Issues Fixed in Cloudera Manager 5
The following sections describe issues fixed in each Cloudera Manager 5 release.
- Issues Fixed in Cloudera Manager 5.16.2
- Issues Fixed in Cloudera Manager 5.16.1
- Issues Fixed in Cloudera Manager 5.15.2
- Issues Fixed in Cloudera Manager 5.15.1
- Issues Fixed in Cloudera Manager 5.15.0
- Issues Fixed in Cloudera Manager 5.14.4
- Issues Fixed in Cloudera Manager 5.14.3
- Issues Fixed in Cloudera Manager 5.14.2
- Issues Fixed in Cloudera Manager 5.14.1
- Issues Fixed in Cloudera Manager 5.14.0
- Issues Fixed in Cloudera Manager 5.13.3
- Issues Fixed in Cloudera Manager 5.13.2
- Issues Fixed in Cloudera Manager 5.13.1
- Issues Fixed in Cloudera Manager 5.13.0
- Issues Fixed in Cloudera Manager 5.12.2
- Issues Fixed in Cloudera Manager 5.12.1
- Issues Fixed in Cloudera Manager 5.12.0
- Issues Fixed in Cloudera Manager 5.11.2
- Issues Fixed in Cloudera Manager 5.11.1
- Issues Fixed in Cloudera Manager 5.11.0
- Issues Fixed in Cloudera Manager 5.10.2
- Issues Fixed in Cloudera Manager 5.10.1
- Issues Fixed in Cloudera Manager 5.10.0
- Issues Fixed in Cloudera Manager 5.9.3
- Issues Fixed in Cloudera Manager 5.9.2
- Issues Fixed in Cloudera Manager 5.9.1
- Issues Fixed in Cloudera Manager 5.9
- Issues Fixed in Cloudera Manager 5.8.5
- Issues Fixed in Cloudera Manager 5.8.4
- Issues Fixed in Cloudera Manager 5.8.3
- Issues Fixed in Cloudera Manager 5.8.2
- Issues Fixed in Cloudera Manager 5.8.1
- Issues Fixed in Cloudera Manager 5.8.0
- Issues Fixed in Cloudera Manager 5.7.6
- Issues Fixed in Cloudera Manager 5.7.5
- Issues Fixed in Cloudera Manager 5.7.4
- Issues Fixed in Cloudera Manager 5.7.2
- Issues Fixed in Cloudera Manager 5.7.1
- Issues Fixed in Cloudera Manager 5.7.0
- Issues Fixed in Cloudera Manager 5.6.2
- Issues Fixed in Cloudera Manager 5.6.1
- Issues Fixed in Cloudera Manager 5.6.0
- Issues Fixed in Cloudera Manager 5.5.6
- Issues Fixed in Cloudera Manager 5.5.4
- Issues Fixed in Cloudera Manager 5.5.3
- Issues Fixed in Cloudera Manager 5.5.2
- Issues Fixed in Cloudera Manager 5.5.1
- Issues Fixed in Cloudera Manager 5.5.0
- Issues Fixed in Cloudera Manager 5.4.10
- Issues Fixed in Cloudera Manager 5.4.9
- Issues Fixed in Cloudera Manager 5.4.8
- Issues Fixed in Cloudera Manager 5.4.7
- Issues Fixed in Cloudera Manager 5.4.6
- Issues Fixed in Cloudera Manager 5.4.5
- Issues Fixed in Cloudera Manager 5.4.3
- Issues Fixed in Cloudera Manager 5.4.1
- Issues Fixed in Cloudera Manager 5.4.0
- Issues Fixed in Cloudera Manager 5.3.10
- Issues Fixed in Cloudera Manager 5.3.9
- Issues Fixed in Cloudera Manager 5.3.8
- Issues Fixed in Cloudera Manager 5.3.7
- Issues Fixed in Cloudera Manager 5.3.6
- Issues Fixed in Cloudera Manager 5.3.4
- Issues Fixed in Cloudera Manager 5.3.3
- Issues Fixed in Cloudera Manager 5.3.2
- Issues Fixed in Cloudera Manager 5.3.1
- Issues Fixed in Cloudera Manager 5.3.0
- Issues Fixed in Cloudera Manager 5.2.8
- Issues Fixed in Cloudera Manager 5.2.7
- Issues Fixed in Cloudera Manager 5.2.6
- Issues Fixed in Cloudera Manager 5.2.5
- Issues Fixed in Cloudera Manager 5.2.2
- Issues Fixed in Cloudera Manager 5.2.1
- Issues Fixed in Cloudera Manager 5.2.0
- Issues Fixed in Cloudera Manager 5.1.7
- Issues Fixed in Cloudera Manager 5.1.6
- Fixed Issues in Cloudera Manager 5.1.5
- Fixed Issues in Cloudera Manager 5.1.4
- Issues Fixed in Cloudera Manager 5.1.3
- Issues Fixed in Cloudera Manager 5.1.2
- Issues Fixed in Cloudera Manager 5.1.1
- Issues Fixed in Cloudera Manager 5.1.0
- Fixed Issues in Cloudera Manager 5.0.8
- Fixed Issues in Cloudera Manager 5.0.7
- Fixed Issues in Cloudera Manager 5.0.6
- Fixed Issues in Cloudera Manager 5.0.5
- Issues Fixed in Cloudera Manager 5.0.2
- Issues Fixed in Cloudera Manager 5.0.1
- Issues Fixed in Cloudera Manager 5.0.0
- Issues Fixed in Cloudera Manager 5.0.0 Beta 2
- Issues Fixed in Cloudera Manager 5.0.0 Beta 1
Issues Fixed in Cloudera Manager 5.16.2
The API method "ApiHiveCloudReplicationArguments" is missing for Cloudera Manager 5.15
The Cloudera Manager Python API client released in 5.16.1 missed changes that were introduced in version 5.15, including changes related to Backup and Disaster Recovery (BDR) Hive Replication. Those missing changes have been ported.
Cloudera Bug: OPSAPS-48873
Backup and Disaster Recovery fails if dfs.nameservices is overridden with multiple nameservice names
This fix handles the scenario for multiple nameservices in the dfs.nameservices configuration. Now the feature cross-checks that with the fs.defaultFS configured in core-site.xml.
Cloudera Bug: OPSAPS-48579
Error handling differs between multi-thread and single-thread Hive replication
This fix aligns multi-thread Hive replication error handling with the single-thread case. Multi-thread Hive replication now has the appropriate error types, suppressed by the replication.hive.ignoreTableNotFound and replication.hive.ignoreDataBaseNotFound safety valves implicitly.
Cloudera Bug: OPSAPS-49987
Issues Fixed in Cloudera Manager 5.16.1
Yarn Application Masters fail when a concurrent Deploy Client Configuration job is executed
Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.
- On the Cloudera Manager server host, add the following line to the /etc/default/cloudera-scm-server file:
export CMF_FF_YARN_SAFE_CONTAINER_EXECUTOR_DIR=true
- Restart the Cloudera Manager Server:
service cloudera-scm-server restart
- Restart the NodeManager(s) so they can pick up the new configuration change:
- In the Cloudera Manager Admin console, go to the YARN service.
- Click the Instances tab.
- Select all hosts with the NodeManager Role Type.
- Click .
Cloudera Bug: OPSAPS-24398
Aborting a BDR replication does not stop and issues an empty error
The abort functionality now works as expected.
Cloudera Bug: OPSAPS-39694
HDFS replication fails when reserved raw data is replicated
Fixed an issue with HDFS replication where reserved raw data is replicated with the delete strategy.
Cloudera Bug: OPSAPS-47244
Threshold settings prevent correct configuration
When Threshold settings are saved with values such as Any or Never, a bug in the validation code prevented the user from saving the threshold to a specific value. This is now fixed.
Cloudera Bug: OPSAPS-46657
Gateway roles and Isilon replication jobs
Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replications jobs from running.
Cloudera Bug: OPSAPS-46154
Save Changes remains enabled after clicking (possible autocomplete issue)
Google Chrome version 66, released on 28 April 2018, introduced behavior changes which can trigger unintended modification of existing configuration values in Cloudera Manager. If a page contains a password field, the browser aggressively applies auto-complete form data to the first text field and first password form fields. These changes are applied without user input or explicit notification (fields are highlighted).
