Hue Known Issues
High DDL usage in Hue Impala Editor may issue flood of INVALIDATE Calls
Issuing DDL statements using Hue’s Impala editor or invoking Hue’s “Refresh Cache” function in the left-side metadata browser results in Hue issuing INVALIDATE METADATA calls to the Impala service. This call is expensive and can result in a significant system impact, up to and including full system outage, when repeated in sufficient volume. This has been corrected in HUE-8882.
- Hue
- Impala
- Cloudera Enterprise 5
- Cloudera Enterprise 6
- CDH 5.15.1, 5.15.2
- CDH 5.16.x
- CDH 6.1.1
- CDH 6.2.x
- CDH 6.3.0, 6.3.1, 6.3.2, 6.3.3
Users affected: End-users using Impala editor in Hue.
Severity: High
Impact: Users running DDL statements using the Hue Impala editor or invoking Hue’s Refresh Cache function causes INVALIDATE METADATA commands to be sent to Impala. Impala’s metadata invalidation is an expensive operation and could cause impact on the performance of subsequent queries, hence leading to the potential for significant impact on the entire cluster, including the potential for whole-system outage.
- CDH 6.x customers: Upgrade to CDH 6.3.4 that contains the fix.
- CDH 5.x customers: Contact Cloudera Support for further assistance.
Apache Issue: HUE-8882
Knowledge Article: For the latest update on this issue see the corresponding Knowledge article: Cloudera Customer Advisory: High DDL usage in Hue Impala Editor may issue flood of INVALIDATE Calls
Hue Silently Disables StartTLS in LDAP Connections
There are two mechanisms to secure communication to an LDAP server. One is to use an ‘ldaps’ connection, where all traffic is encrypted inside a TLS tunnel - much like ‘https’. The other is to use ‘StartTLS’, where traffic begins unencrypted in the “ldap” protocol and then upgrades itself to a TLS connection.
If StartTLS is enabled in the Hue configuration but the ‘ldap_cert’ parameter is not configured, then Hue silently disables StartTLS.
StartTLS will not be used for synchronization or import, even if StartTLS is enabled and the ‘ldap_cert’ parameter is set.
The result is that connections that the administrator assumes to be secured, using StartTLS, are not actually secure.
CVE: CVE-2019-19146
Date/time of detection: 22nd March, 2019
Detected by: Ben Gooley, Cloudera
Severity (Low/Medium/High): 8.8 High CVSS AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Products affected: CDH
- CDH 5.x
- CDH 6.1.0
- CDH 6.1.1
- CDH 6.2.0
- CDH 6.2.1
- CDH 6.3.0
Users affected: All users who are using StartTLS enabled in the Hue configuration when using LDAP as Authentication Backend to login in Hue.
Impact: Sensitive data exposure.
- Upgrade (recommended): Update to a version of CDH containing the fix.
- Workaround: Use “ldaps” instead of “ldap” and StartTLS.
Addressed in release/refresh/patch: CDH 6.3.1 and above
Knowledge Article: For the latest update on this issue see the corresponding Knowledge article: TSB 2020-371: Hue Silently Disables StartTLS in LDAP Connections
Hue allows unsigned SAML assertions
If Hue receives an unsigned assertion, it continues to process it as valid. This means it is possible for an end-user to forge or remove the signature and manipulate a SAML assertion to gain access without a successful authentication.
Products affected: Hue, CDH
- CDH 5.15.x and earlier
- CDH 5.16.0, 5.16.1
- CDH 6.0.x
- CDH 6.1.x
User affected: All users who are using SAML with Hue.
CVE: CVE-2019-14775
Date/time of detection: January 2019
Detected by: Joel Snape
Severity (Low/Medium/High): High
Impact:
This is a significant security risk as it allows anyone to fake their access validity and therefore access Hue, even if they should not have access. In more detail: if Hue receives an unsigned assertion, it continues to process it as valid. This means it is possible for an end-user to forge or remove the signature and manipulate a SAML assertion to gain access without a successful authentication.
CVE: CVE-2019-14775
- Upgrade (recommended): Upgrade to a version of CDH containing the fix.
