Known Issues in Ozone

Learn about the known issues in Ozone, the impact or changes to the functionality, and the workaround.

CDPD-15268:
Uploading a key using the S3 Multi-part upload API into an Ozone encryption zone (TDE-enabled bucket) is not currently supported. The key upload will fail with an exception.
Workaround: None.
CDPD-15602:
Creating or deleting keys with a trailing forward slash (/) in the name is not supported via the Ozone shell or the S3 REST API. Such keys are internally treated as directories by the Ozone service for compatibility with the Hadoop filesystem interface. This will be supported in a later release of CDP.
You can create or delete keys via the Hadoop Filesystem interface, either programmatically or via the Hadoop filesystem shell. For example, ozone fs -rmdir <dir>.
CDPD-21837:
Adding new Ozone Manager (OM) role instances to an existing cluster will cause the cluster to behave erratically. It can possibly cause split-brain between the Ozone Managers or crash them.
Adding new OM roles to an existing cluster is currently not supported and there is no workaround.
OPSAPS-59647:
Ozone has an optional role that deploys a pre-configured Prometheus instance. The default port of this Prometheus instance, 9090, conflicts with the HBase Thrift Server's port, so one of the components will fail to start if both are on the same host.

The Prometheus port is a directly editable field in the CM UI, named 'ozone.prometheus.http-port'. Change it to a non-conflicting port.

CDPD-24321:
On a secure cluster with Kerberos enabled, the Recon dashboard shows a value of zero for volumes, buckets, and keys.
  • Enable Kerberos authentication for HTTP web consoles, if not already enabled, by configuring the ozone.security.http.kerberos.enabled property on Cloudera Manager.
  • Add om/_HOST@REALM,recon/_HOST@REALM to ozone.administrators as an advanced configuration snippet by configuring the Ozone Service Advanced Configuration Snippet (Safety Valve) for ozone-conf/ozone-site.xml property on Cloudera Manager.

Technical Service Bulletins

TSB 2021-523: Multiple CVEs - Ozone security identified and addressed
The following CVEs have been addressed:
CVE | CVE title | Affected versions
CVE-2021-36372 | Original block tokens are persisted and can be retrieved | 7.1.3 until 7.1.6
CVE-2021-39231 | Missing authentication/authorization on internal RPC endpoints | 7.1.3 until 7.1.6
CVE-2021-39232 | Missing admin check for SCM related admin commands | 7.1.3 until 7.1.5
CVE-2021-39233 | Container-related datanode operations can be called without authorization | 7.1.3 until 7.1.6
CVE-2021-39234 | Raw block data can be read bypassing ACL/authorization | 7.1.3 until 7.1.6
CVE-2021-39235 | Access mode of block tokens are not enforced | 7.1.3 until 7.1.5
CVE-2021-39236 | Owners of the S3 tokens are not validated | 7.1.3 until 7.1.5
CVE-2021-41532 | Unauthenticated access to Ozone Recon HTTP endpoints | 7.1.3 until 7.1.7
Knowledge article
For the latest update on this issue see the corresponding Knowledge article: TSB 2021-523: Multiple CVEs - Ozone security identified and addressed