Cloudera Bug: OPSAPS-46118
Spark cross-realm authentication fails
Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.
Cloudera Bug: OPSAPS-46103
Host installation or upgrade using key based authentication where private key is protected by passphrase does not work
In Cloudera Manager, host installation and upgrade does not work when using key-based host authentication with SSH where the private key is protected by a passphrase.
Cloudera Bug: OPSAPS-45571
Failures during Cloudera Manager installation or upgrade
Fixed an issue where Cloudera Manager agent installation or upgrade failed due to misconfigured or problematic third-party repositories that were interfering with the process.
Cloudera Bug: OPSAPS-45576
Cloudera Manager should not omit LDAP GROUP_MAPPING passwords from NodeManager
Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.
Cloudera Bug: OPSAPS-45440
Upgrading a license finishes on wrong page
The Enable Trial workflow previously finished on the upgrade page, now it goes back to the Home page upon completion.
Cloudera Bug: OPSAPS-45444
Flume uses default values for Kafka TLS settings
Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.
Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.
Cloudera Bug: OPSAPS-45669
Cloudera Manager upgrade page load issues in Internet Explorer
The new Cloudera Manager Upgrade page doesn't load in IE9, 10 or 11 due to using a feature that is not supported in IE. This is now fixed in 5.15.1.
Cloudera Bug: OPSAPS-45779
Do not expose configuration history to non-admin users
Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.
Cloudera Bug: OPSAPS-45781
Incorrect page reloads on Instances and All Hosts paged
The Instances page and the All Hosts page now do not reload when a command finishes.
Cloudera Bug: OPSAPS-45761
Kudu package missing from CDH installation using packages
Fixed an issue where Cloudera Manager did not install Kudu packages when CDH was installed using packages instead of parcels.
Cloudera Bug: OPSAPS-45692
Reports Manager displays incorrectly
When the Reports Manager is not installed, Cloudera Manager Admin Console pages now display correctly and irrelevant links have been removed.
Cloudera Bug: OPSAPS-44873
Cloudera Manager fails when enabling Kerberos if TLS is already configured
When enabling kerberos for a cluster running TLS, the system cannot use the privileged ports ( < 1024). Instead, the wizard will prompt user to use the appropriate port values.
Cloudera Bug: OPSAPS-33345
Kafka JMX connections listen on all interfaces unnecessarily
Kafka broker and MirrorMaker processes now listen on only the loopback interface for JMX connections. This caused Cloudera Manager to report that Kafka had stale configurations.
Cloudera Bug: OPSAPS-47365
BDR replicates Kudu HMS entries as-is
Hive tables created by Kudu are now excluded from Backup and Disaster Recovery replication.
Cloudera Bug: OPSAPS-46549
Restart warnings are incorrect after starting role with outdated configuration
Fixed an issue where some roles that required restarts were not correctly identified after starting a role marked as Started with Outdated Configuration.
Cloudera Bug: OPSAPS-45237
Host inspector should check system user group membership
The new Host Inspector will now warn if user doesn't belong to its own group
Cloudera Bug: OPSAPS-46592
Null Pointer Exception on Cloudera Manager Upgrade Page
Fixed a NPE on the new Cloudera Manager Upgrade page. This only happens when the agent could not retrieve the host status.
Cloudera Bug: OPSAPS-46616
Upgrade to CDH 5.15.1 fails with CM 5.15.1 and OpenJDK
Cloudera Bug: OPSAPS-47620
Issues Fixed in Cloudera Manager 5.15.2
Restart Warnings are incorrect after starting a role with an outdated configuration
Fixed an issue where some roles that required restarts were not correctly identified after starting a role marked as "Started with Outdated Configuration".
Cloudera Bug: OPSAPS-47775, OPSAPS-47493
Releases affected: 5.13, 5.14, 5.15
Upgrade to CDH 5.15.1 fails with CM 5.15.1 and OpenJDK
Cloudera Bug: OPSAPS-47620
Kafka JMX connections listen on all interfaces unnecessarily
Kafka broker and MirrorMaker processes now listen on only the loopback interface for JMX connections. This caused Cloudera Manager to report that Kafka had stale configurations.
Cloudera Bug: OPSAPS-47365
Flume uses default values for Kafka TLS settings
Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.
Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.
Cloudera Bug: OPSAPS-45669
Issues Fixed in Cloudera Manager 5.15.1
Cloudera Manager read-only user can access sensitive cluster information
Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.
For the latest update on this issue, see the corresponding Knowledge article:
TSB 2018-306: Cloudera Manager Information Disclosure
Cloudera Bug: OPSAPS-45688
Open Redirect and XSS in Cloudera Manager
Technical Service Bulletin 2018-321 (TSB)
One type of page in Cloudera Manager uses a returnUrl parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker’s external site or perform a malicious JavaScript function that results in cross-site scripting (XSS).
With this fix, Cloudera Manager no longer allows any value in the returnUrl parameter with patterns such as http://, https://, //, or javascript. The only exceptions to this rule are the SAML login/logout URLs, since they are explicitly configured and are not passed via the returnUrl parameter.
Products affected: Cloudera Manager
Releases affected:
- 5.15.0 and all earlier releases
Users affected: The following Cloudera Manager roles: “cluster administrator”, “full administrators”, and “configurators”.
Date/time of detection: June 20, 2018
Detected by: Mohit Rawat & Ekta Mittal
Severity (Low/Medium/High): 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Impact: Open redirects can silently redirect a victim to an attacker’s site. XSS vulnerabilities can be used to steal credentials or to perform arbitrary actions as the targeted user.
CVE: CVE-2018-15913
Immediate action required: Upgrade to Cloudera Manager 5.15.1 or higher
Addressed in release/refresh/patch:
- Cloudera Manager 5.15.1 and higher
- Cloudera Manager 6.0.0
Flume uses default values for Kafka TLS settings
Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.
Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.
Cloudera Bug: OPSAPS-45669
Abort Installation button causes errors
Abort Installation button causes errors When installing or upgrading hosts using the Upgrade or Installation wizards, when the ""abort"" link is clicked an error message is displayed. (waiting for answer in comments)
Cloudera Bug: OPSAPS-45655
Host Inspector reports identical JDK versions as different.
The Host Inspector was reporting JDKs installed with a different installation path as different JDK versions.
Cloudera Bug: OPSAPS-44931
Upgrading a license finishes on wrong page
The Enable Trial workflow previously finished on the upgrade page, now it goes back to the Home page upon completion.
Cloudera Bug: OPSAPS-45444
Cloudera Manager should not omit LDAP GROUP_MAPPING passwords from NodeManager
Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.
Cloudera Bug: OPSAPS-45440
Do not expose configuration history to non-admin users
Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.
Cloudera Bug: OPSAPS-45781
Cloudera Manager upgrade page load issues in Internet Explorer
The new Cloudera Manager Upgrade page doesn't load in IE9, 10 or 11 due to using a feature that is not supported in IE. This is now fixed in 5.15.1.
Cloudera Bug: OPSAPS-45779
Gateway roles and Isilon replication jobs
Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replications jobs from running.
Cloudera Bug: OPSAPS-46154
Cloudera Backup and Disaster Recovery cannot import Hive metadata
Fixed a bug where Cloudera Backup and Disaster Recovery could not import Hive metadata that included a Partitioned View with a null StorageDescriptor.
Cloudera Bug: OPSAPS-45900
Threshold settings prevent correct configuration
When Threshold settings are saved with values such as Any or Never, a bug in the validation code prevented the user from saving the threshold to a specific value. This is now fixed.
Cloudera Bug: OPSAPS-46657
Incorrect page reloads on Instances and All Hosts paged
The Instances page and the All Hosts page now do not reload when a command finishes.
Cloudera Bug: OPSAPS-45761
Null Pointer Exception on Cloudera Manager Upgrade Page
Fixed a NPE on the new Cloudera Manager Upgrade page. This only happens when the agent could not retrieve the host status.
Cloudera Bug: OPSAPS-46616
Spark cross-realm authentication fails
Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.
Cloudera Bug: OPSAPS-46103
Yarn Application Masters fail when a concurrent Deploy Client Configuration job is executed
Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.
