Known Issues in Cloudera Manager 7.2.0
Learn about the known issues in Cloudera Manager 7.2.0, the impact or changes to the functionality, and the workaround.
- OPSAPS-65189: Accessing Cloudera Manager through Knox displays the following error
Bad Message 431 reason: Request Header Fields Too Large
Workaround: Modify the Cloudera Manager Server configuration /etc/default/cloudera-scm-server file to increase the header size from 8 KB, which is the default value, to 65 KB in the Java options as shown below:export CMF_JAVA_OPTS="...existing options... -Dcom.cloudera.server.cmf.WebServerImpl.HTTP_HEADER_SIZE_BYTES=65536 -Dcom.cloudera.server.cmf.WebServerImpl.HTTPS_HEADER_SIZE_BYTES=65536"
Technical Service Bulletins (TSB)
- TSB 2021-481: Lineage is not extracted with Cloudera Manager 7.2.x and 7.3.1 managing CDH6 or CDH5
- Cloudera Manager - Upgrade to Guava 28.1 to avoid CVE-2018-10237 triggered a Guava method version mismatch causing an exception in Navigator Metadata Server. As a result no new lineage and metadata is extracted with Cloudera Manager 7.2.4 and later with CDH6 and CDH5.
- Impact
- Lineage and metadata are no longer updated in Cloudera Navigator after upgrading to Cloudera Manager 7.2.x or Cloudera Manager 7.3.1 when managing CDH5 or CDH6.
- Action required
- Upgrade to the patched release of CM 7.3.1 available as PATCH-4822, or to an upcoming version later than 7.3.1. After upgrade, existing entities will have metadata extracted when extraction resumes and no lineage will be permanently lost.
- Knowledge article
- For the latest update on this issue see the corresponding Knowledge article:
- TSB 2022-507 Certificate expiry issue in CDP
- The Transport Layer Security (TLS) keystore needs to be manually rotated due to an issue with certificate rotation.
- Impact
- The clusters could experience downtime.
- Action required
-
- Workaround if the certificates have not yet expired:
- Back up the existing host keystore from the
directory based on the hostname of the CM server.
Example:
cp -R /etc/cloudera-scm-server/certs/hosts-key-store/example-datalake-1-master0/ /etc/cloudera-scm-server/certs/hosts-key-store/example-datalake-1-master0.backup
-
Copy the keystore from a directory based on the FQDN of the CM server. Example:
cp -Rf /etc/cloudera-scm-server/certs/hosts-key-store/example-datalake-1-master0.domain.site/* /etc/cloudera-scm-server/certs/hosts-key-store/example-datalake-1-master0/
-
Restart the CM server
-
Confirm that OpenSSL now shows a certificate with the expected expiration time. Example:
openssl s_client -connect $(grep "server_host" /etc/cloudera-scm-agent/config.ini | sed s/server_host=//):7182 </dev/null | openssl x509 -text -noout
- Repeat these steps after each host certificate rotation.
- Back up the existing host keystore from the
directory based on the hostname of the CM server.
Example:
- Workaround if the certificates have already expired:
- You must run commands on each host with expired certificates to regenerate new ones.
-
For each affected host (including the Cloudera Manager server host if necessary), let “
<host_FQDN>
” be the fully-qualified domain name of that host:- Run the following command on the Cloudera
Manager server host as
root:
/opt/cloudera/cm-agent/bin/certmanager --location /etc/cloudera-scm-server/certs gen_node_cert --rotate --output=/tmp/<host_FQDN>.tar <host_FQDN>
- Copy
/tmp/<host_FQDN>.tar
to the affected host. - Run the following commands on the
affected host as root:
-
/opt/cloudera/cm-agent/bin/cm install_certs /tmp/<host_FQDN>.tar
-
chmod 755 /var/lib/cloudera-scm-agent/agent-cert/
-
- Run the following command on the Cloudera
Manager server host as
root:
- Restart Cloudera Manager by running the
following command on the Cloudera Manager server host
as
root:
service cloudera-scm-server restart
- Restart the Knox service by running the following commands
on the Cloudera Manager server host as any user,
replacing “
UpdateWithYourUser
” and “UpdateWithYourClusterName
” with the workload user and cluster name, respectively:-
WORKLOAD_USER="UpdateWithYourUser"
-
CM_SERVER="http://$(hostname -f):7180"
-
CM_API_VERSION=$(curl -s -L -k -u ${WORKLOAD_USER} -X GET "${CM_SERVER}/api/version") && echo ${CM_API_VERSION}
-
CM_CLUSTER_NAME=<UpdateWithYourCusterName>
-
KNOX_SERVICE_NAME=$(curl -s -L -k -u ${WORKLOAD_USER} -X GET "${CM_SERVER}/api/${CM_API_VERSION}/clusters/${CM_CLUSTER_NAME}/services/" | awk -F "[ |:|,]" '/name.*knox/ {print $(NF - 1 )}' | sed 's|"||g') && echo ${KNOX_SERVICE_NAME}
-
curl -s -L -k -u ${WORKLOAD_USER} -X POST "${CM_SERVER}/api/${CM_API_VERSION}/clusters/${CM_CLUSTER_NAME}/services/${KNOX_SERVICE_NAME}/commands/restart"
-
- Follow the steps in the above section: “Workaround if the certificates have not yet expired”
- Workaround if the certificates have not yet expired:
- Knowledge article
- For the latest update on this issue, please see the corresponding Knowledge article: TSB 2022-507: Certificate expiry issue in CDP
- TSB 2021-488: Cloudera Manager is vulnerable to Cross-Site-Scripting attack
- Cloudera Manager may be vulnerable to Cross-Site-Scripting vulnerabilities identified by CVE-2021-29243 and CVE-2021-32482. A remote attacker can exploit this vulnerability and execute malicious code in the affected application.
- CVE
-
- CVE-2021-29243
- CVE-2021-32482
- Impact
- This is an XSS issue. An administrator could be tricked to click on a link that may expose certain information such as session cookies.
- Action required
-
-
- Upgrade (recommended)
- Upgrade to a version containing the fix.
-
- Workaround
- None
-
- Knowledge article
- For the latest update on this issue see the corresponding Knowledge article: