Description of Problem: In gateway-site.xml, changing the value of gateway.path to something other than the default 'gateway' is causing errors for some requests, such as trying to access the admin API to get the deployed topologies.

Workaround: Use the default setting (gateway.path=gateway).

Description of Problem: The disk health checker in the NodeManager cannot detect disks with bad sectors. This can lead to situations where application data writes may fail or applications may write data that cannot be read later on. Ultimately, the result is failing and/or slow containers.

Workaround: Use a third party disk monitoring tool that can detect bad disks such as smartctl. Once detected, remove and replace the disk.

Description of Problem: Location of temporary table for CREATE TABLE SELECT broken by HIVE-7079.

Workaround: Currently, there is no workaround available.

Description of Problem: YARN cannot renew/cancel KMS delegation token for jobs because token renewer class for KMS is missing. Without it, YARN defaults to TrivialRenewer for KMS delegation token, resulting in the token not being renewed.

Associated error message: java.io.IOException: Failed to renew token: Kind: kms-dt

Workaround: Rerun job with a new KMS delegation token using addDelegationToken.

HADOOP-11711, ​HADOOP-12158

Description of Problem: You can configure the desired crypto codec implementation class for a given codec through a property such as hadoop.security.crypto.codec.classes.aes.ctr.nopadding in core-site.xml. However, when this property is not configured in core-site.xml, the default value configured in core-default.xml does not get loaded and used without the fix provided by HADOOP-11711.

Associated Error: Deployments will fail to resolve any codecs even when a default value is configured in core-default.xml.

Workaround: Ensure desired codec class is configured in core-site.xml. For example, configure hadoop.security.crypto.codec.classes.<aes.ctr.nopadding> in the following way:

<property>
  <name>hadoop.security.crypto.codec.classes.aes.ctr.nopadding</name>
  <value>org.apache.hadoop.crypto.OpensslAesCtrCryptoCodec, org.apache.hadoop.crypto.JceAesCtrCryptoCodec</value>
  <description>
    Comma-separated list of crypto codec implementations for AES/CTR/NoPadding. 
    The first implementation will be used if available, others are fallbacks.
  </description>
</property>

Description of Problem: CTAS with UNION ALL puts the wrong stats in Tez.

Workaround: Currently, there is no workaround available.

Component Affected: HDFS log

Description of Problem: When the log level is set to INFO, unnecessary DEBUG log messages are generated in namenode and, as a result, namenode performance is degraded.

Workaround: A workaround is to set log level to higher than INFO, such as WARN, so that the unnecessary DEBUG messages will not be generated. As a side effect, this workaround will prevent INFO log messages from printing to the log.

The bug is soon to be addressed by HDFS-9618, which is a very simple log message fix that changes the log level check from INFO to DEBUG since the log message is printed in DEBUG.

Component Affected: HiveMetastore

Description of Problem: In releases prior to HDP 2.5, Hive metastore has limited scalability when ACID is enabled. This is manifested by messages in the metastore log indicating repeated deadlocks in the RDBMS backing the metastore. Eventually the retry limit is exceeded and the metastore operation fails.

Workaround: The only way to mitigate this is to reduce the number of operations against the metastore by making transactions larger.

Description of Problem: Expected results of some queries mismatch with actual result.

Workaround: Ensure that hive.convert.join.bucket.mapjoin.tez is set to false:

set hive.convert.join.bucket.mapjoin.tez = false

Description of Problem: When Hive warehouse permission is set to 750, users jobs, that do not have permission to the default database fails with TOK_TMP_FILE error.

Workaround: Currently, there is no available workaround. However, this issue is addressed in HDP 2.5.0 and will be addressed in the next HDP 2.4 release.

Impact of LDAP Channel Binding and LDAP signing changes in Microsoft Active Directory

Microsoft has introduced changes in LDAP Signing and LDAP Channel Binding to increase the security for communications between LDAP clients and Active Directory domain controllers. These optional changes will have an impact on how 3rd party products integrate with Active Directory using the LDAP protocol.

Workaround

Disable LDAP Signing and LDAP Channel Binding features in Microsoft Active Directory if they are enabled

For more information on this issue, see the corresponding Knowledge article: TSB-2021 405: Impact of LDAP Channel Binding and LDAP signing changes in Microsoft Active Directory

CVE-2020-9492 Hadoop filesystem bindings (ie: webhdfs) allows credential stealing

WebHDFS clients might send SPNEGO authorization header to remote URL without proper verification. A maliciously crafted request can trigger services to send server credentials to a webhdfs path (ie: webhdfs://…) for capturing the service principal

For more information on this issue, see the corresponding Knowledge article: TSB-2021 406: CVE-2020-9492 Hadoop filesystem bindings (ie: webhdfs) allows credential stealing

KMS Load Balancing Provider Fails to invalidate Cache on Key Delete

For more information on this issue, see the corresponding Knowledge article: TSB 2020-434: KMS Load Balancing Provider Fails to invalidate Cache on Key Delete

Corruption of HBase data stored with MOB feature

For more information on this issue, see the corresponding Knowledge article: TSB 2021-465: Corruption of HBase data stored with MOB feature on upgrade from CDH 5 and HDP 2

CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler

The Apache Solr ReplicationHandler (normally registered at "/replication" under a Solr core) has a "masterUrl" (also "leaderUrl" alias) parameter. The “masterUrl” parameter is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To help prevent the CVE-2021-27905 SSRF vulnerability, Solr should check these parameters against a similar configuration used for the "shards" parameter.

For more information on this issue, see the corresponding Knowledge article: TSB 2021-497: CVE-2021-27905: Apache Solr SSRF vulnerability with the Replication handler

HBase MOB data loss

HBase tables with the MOB feature enabled may encounter problems which result in data loss.

For more information on this issue, see the corresponding Knowledge article: TSB 2021-512: HBase MOB data loss