-clientcert.jks
  • xasecure.policymgr.clientssl.truststore: cacerts-xasecure.jks
YARN:
  • xasecure.policymgr.clientssl.keystore: {{stack_root}}/current/hadoop-client/conf/ranger-yarn-plugin-keystore.jks
  • xasecure.policymgr.clientssl.truststore: {{stack_root}}/current/hadoop-client/conf/ranger-yarn-plugin-truststore.jks

Apache Jira: N/A
Cloudera Bug ID: BUG-120773
Problem: EU: Oozie SC fails java.io.IOException: Error while connecting Oozie server

If Ranger HA and/or Oozie Server HA is configured and a custom composite keytab file is being used, service checks for Ranger and Oozie will fail during the HDP 2.6 to HDP 3.1 Upgrade.

Solution: Re-create the custom Ranger and/or Oozie Server keytab files and re-try the service check, or ignore and proceed past the service check.

Apache Jira: N/A
Cloudera Bug ID: N/A
Problem: Unable to install HDF over HDP when the HDF URL is not behind the paywall.
Solution: If the HDF URL is not behind the paywall, then you must select the disableCredentialsAutocompleteForRepoUrls option on http://$AMBARI_SERVER:8080/#/experimental

Apache Jira: N/A
Cloudera Bug ID: BUG-121044
Problem: Storm service check failed after disabling Kerberos.
Solution: Create a ZooKeeper superuser and remove or change the permissions on the credentials znode. Detailed steps:
  • Log in to any node with the ZooKeeper client and create a digest for the selected user:password pair:
    export ZK_CLASSPATH=/etc/zookeeper/conf/:/usr/hdp/current/zookeeper-server/lib/*:/usr/hdp/current/zookeeper-server/*
    java -cp "$ZK_CLASSPATH" org.apache.zookeeper.server.auth.DigestAuthenticationProvider super:super123
    where super:super123 is the user:password pair. The digest appears in the output:
    super:super123->super:UdxDQl4f9v5oITwcAsO9bmWgHSI=
  • Update the "zookeeper-env template" property on the ZooKeeper service page by adding the following line:
    export SERVER_JVMFLAGS="$SERVER_JVMFLAGS -Dzookeeper.DigestAuthenticationProvider.superDigest=super:UdxDQl4f9v5oITwcAsO9bmWgHSI="
    Replace the digest shown here with the one obtained in the previous step.
  • Restart all required services.
  • Log in to any node with the ZooKeeper client and connect to the ZooKeeper console:
    /usr/hdp/current/zookeeper-client/bin/zkCli.sh -server <zookeeperServerHostFQDN>:2181
  • Remove or change the permissions for the credentials znode. Use the value of Storm's storm.zookeeper.root property in place of <stormRoot>:
    delete /<stormRoot>/credentials
    or update permissions to available-to-all:
    setAcl /<stormRoot>/credentials world:anyone:cdrwa
After following the steps above, the Storm service check starts to pass.
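
The digest that DigestAuthenticationProvider prints in the first step is the user name followed by the Base64-encoded, unsalted SHA-1 of the user:password string. The following added example (not part of the original release notes or of Ambari) reproduces that construction in Python so the superDigest in a zookeeper-env template can be checked against the intended password; the function names, the UTF-8 encoding choice and the sample values are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

SUPER_DIGEST_FLAG = "-Dzookeeper.DigestAuthenticationProvider.superDigest="


def generate_digest(user: str, password: str) -> str:
    """Return 'user:base64(sha1("user:password"))', ZooKeeper's digest form."""
    # Assumption: UTF-8 input; the Java class uses the platform default charset.
    id_password = f"{user}:{password}".encode("utf-8")
    sha1 = hashlib.sha1(id_password).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def jvm_flags_line(digest: str) -> str:
    """Build the export line that goes into the zookeeper-env template."""
    return f'export SERVER_JVMFLAGS="$SERVER_JVMFLAGS {SUPER_DIGEST_FLAG}{digest}"'


def extract_super_digest(env_template: str):
    """Return the superDigest configured in a template, or None if absent."""
    match = re.search(re.escape(SUPER_DIGEST_FLAG) + r"([^\s\"']+)", env_template)
    return match.group(1) if match else None


def password_matches(user: str, password: str, configured: str) -> bool:
    """Constant-time check that a password produces the configured digest."""
    candidate = generate_digest(user, password).encode("utf-8")
    return hmac.compare_digest(candidate, configured.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample template and passphrase, not values from a real cluster.
    digest = generate_digest("super", "constructed-sample-passphrase")
    template = "export ZOO_LOG_DIR=/var/log/zookeeper\n" + jvm_flags_line(digest) + "\n"
    configured = extract_super_digest(template)
    print("configured superDigest:", configured)
    print("matches:", password_matches("super", "constructed-sample-passphrase", configured))
```

Because the digest is unsalted, anyone who can read the zookeeper-env template can test password guesses offline, so the superuser password should be long and random rather than the sample pair.
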

Apache Jira: N/A
Cloudera Bug ID: BUG-120925
Problem: HBase service check fails after upgrading to Ambari 2.7.5.0.
Solution: Make sure the HDFS service is fully started and then restart the HBase service.

Apache Jira: N/A
Cloudera Bug ID: BUG-105092
Problem: Oozie service check failure on HA cluster during EU
If Ranger HA and/or Oozie Server HA is configured and a custom composite keytab file is being used, service checks for Ranger and Oozie will fail during the HDP 2.6 to HDP 3.0 Upgrade.

Apache Jira: N/A
Cloudera Bug ID: BUG-113993
Problem: On a cluster on which security was enabled in the past, if it is disabled, metrics collector start fails with an error.
Solution: Clear out the data on the znode specified in ams-hbase-site:zookeeper.znode.parent.
  • If AMS is in embedded mode, this can be done by deleting the directory as specified in the ams-hbase-site property 'HBase ZooKeeper Property DataDir'.
  • If AMS is in distributed mode, this can be done by deleting the znode in cluster zookeeper using zkCli.

    Instead of deleting the znode, changing the value of the znode from /ams-hbase-unsecure to something like /ams-hbase-unsecure-new is also OK.

Apache Jira: N/A
Cloudera Bug ID: BUG-121151
Problem: SmartSense service does not start when upgrading from Ambari 2.7.1 (or older) to 2.7.4 on Debian 9 with openssl 1.1.0k installed.
Solution: Disable starting of SmartSense services pre-upgrade. SmartSense services can only be started once upgrade to Ambari 2.7.4.0 is successful.

Apache Jira: N/A
Cloudera Bug ID: BUG-113753
Problem: YARN Application Timeline Server (ATSV2) fails when restarting after making any configuration changes on a viewfs enabled cluster.
Solution: Restart Timeline Service V2.0 Reader if HDFS is restarted.

Apache Jira: N/A
Cloudera Bug ID: BUG-122551
Problem: Submitting the storm-starter-topologies*.jar script might fail because the storm starter script tries to transform the JAR according to the client.jartransformer.class configuration parameter. The starter script does not handle the failure as expected.
Solution: When the transformation fails, the client.jartransformer.class configuration parameter must be changed or set to be empty.

Apache Jira: N/A
Cloudera Bug ID: BUG-122408
Problem: Oozie is found to be down post downgrade after a non-finalized upgrade from HDP-3.0.1.0 to HDP-3.1.5.0. Downgrade completes successfully but Oozie is down post downgrade.
Solution: N/A

Apache Jira: N/A
Cloudera Bug ID: BUG-122579
Problem: Disable HSI and Enable HSI is failing.

Enable HSI on any host using Hive Configs -> Enable Interactive Query. HSI is installed and it starts. Restart services with stale configurations.

Next, disable HSI by toggling the Interactive Query button. Enable HSI on another host.

HSI fails to start.

Solution: Use the following procedure to enable HSI:
  1. su hdfs.
  2. Authenticate with hdfs principal: kinit -k -t /etc/security/keytabs/hdfs.headless.keytab hdfs@EXAMPLE.COM
  3. Delete the Keytab from HDFS: hdfs dfs -rm /user/hive/.yarn/keytabs/hive/hive.service.keytab
  4. Restart Hive.

Apache Jira: N/A
Cloudera Bug ID: BUG-123417
Problem: The no_proxy='.example.com' format (starting with .) does not work and causes <urlopen error Tunnel connection failed: 403 Tunnel Forbidden> error. This error can show up in multiple places of the product in multiple forms, like an alert of Grafana accessibility, or LDAP configuration error at Ambari setup, and so on.
Solution: Set the no_proxy env var accordingly.