Fixed Issues in Apache Impala

Review the list of Impala issues that are resolved in Cloudera Runtime 7.1.7.

CDPD-24305: Table modifications (insert/delete/update) should be blocked when any row-filter or column-masking policy on the table is enabled for the user. Previously, Impala did not block these modifications, which was a bug given Hive's behavior. This is fixed in this release to make the behavior consistent with Hive's.
This issue is resolved.
DOCS-7881: Add HAProxy Examples for SSL Impala:
HAProxy versions prior to 2.1 need a reload or restart when the certificate is changed.
The created cm-auto-host_cert_chain_unenckey.pem should be owned by the haproxy user with 600 or 400 permissions.
The cm-auto-host_unenckey.pem could be removed.
This issue is resolved.
CDPD-19304: The fix upgraded slf4j to 1.7.30 for Impala and it was merged into 7.2.8.x branch and CDH-7.1-maint branch.
This issue is resolved.
CDPD-20456: The fix upgraded jackson to 2.10.5.1 for Impala and it was merged into 7.2.8.x branch and CDH-7.1-maint branch.
This issue is resolved.
CDPD-23692: Fixed a bug that caused catalogd to enter an infinite loop when the underlying directories of a table/partition are absent in the filesystem.
The bug only exists on cloud filesystems like S3 and ABFS. This issue is resolved.
CDPD-25435: Kudu supports custom Kerberos principals on the server side, and custom SASL protocol (service) names on the client side must match the SPN base.
This fix adds a configurable flag, kudu_sasl_protocol_name, to Impala so that Impala users can set it and connect to a Kudu cluster with non-default SPNs. This issue is resolved.
CDPD-10444: Update the version of Atlas used by Impala
Resolves the inconsistency between the versions of jackson-databind used by Atlas and Impala so that you no longer see the exception NoClassDefFoundError after the call to QueryEventHookManager#executeQueryCompleteHooks() in Impala.
CDPD-14548 and CDPD-13701: IMPALA-10060: Update PostgreSQL JDBC Driver (pgjdbc) for Impala (CVE-2020-13692).
Upgrades the PostgreSQL JDBC Driver (pgjdbc) library. The previous version, 42.2.5, was affected by vulnerability CVE-2020-13692. It is upgraded to version 42.2.14. This issue is now resolved.
IMPALA-77: Impala does not properly handle HDFS viewfs mounts (federated cluster) - Queries fail with "wrong filesystem" error
This issue is fixed in 1.0 by improving the error message.
CDPD-17612: Impala must change default to default_transaction_type=none
This fix retains legacy behavior for Impala by setting "default_transactional_type=none" when a cluster is upgraded. This issue is now resolved.
TSB 2021-502: Impala logs the session / operation secret on most RPCs at INFO level

Impala logs contain the session / operation secret. With this information a person who has access to the Impala logs might be able to hijack other users' sessions. This means the attacker is able to execute statements for which they do not have the necessary privileges otherwise. Impala deployments where Apache Sentry or Apache Ranger authorization is enabled may be vulnerable to privilege escalation. Impala deployments where audit logging is enabled may be vulnerable to incorrect audit logging.

Restricting access to the Impala logs that expose secrets will reduce the risk of an attack. Additionally, restricting access to trusted users for the Impala deployment will also reduce the risk of an attack. Log redaction techniques can be used to redact secrets from the logs. For more information, see the Cloudera Manager documentation.

For log redaction, users can create a rule with a search pattern:
secret \(string\) [=:].*
And the replacement could be for example:
secret=LOG-REDACTED
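The redaction rule above, exercised on sample log lines (an added example, not Cloudera's or Impala's code). The log lines and secret values are constructed, and Python's re module is assumed to treat this pattern the same way as the redaction engine; the last sample line is a hypothetical formatting variant included to show what the rule does not cover.

```python
import re

# Search pattern and replacement exactly as quoted in the TSB text above.
SEARCH = re.compile(r"secret \(string\) [=:].*")
REPLACE = "secret=LOG-REDACTED"

# Constructed sample lines shaped like Thrift debug output; all values are made up.
SAMPLE_LOG = [
    'I0401 10:00:01 hs2] FetchResults(): request=TFetchResultsReq { '
    '01: guid (string) = "guid-A", 02: secret (string) = "SECRET-A", }, '
    '03: maxRows (i64) = 1024, }',
    'I0401 10:00:02 hs2] CloseSession(): 02: secret (string) = "SECRET-B", }',
    'I0401 10:00:03 hs2] Query finished, 42 rows returned',
    # Hypothetical variant: the spacing differs from what the rule expects.
    'I0401 10:00:04 hs2] secret(string)="SECRET-C"',
]
KNOWN_SECRETS = ["SECRET-A", "SECRET-B", "SECRET-C"]


def redact(line):
    """Apply the search/replace rule to one log line."""
    return SEARCH.sub(REPLACE, line)


def exposed_lines(lines):
    """1-based numbers of lines the rule matches, i.e. lines exposing a secret."""
    return [n for n, line in enumerate(lines, 1) if SEARCH.search(line)]


def leaked_after_redaction(lines, secrets):
    """Secrets still readable after redaction: gaps in the rule's coverage."""
    redacted = "\n".join(redact(line) for line in lines)
    return [s for s in secrets if s in redacted]


if __name__ == "__main__":
    print("lines exposing a secret:", exposed_lines(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    print("not covered by the rule:",
          leaked_after_redaction(SAMPLE_LOG, KNOWN_SECRETS))
```

Because the pattern ends in `.*`, everything after the secret on the same line is redacted too, so fields logged after it (maxRows in the first sample line) are lost from the redacted log.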

This vulnerability is fixed upstream under IMPALA-10600.

Severity
7.5 (High) CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Releases affected
  • CDP Private Cloud Base 7.0.3, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5 and 7.1.6
  • CDP Public Cloud 7.0.0, 7.0.1, 7.0.2, 7.1.0, 7.2.0, 7.2.1, 7.2.2, 7.2.6, 7.2.7, and 7.2.8
  • All CDH 6.3.4 and lower releases

Impact
Unauthorized access
Users affected
Impala users of the affected releases
Action required

Upgrade to a CDP Private Cloud Base or CDP Public Cloud version containing the fix.

Addressed in patch/release/hotfix
  • CDP Private Cloud Base 7.1.7
  • CDP Public Cloud 7.2.9 or higher versions

Knowledge article

For the latest update on this issue see the corresponding Knowledge article: TSB 2021-502: Impala logs the session / operation secret on most RPCs at INFO level

Apache Patch Information

  • IMPALA-10678
  • IMPALA-10600
  • IMPALA-10579