Fixed Issues in Cloudera Manager 6.0.0
The following sections describe the issues fixed in the Cloudera Manager 6.0.0 release:
- Open Redirect and XSS in Cloudera Manager
- Hard Restart of Cloudera Manager Agents May Cause Subsequent Service Errors
- Logging issue slows down Backup and Disaster Recovery Hive and HDFS Replication jobs
- Cloudera Manager upgrade workflow incorrectly requires deploying some optional management roles
- Microsoft Azure Credentials in Log Files
- Non-production installation of Cloudera Manager on SLES 12 does not work
- Impala and Kudu logs missing from diagnostic bundle
- Services die due to HDFS taking too long to start
- Instances and Hosts page refresh when a command dialog is closed
- Spark cross-realm authentication fails
- Error "Mismatched input PATTERN expecting EOF" on the detailUsage page for the Resource Manager
- Upgrading a license finishes on the wrong page
- Open Redirect in Cloudera Manager Add Service
- Kafka broker and MirrorMaker should only listen on the loopback interface for JMX connections
- Remove the IMPALA_ASSIGNMENT_LOCALITY Impala check
- Inconsistent handling of case sensitivity for cluster names in URLs
- HBase Indexer can possibly emit sentry client configs even if sentry isn't directly configured
- GenerateHostCerts command doesn't use passphrase for SSH key auth
- dfs.client.block.write.replace-datanode-on-failure.enable property
- API names
- Cloudera Manager fails to enable Kerberos if TLS is configured
- Cloudera Manager Agent install or upgrade hangs
- CDH did not install Kudu when using packages
- "create" option in nestedUserQueue allocation rule is added to the wrong part of the allocation rules in the fair scheduler configuration
- Display steady fairshare that correspond to weight in YARN Dynamic Resource Pool Configuration
- [oozie] Emit correct port in load balancer urls
- Yarn NodeManager stale due to missing CGroups
- Upgraded Jetty version
- Impala Dynamic Resource Pools wrongly gives everyone access to root pool (and all child pools)
- YARN Dynamic Resource Pools wrongly gives everyone access to root pool (and all child pools)
Open Redirect and XSS in Cloudera Manager
Technical Service Bulletin 2018-321 (TSB)
Products affected: Cloudera Manager
- 5.15.0 and all earlier releases
Users affected: The following Cloudera Manager roles: “cluster administrator”, “full administrators”, and “configurators”.
Date/time of detection: June 20, 2018
Detected by: Mohit Rawat & Ekta Mittal
Severity (Low/Medium/High): 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Impact: Open redirects can silently redirect a victim to an attacker’s site. XSS vulnerabilities can be used to steal credentials or to perform arbitrary actions as the targeted user.
Immediate action required: Upgrade to Cloudera Manager 5.15.1 or higher
Addressed in release/refresh/patch:
- Cloudera Manager 5.15.1 and higher
- Cloudera Manager 6.0.0
Hard Restart of Cloudera Manager Agents May Cause Subsequent Service Errors
If a “hard restart” or “hard stop” operation is performed on a Cloudera Manager Agent, the restarted agent will erroneously restart roles that existed prior to the restart and, subsequently, 60 days later, these roles may experience errors or be killed.
Affected Versions: All versions of Cloudera Manager 5.x
Cloudera Issue: OPSAPS-43550, TSB-308
Knowledge base: For the latest update on this issue, see the corresponding Knowledge article: TSB 2018-308: Hard Restart of Cloudera Manager Agents May Cause Subsequent Service Errors
Logging issue slows down Backup and Disaster Recovery Hive and HDFS Replication jobs
Fixed the issue described in TSB-289. For more information, see the TSB.
Cloudera Issue: OPSAPS-44160
Cloudera Manager upgrade workflow incorrectly requires deploying some optional management roles
Fixed the issue described in TSB-290 where you could not proceed through the upgrade process without adding certain optional management roles. For more information, see TSB-290.
Cloudera Issue: OPSAPS-44629
Microsoft Azure Credentials in Log Files
Fixed an issue where Microsoft Azure credentials might appear in Hive audit logs.
Cloudera Issue: CDH-56241
Non-production installation of Cloudera Manager on SLES 12 does not work
Fixed an issue where the non-production installation of Cloudera Manager did not work on SLES 12.
Impala and Kudu logs missing from diagnostic bundle
Fixed an issue where Impala and Kudu logs were missing from the diagnostic bundle if their log directories have broken symlinks.
Cloudera Issue: OPSAPS-41194
Services die due to HDFS taking too long to start
Fixed an issue where HDFS takes a long time to come up after a restart, causing some dependent services to fail to start.
Cloudera Issue: CDH-54889
Instances and Hosts page refresh when a command dialog is closed
Fixed an issue where the Instances and All Hosts pages reload when a command finishes.
Cloudera Issue: OPSAPS-45761
Spark cross-realm authentication fails
Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.
Cloudera Issue: OPSAPS-46103
Error "Mismatched input PATTERN expecting EOF" on the detailUsage page for the Resource Manager
Fixed the issue where a user sees an error message about Mismatched input PATTERN.
Cloudera Issue: OPSAPS-42437
Upgrading a license finishes on the wrong page
The Enable Trial workflow previously ended up on the upgrade page. Now it goes to the Home page upon completion.
Cloudera Issue: OPSAPS-45444
Open Redirect in Cloudera Manager Add Service
Fixed an issue where Cloudera Manager redirected to arbitrary URLs upon the completion of a workflow. Cloudera Manager now limits the redirect to paths on the same host/port.
Cloudera Issue: OPSAPS-46681
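The same-host/port restriction described above can be expressed as a small validator. This is an added example, not Cloudera Manager's code: the function name `safe_return_path`, the fallback of `/`, and the `cm.example.com:7183` origin are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(parts):
    """(scheme, host, port) with the scheme's default port filled in."""
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def safe_return_path(candidate, server_base, fallback="/"):
    """Reduce a user-supplied post-workflow URL to a path on server_base, else fallback."""
    # Whitespace, control characters and backslashes are read differently by
    # browsers and by URL libraries, so refuse them outright.
    if not candidate or any(ord(c) <= 0x20 or c == "\\" for c in candidate):
        return fallback
    try:
        target = urlsplit(candidate)
        if target.scheme or target.netloc:
            # Absolute or scheme-relative ("//host/..."): origin must match exactly.
            if target.scheme.lower() not in DEFAULT_PORTS:
                return fallback
            if _origin(target) != _origin(urlsplit(server_base)):
                return fallback
    except ValueError:  # malformed port or bracketed host
        return fallback
    path = target.path
    if not path.startswith("/") or path.startswith("//"):
        return fallback
    # Rebuild from parsed parts so only a path and query reach the Location header.
    return path + ("?" + target.query if target.query else "")


# Constructed sample values; BASE stands in for the server's own origin.
BASE = "https://cm.example.com:7183"
SAMPLES = [
    "/cmf/home",
    "https://cm.example.com:7183/cmf/home?tab=status",
    "//other.example/cmf/home",
    "https://cm.example.com:7183@other.example/",
    "https://cm.example.com/cmf/home",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:55} -> {safe_return_path(sample, BASE)!r}")
```

Returning the rebuilt path rather than the original string means a value that passes the check cannot carry a host component into the redirect.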
Kafka broker and MirrorMaker should only listen on the loopback interface for JMX connections
Kafka broker and MirrorMaker processes now listen on only the loopback interface for JMX connections. The fix causes Kafka brokers and MirrorMaker to be marked as stale after upgrading to Cloudera Manager 6.0.0 or later.
Perform a rolling restart of Kafka brokers and MirrorMaker.
Cloudera Issue: OPSAPS-46633
Remove the IMPALA_ASSIGNMENT_LOCALITY Impala check
This check was removed.
Cloudera Issue: OPSAPS-46807
Inconsistent handling of case sensitivity for cluster names in URLs
Fixed an issue where case sensitivity was not handled consistently with the API, mainly related to the cluster name. For example, the endpoints "/api/v6/clusters/cluster 1/services" and "/api/v6/clusters/Cluster 1/services" are equivalent.
Cloudera Issue: OPSAPS-43691
HBase Indexer can possibly emit sentry client configs even if sentry isn't directly configured
On a KeyValue Store Indexer service, Sentry was enabled if the Solr dependency was using Sentry, even if the KeyValue Store Indexer was set to none in its Sentry dependency configuration. This is now corrected for CDH 5.14 or higher clusters.
After upgrading Cloudera Manager, clusters on CDH 5.14 or higher will be marked as stale if you have Sentry enabled for Solr but not enabled for KeyValue Store Indexer. If you are affected by this issue, restart the stale services to apply the fix.
Cloudera Issue: OPSAPS-43695
GenerateHostCerts command doesn't use passphrase for SSH key auth
When using the generateHostCerts command API, the password field was being used instead of the passphrase field for SSH keypair-based authentication. This is now fixed so that the userName and password fields are used for username/password authentication, and the privateKey and passphrase fields are used for keypair-based authentication.
Cloudera Issue: OPSAPS-45514
dfs.client.block.write.replace-datanode-on-failure.enable property
HBase will respect HDFS settings for dfs.client.block.write.replace-datanode-on-failure.
Cloudera Issue: OPSAPS-36611
API names
- hiverserver2_load_balancer has been changed to hiveserver2_load_balancer
- hbase_client_java_opts has been changed to hdfs_client_java_opts
- hbase_active_master_detecton_window has been changed to hbase_active_master_detection_window
- hdfs_active_namenode_detecton_window has been changed to hdfs_active_namenode_detection_window
- mapreduce_active_jobtracker_detecton_window has been changed to mapreduce_active_jobtracker_detection_window
- yarn_active_resourcemanager_detecton_window has been changed to yarn_active_resourcemanager_detection_window
The hiverserver2_load_balancer change affects Hive services when HiveServer 2 is configured for High Availability.
The hdfs_client_java_opts parameter configures the Client Java Configuration Options, found under the HDFS Gateway role configuration.
The other parameters tune the behavior of health test checking for the HBase Master, HDFS NameNode, MapReduce JobTracker, and YARN ResourceManager respectively.
Any API scripts or cluster templates referencing the old names will need to be updated to use the new names.
Cloudera Issue: OPSAPS-33266, OPSAPS-39223, and OPSAPS-24569
Cloudera Manager fails to enable Kerberos if TLS is configured
Fixed an issue where the wizard for Kerberos fails if TLS is enabled. When enabling Kerberos on a cluster running TLS, the system cannot use the privileged ports (<1024). Instead, the wizard will prompt the user to use the appropriate port values.
Cloudera Issue: OPSAPS-33345
Cloudera Manager Agent install or upgrade hangs
During Cloudera Manager agent installs or upgrades, Cloudera Manager accesses both Cloudera and non-Cloudera repositories. Fixed an issue where the installation or upgrade could hang due to a misconfigured or problematic third party repository.
Cloudera Issue: OPSAPS-45576
CDH did not install Kudu when using packages
Fixed an issue where Cloudera Manager did not install Kudu packages when CDH was installed using packages instead of parcels.
Cloudera Issue: OPSAPS-45692
"create" option in nestedUserQueue allocation rule is added to the wrong part of the allocation rules in the fair scheduler configuration
- root.[pool name].username
Cloudera Issue: OPSAPS-42803
Display steady fairshare that correspond to weight in YARN Dynamic Resource Pool Configuration
Two columns are added to the Dynamic Resources Pool Configuration 'Resource Pool' table - Fair Share Cpu and Memory. These display the resources allocated to each pool, based on the % of resources allocated via their fair share weights. If min resources are specified for pools, the fair share values will not accurately reflect resource allocation. These values are displayed only for pools that do not have any sub-pools.
Cloudera Issue: OPSAPS-45188
[oozie] Emit correct port in load balancer urls
The 'oozie_load_balancer' CM configuration parameter has been changed. Previously it was specified in '<hostname>:<port>' format. In CM 5.15 and later the format is simply '<hostname>'. Because this format change is incompatible, any client reading this value via the API should also read the load balancer port configuration parameters ('oozie_load_balancer_http_port' and 'oozie_load_balancer_https_port') as necessary; the correct port parameter to use depends on whether SSL is enabled (the value of 'oozie_use_ssl').
Cloudera Issue: OPSAPS-43846
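A client that has to work against both formats can resolve the endpoint as follows. This is an added example, not Cloudera code: the function name `oozie_lb_endpoint`, the plain dict of configuration name to value, and the sample host and port values are assumptions; only the four parameter names come from the note above.

```python
def oozie_lb_endpoint(cfg):
    """Build scheme://host:port for the Oozie load balancer from service config values.

    cfg maps configuration names to values as strings (assumed shape of what
    the client has already fetched from the API).
    """
    raw = (cfg.get("oozie_load_balancer") or "").strip()
    if not raw:
        raise ValueError("oozie_load_balancer is not set")

    # The SSL flag decides both the scheme and which port parameter applies.
    use_ssl = str(cfg.get("oozie_use_ssl", "false")).strip().lower() == "true"
    scheme = "https" if use_ssl else "http"

    host, sep, tail = raw.rpartition(":")
    if sep and host and tail.isdigit():
        # Old '<hostname>:<port>' format: the port travels with the value.
        return f"{scheme}://{host}:{int(tail)}"

    # New '<hostname>' format: the port lives in a separate parameter.
    port_key = "oozie_load_balancer_https_port" if use_ssl else "oozie_load_balancer_http_port"
    port = str(cfg.get(port_key) or "").strip()
    if not port.isdigit():
        raise ValueError(f"{port_key} is required when oozie_load_balancer has no port")
    return f"{scheme}://{raw}:{int(port)}"


# Constructed sample configurations (host names and port numbers are illustrative).
OLD_FORMAT = {"oozie_load_balancer": "oozie-lb.example.com:11000", "oozie_use_ssl": "false"}
NEW_FORMAT_TLS = {
    "oozie_load_balancer": "oozie-lb.example.com",
    "oozie_use_ssl": "true",
    "oozie_load_balancer_http_port": "11000",
    "oozie_load_balancer_https_port": "11443",
}

if __name__ == "__main__":
    print(oozie_lb_endpoint(OLD_FORMAT))
    print(oozie_lb_endpoint(NEW_FORMAT_TLS))
```

Failing loudly when the port parameter is missing keeps a client from silently falling back to a plaintext port after SSL has been enabled.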
Yarn NodeManager stale due to missing CGroups
Fixed an issue when using YARN with CGroups. The YARN NodeManager may show as being stale due to System Resources even when it is not. The diff will show named-cpu as having changed even when it was not modified.
Cloudera Issue: OPSAPS-43973
Upgraded Jetty version
Jetty updated to version 9.4.6.v20170531 to fix CVE-2017-9735.
Cloudera Issue: OPSAPS-42317
Impala Dynamic Resource Pools wrongly gives everyone access to root pool (and all child pools)
Fixed an issue where all users had access to all Impala resource pools if no users or groups were specified in the root pool. Now, no users get access to a pool if no users or groups are specified.
Cloudera Issue: OPSAPS-45046
YARN Dynamic Resource Pools wrongly gives everyone access to root pool (and all child pools)
Fixed an issue where all users had access to all YARN resource pools if no users or groups were specified in the root pool. Now, no users get access to a pool if no users or groups are specified.
Cloudera Issue: OPSAPS-44949