- Workaround: None
- CDH 5.16.2
- CDH 6.2.0
Oozie workflows cannot be clicked when opened from Workflows > Editor > Workflows in Hue 3
When you are using Hue 3, you cannot edit an Oozie workflow by clicking it when you navigate to
.Affected Versions: CDH 5.15.x and later CDH 5.x versions
Fixed in Versions: No fix is planned for CDH 6.x as only Hue 4 is available
Cloudera Bug: CDH-70450
Workaround: Switch to Hue 4:
In the Hue user interface, click the Administration menu and select Switch to Hue 4:
Long delay in Impala metadata operations cause a 502 proxy error
A 502 error message appears when an Impala metadata operation, such as an Impala query compilation, takes several minutes. This causes Hue to timeout and throw a 502 error.
Affected Versions: CDH 5.12.x, 5.13.0, 5.13.1
Fixed in Versions: 5.14.0
Cloudera Bug: CDH-57588
- In the Cloudera Manager user interface, locate .
- Using the search box, search for 'Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf'.
- In the resulting text box, insert ProxyTimeout 600 — this allows the Hue Load Balancer 600 seconds until timeout instead of the default 60.
- Save and restart the Hue Load Balancer.
- Export the results to excel again or rerun the Hive query from Hue UI.
Hue operations randomly fail and display a 502 error
Hue operations randomly fail.
Affected Versions: CDH 5.12.x, 5.13.0
Fixed in Versions: 5.14.0
- Find the Hue Load Balancer host by selecting and search for "Hue Load Balancer"
- Navigate to the following directory on the Hue Load Balancer host: /usr/share/cmf/hue/httpd/.
- Edit the httpd.conf file and add the following property after the ProxyPass property: SetEnv proxy-intial-not-pooled 1.
- Inside the <IfDefine Cloudera_HTTPD_USE_SSL> block under the SSLProtocol property line, add the following
properties:
SSLPRoxyProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
Cloudera Bug: CDH-57588
Hue does not start with MySql and Ubuntu 12.04
In Ubuntu 12.04, the pip script file, /usr/lib/python2.7/dist-packages/pkg_resources.py, is unable to resolve required packages.
Affected Versions: All CDH 5 versions.
Cloudera Bug: CDH-54615
Fixed in Versions: No fix is planned. Recommend upgrading from Ubuntu 12.04
- Log on to Cloudera Manager and go to .
- Search for and set Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini:
PYTHONPATH=/opt/cloudera/parcels/CDH/lib/hue/build/env/lib/python2.7/site-packages
- Click Save Changes and restart Hue.
Hue Load Balancer with TLS fails on peer Cloudera Navigator validation
The Hue load balancer may fail with TLS enabled and Apache HTTPD 2.4 or higher.
Affected Versions: CDH 5.11.0 and lower
Cloudera Bug: CDH-51352
- Log on to Cloudera Manager and go to .
- Search for and set Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf:
ProxyPreserveHost Off
- Search for and set Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini:
[desktop] use_x_forwarded_host=true
- Click Save Changes and restart Hue.
HTTPD 2.4 breaks Hue high availability with SSLProxyPeerCN on
In HTTPD 2.2 and earlier versions, SSLProxyPeerCN is off. In HTTPD 2.4, SSLProxyPeerCN is turned on. This breaks Hue high availability and throws a proxy error.
Affected Versions: CDH 5.11.0 only
- Log on to Cloudera Manager and go to .
- Search for Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf.
- Disable proxy peer checks by entering:
SSLProxyCheckPeerCN off SSLProxyCheckPeerName off
- Click Save changes and restart Hue.
Icons Stop Rendering in IE11 Browser with HTTPS
When you use the back button in IE11 with https, some Hue graphics stop rendering. Add a load balancer to resolve.
Affected Versions: All CDH 5.x versions.
Cloudera Bug: CDH-52950
Workaround: Add a Hue Load Balancer:
- Log on to Cloudera Manager and click Hue.
- Select .
- Click Select hosts in the field under Load Balancer.
- Select a host and click OK.
- Check the Load Balancer box and select .
- Click Save Changes and restart Hue.
Hue does not support the Spark App
Hue does not currently support the Spark application.