Hue Known Issues

High DDL usage in Hue Impala Editor may issue flood of INVALIDATE Calls

Issuing DDL statements using Hue’s Impala editor or invoking Hue’s “Refresh Cache” function in the left-side metadata browser results in Hue issuing INVALIDATE METADATA calls to the Impala service. This call is expensive and can result in a significant system impact, up to and including full system outage, when repeated in sufficient volume. This has been corrected in HUE-8882.

Components affected:
  • Hue
  • Impala
Products affected:
  • Cloudera Enterprise 5
  • Cloudera Enterprise 6
Releases affected:
  • CDH 5.15.1, 5.15.2
  • CDH 5.16.x
  • CDH 6.1.1
  • CDH 6.2.x
  • CDH 6.3.0, 6.3.1, 6.3.2, 6.3.3

Users affected: End-users using Impala editor in Hue.

Severity: High

Impact: Users running DDL statements using the Hue Impala editor or invoking Hue’s Refresh Cache function causes INVALIDATE METADATA commands to be sent to Impala. Impala’s metadata invalidation is an expensive operation and could cause impact on the performance of subsequent queries, hence leading to the potential for significant impact on the entire cluster, including the potential for whole-system outage.

Action required:
  • CDH 6.x customers: Upgrade to CDH 6.3.4 that contains the fix.
  • CDH 5.x customers: Contact Cloudera Support for further assistance.

Apache Issue: HUE-8882

Knowledge Article: For the latest update on this issue see the corresponding Knowledge article: Cloudera Customer Advisory: High DDL usage in Hue Impala Editor may issue flood of INVALIDATE Calls

Hue Silently Disables StartTLS in LDAP Connections

There are two mechanisms to secure communication to an LDAP server. One is to use an ‘ldaps’ connection, where all traffic is encrypted inside a TLS tunnel - much like ‘https’. The other is to use ‘StartTLS’, where traffic begins unencrypted in the “ldap” protocol and then upgrades itself to a TLS connection.

If StartTLS is enabled in the Hue configuration but the ‘ldap_cert’ parameter is not configured, then Hue silently disables StartTLS.

StartTLS will not be used for synchronization or import, even if StartTLS is enabled and the ‘ldap_cert’ parameter is set.

The result is that connections that the administrator assumes to be secured, using StartTLS, are not actually secure.

CVE: CVE-2019-19146

Date/time of detection: 22nd March, 2019

Detected by: Ben Gooley, Cloudera

Severity (Low/Medium/High): 8.8 High CVSS AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Products affected: CDH

Releases affected:
  • CDH 5.x
  • CDH 6.1.0
  • CDH 6.1.1
  • CDH 6.2.0
  • CDH 6.2.1
  • CDH 6.3.0

Users affected: All users who are using StartTLS enabled in the Hue configuration when using LDAP as Authentication Backend to login in Hue.

Impact: Sensitive data exposure.

Immediate action required:
  • Upgrade (recommended): Update to a version of CDH containing the fix.
  • Workaround: Use “ldaps” instead of “ldap” and StartTLS.

Addressed in release/refresh/patch: CDH 6.3.1 and above

Knowledge Article: For the latest update on this issue see the corresponding Knowledge article: TSB 2020-371: Hue Silently Disables StartTLS in LDAP Connections

Hue allows unsigned SAML assertions

If Hue receives an unsigned assertion, it continues to process it as valid. This means it is possible for an end-user to forge or remove the signature and manipulate a SAML assertion to gain access without a successful authentication.

Products affected: Hue, CDH

Releases affected:
  • CDH 5.15.x and earlier
  • CDH 5.16.0, 5.16.1
  • CDH 6.0.x
  • CDH 6.1.x

User affected: All users who are using SAML with Hue.

CVE: CVE-2019-14775

Date/time of detection: January 2019

Detected by: Joel Snape

Severity (Low/Medium/High): High

Impact:

This is a significant security risk as it allows anyone to fake their access validity and therefore access Hue, even if they should not have access. In more detail: if Hue receives an unsigned assertion, it continues to process it as valid. This means it is possible for an end-user to forge or remove the signature and manipulate a SAML assertion to gain access without a successful authentication.

CVE: CVE-2019-14775

Immediate action required:
  • Upgrade (recommended): Upgrade to a version of CDH containing the fix.
  • Workaround: None
Addressed in release/refresh/patch:
  • CDH 5.16.2
  • CDH 6.2.0

Oozie workflows cannot be clicked when opened from Workflows > Editor > Workflows in Hue 3

When you are using Hue 3, you cannot edit an Oozie workflow by clicking it when you navigate to Workflows > Editor > Workflows.

Affected Versions: CDH 5.15.x and later CDH 5.x versions

Fixed in Versions: No fix is planned for CDH 6.x as only Hue 4 is available

Cloudera Bug: CDH-70450

Workaround: Switch to Hue 4:

In the Hue user interface, click the Administration menu and select Switch to Hue 4:



Long delay in Impala metadata operations cause a 502 proxy error

A 502 error message appears when an Impala metadata operation, such as an Impala query compilation, takes several minutes. This causes Hue to timeout and throw a 502 error.

Affected Versions: CDH 5.12.x, 5.13.0, 5.13.1

Fixed in Versions: 5.14.0

Cloudera Bug: CDH-57588

Workaround: Configure the ProxyTimeout value parameter using the Advanced Configuration Snippet:
  1. In the Cloudera Manager user interface, locate Hue > Configuration.
  2. Using the search box, search for 'Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf'.
  3. In the resulting text box, insert ProxyTimeout 600 — this allows the Hue Load Balancer 600 seconds until timeout instead of the default 60.
  4. Save and restart the Hue Load Balancer.
  5. Export the results to excel again or rerun the Hive query from Hue UI.

Hue operations randomly fail and display a 502 error

Hue operations randomly fail.

Affected Versions: CDH 5.12.x, 5.13.0

Fixed in Versions: 5.14.0

Workaround: Make configuration changes to the Hue Load Balancer:
  1. Find the Hue Load Balancer host by selecting Host > All Host and search for "Hue Load Balancer"
  2. Navigate to the following directory on the Hue Load Balancer host: /usr/share/cmf/hue/httpd/.
  3. Edit the httpd.conf file and add the following property after the ProxyPass property: SetEnv proxy-intial-not-pooled 1.
  4. Inside the <IfDefine Cloudera_HTTPD_USE_SSL> block under the SSLProtocol property line, add the following properties: 
    SSLPRoxyProtocol all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS

Cloudera Bug: CDH-57588

Hue does not start with MySql and Ubuntu 12.04

In Ubuntu 12.04, the pip script file, /usr/lib/python2.7/dist-packages/pkg_resources.py, is unable to resolve required packages.

Affected Versions: All CDH 5 versions.

Cloudera Bug: CDH-54615

Fixed in Versions: No fix is planned. Recommend upgrading from Ubuntu 12.04

Workaround:
  1. Log on to Cloudera Manager and go to Hue > Configuration.
  2. Search for and set Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini: 
    PYTHONPATH=/opt/cloudera/parcels/CDH/lib/hue/build/env/lib/python2.7/site-packages
  3. Click Save Changes and restart Hue.

Hue Load Balancer with TLS fails on peer Cloudera Navigator validation

The Hue load balancer may fail with TLS enabled and Apache HTTPD 2.4 or higher.

Affected Versions: CDH 5.11.0 and lower

Cloudera Bug: CDH-51352

Workaround:
  1. Log on to Cloudera Manager and go to Hue > Configuration.
  2. Search for and set Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf: 
    ProxyPreserveHost Off
  3. Search for and set Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini: 
    [desktop]
use_x_forwarded_host=true
  4. Click Save Changes and restart Hue.

HTTPD 2.4 breaks Hue high availability with SSLProxyPeerCN on

In HTTPD 2.2 and earlier versions, SSLProxyPeerCN is off. In HTTPD 2.4, SSLProxyPeerCN is turned on. This breaks Hue high availability and throws a proxy error.

Affected Versions: CDH 5.11.0 only

Workaround: Disable SSLProxyCheckPeerCN and SSLProxyCheckPeerName in httpd.conf:
  1. Log on to Cloudera Manager and go to Hue > Configuration.
  2. Search for Load Balancer Advanced Configuration Snippet (Safety Valve) for httpd.conf.
  3. Disable proxy peer checks by entering: 
    SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
  4. Click Save changes and restart Hue.

Icons Stop Rendering in IE11 Browser with HTTPS

When you use the back button in IE11 with https, some Hue graphics stop rendering. Add a load balancer to resolve.

Affected Versions: All CDH 5.x versions.

Cloudera Bug: CDH-52950

Workaround: Add a Hue Load Balancer:

  1. Log on to Cloudera Manager and click Hue.
  2. Select Actions > Add Role Instances.
  3. Click Select hosts in the field under Load Balancer.
  4. Select a host and click OK.
  5. Check the Load Balancer box and select Actions for Selected > Start > Start.
  6. Click Save Changes and restart Hue.

Hue does not support the Spark App

Hue does not currently support the Spark application.