- On the Cloudera Manager server host, add the following line to the /etc/default/cloudera-scm-server file:
export CMF_FF_YARN_SAFE_CONTAINER_EXECUTOR_DIR=true
- Restart the Cloudera Manager Server:
service cloudera-scm-server restart
- Restart the NodeManager(s) so they can pick up the new configuration change:
- In the Cloudera Manager Admin console, go to the YARN service.
- Click the Instances tab.
- Select all hosts with the NodeManager Role Type.
- Click .
Cloudera Bug: OPSAPS-24398
Cloudera Manager does not list any CDH package options other than "custom"
When doing a package installation or upgrade of CDH, no versions of CDH5 are shown in the Cloudera Manager Admin Console.
Cloudera Bug: OPSAPS-45732
Issues Fixed in Cloudera Manager 5.15.0
Cloudera Manager read-only user can access sensitive cluster information
Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.
For the latest update on this issue, see the corresponding Knowledge article:
TSB 2018-306: Cloudera Manager Information Disclosure
Cloudera Bug: OPSAPS-45688
Cross-site scripting vulnerability in Cloudera Manager
Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description
Cloudera Bug: DOCS-3186
Cannot install or start Cloudera Manager on SLES12
Fixed an issue where Path A (non-production) installations of Cloudera Manager do not work on SLES version 12.
See TSB-279 for more information.
Cloudera Bug: OPSAPS-44284
Extra entries in the Manage Host Override dialog
Fixed an issue where duplicate hostnames appeared when editing configuration overrides for Host level configurations.
Cloudera Bug: OPSAPS-44814
Cloudera logo disappears in Upgrade Wizard
Fixed an issue where the Cloudera Manager logo might not get refreshed in the browser automatically when upgrading from Cloudera Manager 5.10 to 5.11 or higher. This issue caused the logo to disappear.
Cloudera Bug: OPSAPS-44676
Errors thrown for Hive replications managed by a single Cloudera Manager
Fixed an issue where an exception is thrown when collecting replication diagnostics for a Hive replication schedule between two clusters managed by a single Cloudera Manager.
Cloudera Bug: OPSAPS-45197
YARN NodeManager stale due to missing CGroups
Fixed an issue where the YARN NodeManager may show as being stale due to System Resources even when it is not. The named-cpu value may show as changed even though it was not modified.
Cloudera Bug: OPSAPS-43973
Warning message "Cloud file creation time does not match saved time" in S3 replication
Fixed multiple false warning log message issue during HDFS-S3 restore operation.
Cloudera Bug: OPSAPS-43681
Concurrent Hive replications on different Hives fail with clashing command error
Fixed an issue that caused Hive replications to fail due to conflicting Hive replication schedules when there are two clusters managed by the same Cloudera Manager.
Cloudera Bug: OPSAPS-43652
Impala Dynamic Resource Pools access
Fixed an issue where Cloudera Manager did not generate the aclSubmitApps element in the fair-scheduler.xml file when a user did not specify any user or groups for the root pool. Cloudera Manager now automatically generates aclSubmitAppswith a space character. This change means the default is no access for all users.
Cloudera Bug: OPSAPS-45046
Cannot start CM5.13.1 after one-click manual install on SLES12 SP2
This fix upgrades the PostgreSQL JDBC driver. The new JDBC driver only supports PostgreSQL versions 8.2 and higher. RHEL5 defaults to PostgreSQL 8.1.
- Download Postgresql 9.0-802 JDBC4: https://jdbc.postgresql.org/download/postgresql-9.0-802.jdbc4.jar
- Copy it as /usr/share/java/postgresql-connector-java.jar and then install the server.
Cloudera Bug: OPSAPS-43624
AvroTypeException preventing Cloudera Manager Agent from connecting to the Cloudera Manager Server
Fixed an issue where an agent heartbeat fails and leads to the agent not connecting to the Cloudera Manager Server.
Cloudera Bug: OPSAPS-44971
Host Templates Regression on CM 5.13.x or 5.14
Fixed an issue where the Apply Host Template feature in the Add Host wizard was broken.
Cloudera Bug: OPSAPS-45334
Agent stops heartbeating due to Avro parsing errors.
Fixed an issue where, under certain conditions, the Cloudera Manager Agent stops heart beating with the Cloudera Manager Server due to Avro RPC parsing errors.
Cloudera Bug: OPSAPS-45282
Error "Mismatched input PATTERN expecting EOF" on the Detail Usage page of the Resource Manager
Fixed an issue where a user sees an error message about Mismatched input PATTERN.
Cloudera Bug: OPSAPS-42437
Agent exception "Could not evaluate resource {u'hard_limit': 500, u'soft_limit': 300}: 'unicode' object has no attribute 'items'"
Fixes an issue in Cloudera Manager agent where cgroup soft and hard memory limits were not applied on the host.
Cloudera Bug: OPSAPS-45229
Host installation or upgrade using key based authentication where private key is protected by passphrase does not work
In Cloudera Manager, host installation and upgrade does not work when using key-based host authentication with SSH where the private key is protected by a passphrase.
Cloudera Bug: OPSAPS-45571
Backup and Disaster Recovery replication fails between two clusters when data is copied from one encryption zone to another when using CDH 5.12.0 or higher
Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.
Both the source and destination clusters must upgrade to a release that contains the fix.
Cloudera Bug: OPSAPS-43556
Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3
Logging issue slows down Hive and HDFS Replication jobs
Fixed an issue that occurred when using Cloudera Manager for cross-cluster replication of HDFS and Hive. Unnecessary warning logs are printed during the initial phase of replication (‘copy listing’). These logs were printed for each and every file that Cloudera Backup and Disaster Recovery (BDR) copies. This causes very verbose log output which slows down this phase of the replication job and can affect overall replication times considerably. This happens only when both source and target clusters are running Cloudera Manager 5.14.0.
See TSB-290 for more information.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.1
Cloudera Bug: OPSAPS-44160
Scheduled snapshot and replication jobs are skipped
Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2
Cloudera Bug: OPSAPS-44153
Table statistics are lost when replicating an existing table without partitions
Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2
Cloudera Bug: OPSAPS-44070
The Replication performance CSV file header does not match content
Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.
Fixed in: Cloudera Manager 5.15.0, 5.14.2, 513.2
Cloudera Bug: OPSAPS-43997
BDR Cloud (s3) Replication job fail with delegation token creation issue
Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.
Cloudera Bug: OPSAPS-44008
Spark CSD should emit proper environment variables for older CDH version 5.4.x
Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.
Cloudera Bug: OPSAPS-43985
Hive Replication export step fails with StaleObjectStateException
Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.
Cloudera Bug: OPSAPS-43964
Add "sentry" group in "hadoop.proxyuser.hive.groups" on upgrade to CDH 5.13.0 and higher
For CDH5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') for the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.
Cloudera Bug: OPSAPS-43809
Cloudera Manager Server reports 'Too many open files' error
Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.
Cloudera Bug: OPSAPS-44922
Cloudera Manager Upgrade (5.14.0 to 5.14.1) stuck at refreshing package metadata - configurator not found
Fixed a bug in the host installation/upgrade wizard that occurred when retrying individual hosts. The error message "Configurator not found" might appear and prevent installation or upgrade of all hosts.
Cloudera Bug: OPSAPS-44694
Issues Fixed in Cloudera Manager 5.14.4
Cloudera Manager read-only user can access sensitive cluster information
Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.
For the latest update on this issue, see the corresponding Knowledge article:
TSB 2018-306: Cloudera Manager Information Disclosure
Cloudera Bug: OPSAPS-45688
Gateway roles and Isilon replication jobs
Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replications jobs from running.
Cloudera Bug: OPSAPS-46154
Save Changes remains enabled after clicking (possible autocomplete issue)
Google Chrome version 66, released on 28 April 2018, introduced behavior changes which can trigger unintended modification of existing configuration values in Cloudera Manager. If a page contains a password field, the browser aggressively applies auto-complete form data to the first text field and first password form fields. These changes are applied without user input or explicit notification (fields are highlighted).
Cloudera Bug: OPSAPS-46118
Cloudera Backup and Disaster Recovery cannot import Hive metadata
Fixed a bug where Cloudera Backup and Disaster Recovery could not import Hive metadata that included a Partitioned View with a null StorageDescriptor.
