Known Issues in Ozone
Learn about the known issues in Ozone, the impact or changes to the functionality, and the workaround.
- CDPD-15268:Uploading a key using the S3 Multi-part upload API into an Ozone encryption zone (TDE-enabled bucket) is not currently supported. The key upload will fail with an exception.
- None
- CDPD-15362:When files and directories stored in Ozone are deleted via Hadoop filesystem shell -rm command using o3fs or ofs scheme, they will not be moved to trash even if fs.trash.interval is set to >0 on the client. Instead, they are deleted immediately.
- None
- CDPD-15330:
- A network partitioned Ozone Manager (OM) in an OM HA cluster, if in a leader state before partition and does not step down as leader, can serve stale reads.
- CDPD-15266:When Ozone Manager (OM) HA is enabled, not all older OM Ratis logs are purged. Similarly, for DataNode, old Ratis logs may not be purged. This can lead to older logs consuming the disk space.
- For OM, you must manually delete the OM Ratis logs from the Ratis storage directory location defined by the ozone.om.ratis.storage.dir property. You must only delete the logs older than the already purged logs.
- CDPD-15602: Creating or deleting keys with a trailing forward slash (/) in the name is not supported via the Ozone shell or the S3 REST API. Such keys are internally treated as directories by the Ozone service for compatibility with the Hadoop filesystem interface. This will be supported in a later release of CDP.
- You can create or delete keys via the Hadoop Filesystem interface, either programmatically or via the filesystem Hadoop shell. For example, `ozone fs -rmdir <dir>`.
Technical Service Bulletins
- TSB 2021-523: Multiple CVEs - Ozone security identified and addressed
- The following CVEs have been addressed:
CVE link CVE title Affects versions CVE-2021-36372 Original block tokens are persisted and can be retrieved 7.1.3 until 7.1.6 CVE-2021-39231 Missing authentication/authorization on internal RPC endpoints 7.1.3 until 7.1.6 CVE-2021-39232 Missing admin check for SCM related admin commands 7.1.3 until 7.1.5 CVE-2021-39233 Container-related datanode operations can be called without authorization 7.1.3 until 7.1.6 CVE-2021-39234 Raw block data can be read bypassing ACL/authorization 7.1.3 until 7.1.6 CVE-2021-39235 Access mode of block tokens are not enforced 7.1.3 until 7.1.5 CVE-2021-39236 Owners of the S3 tokens are not validated 7.1.3 until 7.1.5 CVE-2021-41532 Unauthenticated access to Ozone Recon HTTP endpoints 7.1.3 until 7.1.7 - Knowledge article
- For the latest update on this issue see the corresponding Knowledge article: TSB 2021-523: Multiple CVEs - Ozone security identified and addressed