Cloudera Bug: OPSAPS-45900
Do not expose configuration history to non-admin users
Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.
Cloudera Bug: OPSAPS-45781
Cloudera Manager should not omit LDAP GROUP_MAPPING passwords from NodeManager
Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.
Cloudera Bug: OPSAPS-45440
Errors thrown for Hive replications managed by a single Cloudera Manager
Fixed an issue where an exception is thrown when collecting replication diagnostics for a Hive replication schedule between two clusters managed by a single Cloudera Manager.
Cloudera Bug: OPSAPS-45197
Agent exception "Could not evaluate resource {u'hard_limit': 500, u'soft_limit': 300}: 'unicode' object has no attribute 'items'"
Fixes an issue in Cloudera Manager agent where cgroup soft and hard memory limits were not applied on the host.
Cloudera Bug: OPSAPS-45229
Yarn Application Masters fail when a concurrent Deploy Client Configuration job is executed
Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.
- On the Cloudera Manager server host, add the following line to the /etc/default/cloudera-scm-server file:
export CMF_FF_YARN_SAFE_CONTAINER_EXECUTOR_DIR=true
- Restart the Cloudera Manager Server:
service cloudera-scm-server restart
- Restart the NodeManager(s) so they can pick up the new configuration change:
- In the Cloudera Manager Admin console, go to the YARN service.
- Click the Instances tab.
- Select all hosts with the NodeManager Role Type.
- Click .
Cloudera Bug: OPSAPS-24398
Host installation or upgrade using key based authentication where private key is protected by passphrase does not work
In Cloudera Manager, host installation and upgrade does not work when using key-based host authentication with SSH where the private key is protected by a passphrase.
Cloudera Bug: OPSAPS-45571
Cloudera Manager does not list any CDH package options other than "custom"
When doing a package installation or upgrade of CDH, no versions of CDH5 are shown in the Cloudera Manager Admin Console.
Cloudera Bug: OPSAPS-45732
Issues Fixed in Cloudera Manager 5.14.3
Cross-site scripting vulnerability in Cloudera Manager
Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description
Cloudera Bug: DOCS-3186
Backup and Disaster Recovery replication fails between two clusters when data is copied from one encryption zone to another when using CDH 5.12.0 or higher
Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.
Both the source and destination clusters must upgrade to a release that contains the fix.
Cloudera Bug: OPSAPS-43556
Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3
HDFS and Hive Replications may fail after upgrading to CM 5.14.2 on clusters where HDFS HA is enabled
Fixed an issue that caused HDFS and Hive replications to fail if the destination cluster is managed by Cloudera Manager 5.14.2.
For more information, see TSB-305.
Cloudera Bug: OPSAPS-45600
Issues Fixed in Cloudera Manager 5.14.2
Cross-site scripting vulnerability in Cloudera Manager
Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description
Cloudera Bug: DOCS-3186
CGroup Hard Memory resource reports incorrect units of measurement
The
page now reports the correct units for the CGroup Hard Memory resource.Cloudera Bug: OPSAPS-41473
Scheduled snapshot and replication jobs are skipped
Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2
Cloudera Bug: OPSAPS-44153
The Replication performance CSV file header does not match content
Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.
Fixed in: Cloudera Manager 5.15.0, 5.14.2, 513.2
Cloudera Bug: OPSAPS-43997
BDR Cloud (s3) Replication job fail with delegation token creation issue
Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.
Cloudera Bug: OPSAPS-44008
Cloudera Manager Upgrade (5.14.0 to 5.14.1) stuck at refreshing package metadata - configurator not found
Fixed a bug in the host installation/upgrade wizard that occurred when retrying individual hosts. The error message "Configurator not found" might appear and prevent installation or upgrade of all hosts.
Cloudera Bug: OPSAPS-44694
Hive Replication export step fails with StaleObjectStateException
Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.
Cloudera Bug: OPSAPS-43964
Add "sentry" group in "hadoop.proxyuser.hive.groups" on upgrade to CDH 5.13.0 and higher
For CDH5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') for the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.
Cloudera Bug: OPSAPS-43809
Spark CSD should emit proper environment variables for older CDH version 5.4.x
Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.
Cloudera Bug: OPSAPS-43985
Cloudera Manager Server reports 'Too many open files' error
Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.
Cloudera Bug: OPSAPS-44922
Table statistics are lost when replicating an existing table without partitions
Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2
Cloudera Bug: OPSAPS-44070
Issues Fixed in Cloudera Manager 5.14.1
Hive Replications Can Fail Intermittently
This issue, which was also reported in TSB-2018-276, is fixed in CDH 5.13.2. For further details, see the original Known Issue.
Cloudera Manager upgrade workflow incorrectly requires deploying some optional management roles
Fixed an issue that occurred when a user upgrades to Cloudera Manager 5.14.0, and after all the agents have been updated to 5.14.0. The user sees an Upgrade Wizard, and is asked to select where to place the Navigator Metadata Server, Navigator Audit Server, and the Reports Manager roles. The Continue button is disabled until user adds one of these roles.
See TSB-289.
Cloudera Bug: OPSAPS-44629
Cloudera Bug: OPSAPS-44629
Logging issue slows down Hive and HDFS Replication jobs
Fixed an issue that occurred when using Cloudera Manager for cross-cluster replication of HDFS and Hive. Unnecessary warning logs are printed during the initial phase of replication (‘copy listing’). These logs were printed for each and every file that Cloudera Backup and Disaster Recovery (BDR) copies. This causes very verbose log output which slows down this phase of the replication job and can affect overall replication times considerably. This happens only when both source and target clusters are running Cloudera Manager 5.14.0.
See TSB-290 for more information.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.1
Cloudera Bug: OPSAPS-44160
Issues Fixed in Cloudera Manager 5.14.0
Transient 502 proxy error displays red popup in Hue
As of CDH 5.12 and later, the Hue Load balancer started throwing transient 502 proxy error that appear as a red popup on Hue web pages. This happens frequently on a secure cluster. The Hue server's runcpserver.log file does not log these 502 errors. The error is logged in /var/log/hue-httpd/error_log. Cloudera Manager now properly configures the Hue load balancer to avoid these issues.
Cloudera Bug: OPSAPS-43317
Cloudera Manager User Administrator role Error
Fixed a bug that occurred when a Cloudera Manager user with the User Administrator goes to the Settings page. The Redaction Parameters for Diagnostic Bundles parameter displays the following error message:
Invalid JSON configuration: SyntaxError: Unexpected token * in JSON at position 0.
Cloudera Bug: OPSAPS-41286
Cluster upgrade fails in wizard with "There is already a pending command on this entity."
Previously, if the customer selects the Skip Host Inspector option, the wizard proceeds to the next page but the command still runs in the background and the user sees the message "There is already a pending command on this entity." Cloudera Manager now ensures that the Host Inspector command is aborted when user selects Skip Host Inspector. It is still possible that other commands (scheduled or not) will run at the same time as the upgrade command. In this case, user will still see the same error message.
Cloudera Bug: OPSAPS-43740
Configuration "diff" throws TypeMismatchException
The feature that compares the configuration between multiple services or multiple clusters on the configuration page threw an error in Cloudera Manager 5.13. This is now fixed.
Cloudera Bug: OPSAPS-43130
Send Test Alert response dialog does not work
Since Cloudera Manager 5.12, the ability to send a Test Alert has been broken. This is now fixed.
Cloudera Bug: OPSAPS-42826
Incorrect warnings when configuring HBase Thrift Server in Kerberized cluster
Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.
Cloudera Bug: OPSAPS-41441
Historical Disk Usage By User download CSV is not adding the metric type customer is choosing
When creating the "Historical Disk Usage By User" report from the
page, the download button did not honor the chosen metric. This is now fixed.Cloudera Bug: OPSAPS-43474
WebServerMetricCollector breaks
Fixed a bug causing broken Impala monitoring functionality when password authentication is enabled for the Impala Daemon Web server.
Cloudera Bug: OPSAPS-43216
Cloudera Manager LDAP authentication fails
When the External Authentication type is set to LDAP, and the LDAP server is Active Directory, and the LDAP Group Search Base field is configured to be the root of the directory tree, authentication may fail with a PartialResultException message in the logs. This exception is now handled so that authentication succeeds.
Cloudera Bug: OPSAPS-43262
Logging in to Cloudera Manager 5.12.x with Internet Explorer 11 fails
Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.
Cloudera Bug: OPSAPS-42870
Hive Replication jobs fail intermittently
Fixed a bug where Hive Replications can fail intermittently on the first step. The failure message says: "The remote command failed with error message: Hive Replication Export Step failed".
See TSB-276.
Fixed in: Cloudera Manager 5.14.0, 5.13.1
Cloudera Bug: OPSAPS-43676
Collect HDFS Replication process files in Hive Replication Diagnostic Bundle
The Hive Replication Diagnostic bundle now collects the HDFS Replication step's process log files.
Cloudera Bug: OPSAPS-43583
Hive Replication fails in unsecured clusters when proxy user is not a superuser on replication source
Fixed a bug that caused Hive Replication jobs to fail in unsecured clusters during the transfer step if the proxy user is not a superuser on the replication source.
Cloudera Bug: OPSAPS-43505
lsof output in host statistics can be huge due to duplicate per-thread entries
Fixed an issue where the output of the lsof command that is captured in support bundles showed open files per-thread as well as per-process. This could cause the size of the support bundle to increase significantly, and in some cases could cause the host statistics collection phase of support bundle collection to fail. Because the per-thread information is generally redundant, it has been removed from the lsof output.
Cloudera Bug: OPSAPS-42646
Cloudera Manager unable to refresh parcel information
Fixes an issue with refreshing parcels. Information about all available parcels was failing to refresh if one of the repositories contained an invalid manifest file.
Cloudera Bug: OPSAPS-43614
Collection of Impala logs should not fail even when some log files are not present
Fixed an issue of missing Impala and Kudu role logs in the diagnostic bundle when their log directories have broken symlinks.
Cloudera Bug: OPSAPS-41194
Transfer Metadata Files step fails when the home directory of the username is encrypted
This fixes a known issue with Hive and HDFS replication where those replications fail if the /user/$proxyuser or /user/hdfs directories are encrypted. The bug was introduced in Cloudera Manager 5.12 for Hive Replication and in Cloudera Manager 5.13 for HDFS Replication.
Cloudera Bug: OPSAPS-42439
Duplicate replication job on Cloudera Manager restart
This fixes a known issue where a restart of Cloudera Manager that occurs while HDFS or Hive replication jobs are running can cause a duplicate replication job to be started.
Cloudera Bug: OPSAPS-42557
ACLs and external attributes comparison in HDFS and Hive Replication can be incorrect
Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.
Cloudera Bug: OPSAPS-42818
HDFS Replication does not show the progress marker
This fixes an issue in Cloudera Manager in which progress markers for HDFS Replication were not visible in the Admin Console.
Cloudera Bug: OPSAPS-42805
ACLs and external attributes comparison in HDFS and Hive Replication can be incorrect
Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.
Cloudera Bug: OPSAPS-42818
Cloudera Manager fails to start when gateway roles have configuration overrides
Fixes an issue where descriptor generation fails and the Cloudera Management Service fails to start if any Gateway roles have a configuration override.
Cloudera Bug: OPSAPS-43517
Replication fails with 'another command' error when the previous run is aborted
Fixes a bug introduced in Cloudera Manager 5.13 where a replication command is aborted, the next run of the command fails with the following error message: "Another HDFS replication command .... is in progress".
Cloudera Bug: OPSAPS-42808
Do not include unhealthy hosts when calculating acceptable estimation rate
Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.
Cloudera Bug: OPSAPS-42720
Duplicate Hive Logs in diagnostic bundles.
Fixes a bug where some Hive logs would be duplicated in diagnostic bundles.
Cloudera Bug: OPSAPS-41611
"100%" health aggregation thresholds no longer permitted
Cloudera Manager now validates that custom services (CSDs) cannot define an invalid threshold for the role health of a service that affects overall service health. Now the thresholds for these health warnings ("percentGreenForGreen" and "percentYellowGreenForYellow ") must be less than 100%.
Cloudera Bug: OPSAPS-42853
Allow validations for HIVE_METASTORE_MAX_MESSAGE_SIZE to be suppressible
Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.
Cloudera Bug: OPSAPS-43320
Preserve export.json and distcp-staging path when a different user runs /user replication
This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.
Cloudera Bug: OPSAPS-43050
Spark History Server ignores hadoop.security.auth_to_local mapping
The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.
Cloudera Bug: OPSAPS-42577
Impala Queries State are displayed wrong
The Impala queries page now shows the state of running queries correctly instead of calling them Finished.
Cloudera Bug: OPSAPS-43410
Rolling upgrade can fail when high availability services are stopped
Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.
Cloudera Bug: OPSAPS-42515
Pagination on Commands page skips some commands
Fixed a bug with the pagination on the All Recent Commands page in which commands were not always listed consistently.
Cloudera Bug: OPSAPS-43052
Get all schedules operation is very slow in Cloudera Manager 5.11 and higher
Before Cloudera Manager 5.14, the getAllSchedules API returned a list of failed files for all runs of a schedule. This operation slows down execution of the API and has been changed so that a list of failed files is returned only when the view is specified as full.
Cloudera Bug: OPSAPS-42587
Improve reporting of Replication progress
Live monitoring of throughput and estimated completion time for HDFS and Hive Replications running using Cloudera Manager Backup and Disaster Recovery (BDR) are now available in log files.
Cloudera Bug: OPSAPS-42756
Remove the recommendation to restart Cloudera Manager when adding trusted Kerberos realm
Changing the list of trusted Kerberos realms no longer requires a restart of Cloudera Manager.
Cloudera Bug: OPSAPS-43237
Inefficiency when checking staleness and host status
Fixed an inefficiency in staleness checking and checking host status that caused slowness in the Cloudera Manager Admin Console.
Cloudera Bug: OPSAPS-42698
NameNode migration timeout while saving namespace of size more than 7GB
Fixes an issue during HDFS NameNode migration between hosts, where the "Saving Namespace" step may timeout if the fsimage size is large.
Cloudera Bug: OPSAPS-38236
Add Diagnostic Events for Agent Upgrades
Added installation and upgrade events for the Cloudera Manager agent software running on a cluster host to the diagnostic bundle.
Cloudera Bug: OPSAPS-42468
Limit the size of Hive log files collected in BDR diagnostic
Hive-related log files included in diagnostic bundle are now be limited to 100MB (before compression).
Cloudera Bug: OPSAPS-41610
Hive partitions not dropped in Hive replication
When partitions are deleted from a Hive table on the source cluster, Cloudera Backup and Disaster Recovery now correctly deletes the same partitions on Hive replication target. This fixes the bug introduced in Cloudera Manager 5.8.
Cloudera Bug: OPSAPS-42613
MR2Params.DEFAULT_MAPREDUCE_REDACTED_PROPERTIES should include Microsoft Azure credentials
Fixes a bug that caused a possible leak of sensitive cloud account information because redaction of these job configuration properties was not enabled by default for MapReduce jobs.
Cloudera Bug: OPSAPS-43753
Cross-site scripting issues fixed
A number of cross-site scripting issues have been identified through internal auditing and have all been fixed.
Cloudera Bug: OPSAPS-42828
Default end time in cluster utilization APIs is not parsed correctly
Fixed an issue where the cluster utilization report APIs did not work if the end time of the report was not specified with the to parameter. End time is meant to be an optional parameter, and now such API calls work without the to parameter.
Cloudera Bug: OPSAPS-42820
Replication fails if the home directory of the username in the schedule is encrypted
Fixed an issue where BDR replication fails if the user directory of the user specified in the Run as Peer User or Run as username field in the replication schedule is encrypted.
Fixed in: Cloudera Manager 5.14.0, 5.13.1
Cloudera Bug: OPSAPS-42445
Issues Fixed in Cloudera Manager 5.13.3
Cross-site scripting vulnerability in Cloudera Manager
Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description
Cloudera Bug: DOCS-3186
Cloudera Manager Server reports 'Too many open files' error
Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.
Cloudera Bug: OPSAPS-44922
Backup and Disaster Recovery replication fails between two clusters when data is copied from one encryption zone to another when using CDH 5.12.0 or higher
Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.
Both the source and destination clusters must upgrade to a release that contains the fix.
Cloudera Bug: OPSAPS-43556
Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3
Issues Fixed in Cloudera Manager 5.13.2
Cross-site scripting vulnerability in Cloudera Manager
Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description
Cloudera Bug: DOCS-3186
Hive Replications Can Fail Intermittently
This issue, which was also reported in TSB-2018-276, is fixed in CDH 5.13.2. For further details, see the original Known Issue.
Add "sentry" group in "hadoop.proxyuser.hive.groups" on upgrade to CDH 5.13.0 and higher
For CDH5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') for the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.
Cloudera Bug: OPSAPS-43809
BDR Cloud (s3) Replication job fail with delegation token creation issue
Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.
Cloudera Bug: OPSAPS-44008
Cloudera Manager User Administrator role Error
Fixed a bug that occurred when a Cloudera Manager user with the User Administrator goes to the Settings page. The Redaction Parameters for Diagnostic Bundles parameter displays the following error message:
Invalid JSON configuration: SyntaxError: Unexpected token * in JSON at position 0.
Cloudera Bug: OPSAPS-41286
Cluster upgrade fails in wizard with "There is already a pending command on this entity."
Previously, if the customer selects the Skip Host Inspector option, the wizard proceeds to the next page but the command still runs in the background and the user sees the message "There is already a pending command on this entity." Cloudera Manager now ensures that the Host Inspector command is aborted when user selects Skip Host Inspector. It is still possible that other commands (scheduled or not) will run at the same time as the upgrade command. In this case, user will still see the same error message.
Cloudera Bug: OPSAPS-43740
Collect HDFS Replication process files in Hive Replication Diagnostic Bundle
The Hive Replication Diagnostic bundle now collects the HDFS Replication step's process log files.
Cloudera Bug: OPSAPS-43583
Configuration "diff" throws TypeMismatchException
The feature that compares the configuration between multiple services or multiple clusters on the configuration page threw an error in Cloudera Manager 5.13. This is now fixed.
Cloudera Bug: OPSAPS-43130
Historical Disk Usage By User download CSV is not adding the metric type customer is choosing
When creating the "Historical Disk Usage By User" report from the
page, the download button did not honor the chosen metric. This is now fixed.Cloudera Bug: OPSAPS-43474
Hive Replication export step fails with StaleObjectStateException
Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.
Cloudera Bug: OPSAPS-43964
Hive Replication fails in unsecured clusters when proxy user is not a superuser on replication source
Fixed a bug that caused Hive Replication jobs to fail in unsecured clusters during the transfer step if the proxy user is not a superuser on the replication source.
Cloudera Bug: OPSAPS-43505
Hive Replication jobs fail intermittently
Fixed a bug where Hive Replications can fail intermittently on the first step. The failure message says: "The remote command failed with error message: Hive Replication Export Step failed".
See TSB-276.
Fixed in: Cloudera Manager 5.14.0, 5.13.1
Cloudera Bug: OPSAPS-43676
Collection of Impala logs should not fail even when some log files are not present
Fixed an issue of missing Impala and Kudu role logs in the diagnostic bundle when their log directories have broken symlinks.
Cloudera Bug: OPSAPS-41194
Scheduled snapshot and replication jobs are skipped
Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2
Cloudera Bug: OPSAPS-44153
Table statistics are lost when replicating an existing table without partitions
Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.
Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2
Cloudera Bug: OPSAPS-44070
The Replication performance CSV file header does not match content
Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.
Fixed in: Cloudera Manager 5.15.0, 5.14.2, 513.2
Cloudera Bug: OPSAPS-43997
WebServerMetricCollector breaks
Fixed a bug causing broken Impala monitoring functionality when password authentication is enabled for the Impala Daemon Web server.
Cloudera Bug: OPSAPS-43216
Spark CSD should emit proper environment variables for older CDH version 5.4.x
Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.
Cloudera Bug: OPSAPS-43985
lsof output in host statistics can be huge due to duplicate per-thread entries
Fixed an issue where the output of the lsof command that is captured in support bundles showed open files per-thread as well as per-process. This could cause the size of the support bundle to increase significantly, and in some cases could cause the host statistics collection phase of support bundle collection to fail. Because the per-thread information is generally redundant, it has been removed from the lsof output.
Cloudera Bug: OPSAPS-42646
Issues Fixed in Cloudera Manager 5.13.1
Replication fails if the home directory of the username in the schedule is encrypted
Fixed an issue where BDR replication fails if the user directory of the user specified in the Run as Peer User or Run as username field in the replication schedule is encrypted.
Fixed in: Cloudera Manager 5.14.0, 5.13.1
Cloudera Bug: OPSAPS-42445
Add Diagnostic Events for Agent Upgrades
Added installation and upgrade events for the Cloudera Manager agent software running on a cluster host to the diagnostic bundle.
Cloudera Bug: OPSAPS-42468
Cross-site scripting issues fixed
A number of cross-site scripting issues have been identified through internal auditing and have all been fixed.
Cloudera Bug: OPSAPS-42828
Logging in to Cloudera Manager 5.12.x with Internet Explorer 11 fails
Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.
Cloudera Bug: OPSAPS-42870
ACLs and external attributes comparison in HDFS and Hive Replication can be incorrect
Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.
Cloudera Bug: OPSAPS-42818
Transfer Metadata Files step fails when the home directory of the username is encrypted
This fixes a known issue with Hive and HDFS replication where those replications fail if the /user/$proxyuser or /user/hdfs directories are encrypted. The bug was introduced in Cloudera Manager 5.12 for Hive Replication and in Cloudera Manager 5.13 for HDFS Replication.
Cloudera Bug: OPSAPS-42439
Replication fails with 'another command' error when the previous run is aborted
Fixes a bug introduced in Cloudera Manager 5.13 where a replication command is aborted, the next run of the command fails with the following error message: "Another HDFS replication command .... is in progress".
Cloudera Bug: OPSAPS-42808
New Advanced Configuration Snippet for overriding the hdfs-site/core-site.xml values for Impala configurations
- Impala Catalog Server Advanced Configuration Snippet (Safety Valve) for core-site.xml
- Impala Daemon Advanced Configuration Snippet (Safety Valve) for core-site.xml
Cloudera Bug: OPSAPS-9586
Improve reporting of Replication progress
Live monitoring of throughput and estimated completion time for HDFS and Hive Replications running using Cloudera Manager Backup and Disaster Recovery (BDR) are now available in log files.
Cloudera Bug: OPSAPS-42756
Cloudera Manager fails to start when gateway roles have configuration overrides
Fixes an issue where descriptor generation fails and the Cloudera Management Service fails to start if any Gateway roles have a configuration override.
Cloudera Bug: OPSAPS-43517
Limit the size of Hive log files collected in BDR diagnostic
Hive-related log files included in diagnostic bundle are now be limited to 100MB (before compression).
Cloudera Bug: OPSAPS-41610
Do not include unhealthy hosts when calculating acceptable estimation rate
Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.
Cloudera Bug: OPSAPS-42720
Duplicate Hive Logs in diagnostic bundles.
Fixes a bug where some Hive logs would be duplicated in diagnostic bundles.
Cloudera Bug: OPSAPS-41611
Hive partitions not dropped in replication target cluster
Fixes a bug introduced in Backup and Disaster Recovery for Cloudera Manager 5.8 where HDFS and Hive replication were not dropping partitions on the target cluster that had been dropped on the source cluster.
Cloudera Bug: OPSAPS-43282
Incorrect warnings when configuring HBase Thrift Server in Kerberized cluster
Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.
Cloudera Bug: OPSAPS-41441
"100%" health aggregation thresholds no longer permitted
Cloudera Manager now validates that custom services (CSDs) cannot define an invalid threshold for the role health of a service that affects overall service health. Now the thresholds for these health warnings ("percentGreenForGreen" and "percentYellowGreenForYellow ") must be less than 100%.
Cloudera Bug: OPSAPS-42853
Duplicate replication job on Cloudera Manager restart
This fixes a known issue where a restart of Cloudera Manager that occurs while HDFS or Hive replication jobs are running can cause a duplicate replication job to be started.
Cloudera Bug: OPSAPS-42557
Allow validations for HIVE_METASTORE_MAX_MESSAGE_SIZE to be suppressible
Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.
Cloudera Bug: OPSAPS-43320
Preserve export.json and distcp-staging path when a different user runs /user replication
This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.
Cloudera Bug: OPSAPS-43050
HDFS Replication does not show the progress marker
This fixes an issue in Cloudera Manager in which progress markers for HDFS Replication were not visible in the Admin Console.
Cloudera Bug: OPSAPS-42805
YARN postponed cgroups cleanup could remove hadoop-yarn directory when NodeManager is running
This fixes a bug in which, under certain conditions after a YARN or cluster restart, Cloudera Manager would delete the local directory used by the YARN NodeManager for creation of YARN container cgroups. On systems configured to use cgroups for YARN CPU isolation, this would prevent new YARN workloads from running on specific hosts until the directory was recreated manually.
Cloudera Bug: OPSAPS-40755
Inefficiency when checking staleness and host status
Fixed an inefficiency in staleness checking and checking host status that caused slowness in the Cloudera Manager Admin Console.
Cloudera Bug: OPSAPS-42698
Improved dynamic chunk operation of BDR
For HDFS and Hive replication, copying data in chunks sized by bytes, not a fixed number of files is now the default behavior.
Cloudera Bug: OPSAPS-42682
Remove the recommendation to restart Cloudera Manager when adding trusted Kerberos realm
Changing the list of trusted Kerberos realms no longer requires a restart of Cloudera Manager.
Cloudera Bug: OPSAPS-43237
BDR performance improvement
This fix delivers a big performance boost by parallelizing the process of checking for changes in file permissions, ACLs, and external attributes. Directory permissions are now preserved in the CopyMapper phase instead of theCopyCommitter phase.
Cloudera Bug: OPSAPS-42834
Spark History Server ignores hadoop.security.auth_to_local mapping
The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.
Cloudera Bug: OPSAPS-42577
NameNode migration timeout while saving namespace of size more than 7GB
Fixes an issue during HDFS NameNode migration between hosts, where the "Saving Namespace" step may timeout if the fsimage size is large.
Cloudera Bug: OPSAPS-38236
Issues Fixed in Cloudera Manager 5.13.0
CM should report Spark service health as bad when the SparkHistoryServer is down
The Spark service health now reflects the health of its configured roles.
Cloudera Bug: OPSAPS-34698
Timeout between BDR peers increased
The communications timeout between two peer Cloudera Manager servers for communication during BDR replication has been increased to 10 seconds.
Cloudera Bug: OPSAPS-39225
New Impala metrics for hedged reads, JVM heap usage and connection setup queue size
The new metrics are for JVM Heap usage of the Catalog Server and Hedged reads.
Cloudera Bug: OPSAPS-39831, OPSAPS-40212, OPSAPS-40771
ClassCastException during upgrade with custom services (CSD) that support rolling restart
Fixed a bug that caused a ClassCastException during upgrade of clusters with custom (CSD) services that explicitly define rolling restart steps for master roles.
Cloudera Bug: OPSAPS-40182
Only one existing NodeManager role marked stale in Cloudera Manager when a new NodeManager is added
Fixes an issue with staleness detection logic. The new staleness detection logic, introduced in 5.11.0, caused a regression where it does not mark all the services stale. This affects rolling restart of the services.
Cloudera Bug: OPSAPS-40332
Proper termination and cleanup of YARN applications during decommissioning
Fixed an issue where YARN applications may not exit gracefully or clean-up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.
Cloudera Bug: OPSAPS-40731
Health Event Startup Policy incorrectly mutes health events
Fixed an issue where all health events are ignored and no alerts get sent when the Health Event Startup Policy is set to none.
Cloudera Bug: OPSAPS-40851
Non-ASCII characters in logs caused failure of log collection for diagnostic bundles
Fixed an issue where log files did not get collected correctly as part of diagnostic bundles because they contained non-ASCII characters.
Cloudera Bug: OPSAPS-40949
Exception thrown when searching large log files
Fixed an issue where an exception might be thrown when searching a log when the log file size is larger than 2 GB.
Cloudera Bug: OPSAPS-41710
Exception thrown when accessing a service status page while stopping one of its roles
Fixed an issue where an NullPointerException occurred when accessing the service status page in the Cloudera Manager Admin Console while stopping a role.
Cloudera Bug: OPSAPS-41222
Increase Maximum Document Buffer size default to 2047 in Reports Manager
The default upper limit for the Reports Manager's Maximum Document Buffer Size configuration parameter has been increased to 2047 MB.
Cloudera Bug: OPSAPS-41358
Spilled memory not populated in Impala queries and in the Spilled Memory tab in the Cluster Utilization report
Fixed an issue where the Memory Spilled metric for each Impala query was not correctly populated. This prevented various features that depend on this metric from functioning correctly. For example, the Spilled Memory tab of the Cluster Utilization Report was not populated with data.
Cloudera Bug: OPSAPS-41447
HSM KMS trust store password is visible in logs
In previous releases, when using the Cloudera Navigator HSM KMS (for use with a Thales or Luna Hardware Security Module), the KMS's trust store password was displayed in some process logs on the KMS hosts. While the trust store password is not considered sensitive, some customers set their trust store password to the same value as their key store password, which is sensitive. In this release, the HMS KMS's trust store password is no longer displayed.
Cloudera Bug: OPSAPS-41626
Hue Load Balancer caused login failure
Fixed an issue where using Apache httpd 2.4 as the Hue load balancer caused Hue logins to fail when TLS is enabled for Hue. This change requires Cloudera Manager to set the use_x_forwarded_host parameter in the hue.ini file to "true". After upgrading Cloudera Manager, Cloudera Manager will report that the Hue Server and Load Balancer role configurations are stale. If your cluster is affected by this bug, you must restart the Hue service.
Cloudera Bug: OPSAPS-41850
Upgrade is blocked when HMS validation fails
While upgrading to Cloudera Manager 5.12 and CDH 5.12, Cloudera Manager added a new Hive Metastore validation step that is executed as a part of the CDH upgrade command to detect any corruption in the Hive Metastore. In 5.12, when corruption is detected and validation fails, the upgrade command fails and leaves the cluster in an intermediate state, meaning that some services may be started while others are stopped, which is not desirable.
This issue has been fixed In Cloudera Manager 5.12.1. Because it is possible for Hive to tolerate some forms of minor schema corruption, and because it is impossible to run the schema validation tool prior to CDH 5.12, the Hive Metastore validation is now executed as the last step of the upgrade command, which occurs after all the services in the cluster have fully been upgraded and restarted. Although this step still appears to be part of upgrade step, your upgrade is actually complete and you can deal with schema integrity issues following the upgrade. If you see this step failing, exit the upgrade wizard and contact Cloudera Support for assistance repairing any schema corruption. You may then re-run the validation tool manually from the Hive service actions menu after repair is complete to verify a successful repair.
Cloudera Bug: OPSAPS-41936
Default values for yarn.scheduler.fair.assignmultiple can block YARN applications from running on CDH 5.5 or CDH 5.6
In some previous versions of Cloudera Manager, the default value of yarn.scheduler.fair.assignmultiple was incorrect and can cause problems in CDH 5.5 and 5.6. This has been fixed. Note: if you use CDH versions 5.5.x or 5.6.x and upgrade to CM 5.13, you may see a staleness indicator for the YARN service. The staleness shows yarn.scheduler.fair.max.assign as being added. This is expected, and you should restart the YARN service to avoid a serious bug in the Resource Manager (YARN-4477).
Cloudera Bug: OPSAPS-42118
Add Host Wizard does not apply host template
Fixed an issue where the Apply Host Template feature in the Add Hosts Wizard did not apply the host template.
Cloudera Bug: OPSAPS-42134
Advanced configuration properties for Hue Load Balancer have no effect
Fixed an issue where Advanced Configuration Snippets for the Hue Load Balancer were not able to override the settings SSLProtocol and SSLCipherSuite.
Cloudera Bug: OPSAPS-42187
Issues with Kafka Active Controller when managing multiple Kafka services
Fixed an issue where Cloudera Manager did not track the Active Controller in Kafka correctly if there were multiple Kafka services running under the same Cloudera Manager instance.
Cloudera Bug: OPSAPS-42216
JDK 7 performance regression for Cloudera Manager-managed deployments of HBase
This change sets the JVM property ReservedCodeCacheSize to 256MB in the default JVM startup options for HBase roles. This change attempts to prevent performance issues seen when HBase uses Java 7. The value set is the same as the default when using Java 8.
Cloudera Bug: OPSAPS-42259
NullPointerException on the Command Details page while deploying client configuration
Fixed a NullPointerException on the Command Details page that caused the Deploy Client Configuration status to not display.
Cloudera Bug: OPSAPS-42390
BDR jobs replicating specific directories can cause other jobs to fail when using certain Delete Policy modes
Fixed an issue where a replication schedule copying the /user/, /user/hdfs or /user/$bdr_user directory with the Delete Policy set to delete missing files can cause other replication jobs that run simultaneously to fail.
Cloudera Bug: OPSAPS-42492
Rolling upgrade can fail when high availability services are stopped
Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.
Cloudera Bug: OPSAPS-42515
Issues Fixed in Cloudera Manager 5.12.2
Do not include unhealthy hosts when calculating acceptable estimation rate
Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.
Cloudera Bug: OPSAPS-42720
BDR jobs replicating specific directories can cause other jobs to fail when using certain Delete Policy modes
Fixed an issue where a replication schedule copying the /user/, /user/hdfs or /user/$bdr_user directory with the Delete Policy set to delete missing files can cause other replication jobs that run simultaneously to fail.
Cloudera Bug: OPSAPS-42492
Rolling upgrade can fail when high availability services are stopped
Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.
Cloudera Bug: OPSAPS-42515
Spark History Server ignores hadoop.security.auth_to_local mapping
The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.
Cloudera Bug: OPSAPS-42577
Default values for yarn.scheduler.fair.assignmultiple can block YARN applications from running on CDH 5.5 or CDH 5.6
In some previous versions of Cloudera Manager, the default value of yarn.scheduler.fair.assignmultiple was incorrect and can cause problems in CDH 5.5 and 5.6. This has been fixed. Note: if you use CDH versions 5.5.x or 5.6.x and upgrade to CM 5.13, you may see a staleness indicator for the YARN service. The staleness shows yarn.scheduler.fair.max.assign as being added. This is expected, and you should restart the YARN service to avoid a serious bug in the Resource Manager (YARN-4477).
Cloudera Bug: OPSAPS-42118
Add Host Wizard does not apply host template
Fixed an issue where the Apply Host Template feature in the Add Hosts Wizard did not apply the host template.
Cloudera Bug: OPSAPS-42134
Incorrect warnings when configuring HBase Thrift Server in Kerberized cluster
Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.
Cloudera Bug: OPSAPS-41441
CM - log refresh takes me to the top of the page every 5 seconds
Fixed an issue in the Install Details dialog that scrolling position was not respected and always moves to the very top. Now it stays in the location that user has scrolled to.
Cloudera Bug: OPSAPS-40836
YARN postponed cgroups cleanup could remove hadoop-yarn directory when NodeManager is running
This fixes a bug in which, under certain conditions after a YARN or cluster restart, Cloudera Manager would delete the local directory used by the YARN NodeManager for creation of YARN container cgroups. On systems configured to use cgroups for YARN CPU isolation, this would prevent new YARN workloads from running on specific hosts until the directory was recreated manually.
Cloudera Bug: OPSAPS-40755
New Advanced Configuration Snippet for overriding the hdfs-site/core-site.xml values for Impala configurations
- Impala Catalog Server Advanced Configuration Snippet (Safety Valve) for core-site.xml
- Impala Daemon Advanced Configuration Snippet (Safety Valve) for core-site.xml
Cloudera Bug: OPSAPS-9586
Allow validations for HIVE_METASTORE_MAX_MESSAGE_SIZE to be suppressible
Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.
Cloudera Bug: OPSAPS-43320
Preserve export.json and distcp-staging path when a different user runs /user replication
This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.
Cloudera Bug: OPSAPS-43050
[sentry] Warn when policy files are in use
New Behavior: CM will show a suppressible warning when Sentry Policy files are used when the service can be configured to work with the Sentry Service in that CDH version. Note: HBase Solr Indexer does not currently support the Sentry Service in any CDH version and only supports policy files. Therefore, this validation warning will not be available for HBase Solr Indexer.
Cloudera Bug: OPSAPS-42865
Logging in to Cloudera Manager 5.12.x with Internet Explorer 11 fails
Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.
Cloudera Bug: OPSAPS-42870
BDR performance improvement
This fix delivers a big performance boost by parallelizing the process of checking for changes in file permissions, ACLs, and external attributes. Directory permissions are now preserved in the CopyMapper phase instead of theCopyCommitter phase.
Cloudera Bug: OPSAPS-42834
ACLs and external attributes comparison in HDFS and Hive Replication can be incorrect
Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.
Cloudera Bug: OPSAPS-42818
NullPointerException on the Command Details page while deploying client configuration
Fixed a NullPointerException on the Command Details page that caused the Deploy Client Configuration status to not display.
Cloudera Bug: OPSAPS-42390
Issues Fixed in Cloudera Manager 5.12.1
Hue Load Balancer caused login failure
Fixed an issue where using Apache httpd 2.4 as the Hue load balancer caused Hue logins to fail when TLS is enabled for Hue. This change requires Cloudera Manager to set the use_x_forwarded_host parameter in the hue.ini file to "true". After upgrading Cloudera Manager, Cloudera Manager will report that the Hue Server and Load Balancer role configurations are stale. If your cluster is affected by this bug, you must restart the Hue service.
Cloudera Bug: OPSAPS-41850
HSM KMS trust store password is visible in logs
In previous releases, when using the Cloudera Navigator HSM KMS (for use with a Thales or Luna Hardware Security Module), the KMS's trust store password was displayed in some process logs on the KMS hosts. While the trust store password is not considered sensitive, some customers set their trust store password to the same value as their key store password, which is sensitive. In this release, the HMS KMS's trust store password is no longer displayed.
Cloudera Bug: OPSAPS-41626
Maximum Diagnostic Bundle Size reported incorrectly
- The Send Diagnostic Data command was erroneously reporting the maximum allowed bundle size when the diagnostic bundle is created using the By Date Range option. This message was fixed to show the right allowed bundle size.
- The Send Diagnostic Data command displayed unclear error messages when the estimation step fails. This has been fixed to show a clear error message.
Cloudera Bug: OPSAPS-41020
Upgrade is blocked when HMS validation fails
While upgrading to Cloudera Manager 5.12 and CDH 5.12, Cloudera Manager added a new Hive Metastore validation step that is executed as a part of the CDH upgrade command to detect any corruption in the Hive Metastore. In 5.12, when corruption is detected and validation fails, the upgrade command fails and leaves the cluster in an intermediate state, meaning that some services may be started while others are stopped, which is not desirable.
This issue has been fixed In Cloudera Manager 5.12.1. Because it is possible for Hive to tolerate some forms of minor schema corruption, and because it is impossible to run the schema validation tool prior to CDH 5.12, the Hive Metastore validation is now executed as the last step of the upgrade command, which occurs after all the services in the cluster have fully been upgraded and restarted. Although this step still appears to be part of upgrade step, your upgrade is actually complete and you can deal with schema integrity issues following the upgrade. If you see this step failing, exit the upgrade wizard and contact Cloudera Support for assistance repairing any schema corruption. You may then re-run the validation tool manually from the Hive service actions menu after repair is complete to verify a successful repair.
Cloudera Bug: OPSAPS-41936
Spilled memory not populated in Impala queries and in the Spilled Memory tab in the Cluster Utilization report
Fixed an issue where the Memory Spilled metric for each Impala query was not correctly populated. This prevented various features that depend on this metric from functioning correctly. For example, the Spilled Memory tab of the Cluster Utilization Report was not populated with data.
Cloudera Bug: OPSAPS-41447
Increase Maximum Document Buffer size default to 2047 in Reports Manager
The default upper limit for the Reports Manager's Maximum Document Buffer Size configuration parameter has been increased to 2047 MB.
Cloudera Bug: OPSAPS-41358
Exception thrown when searching large log files
Fixed an issue where an exception might be thrown when searching a log when the log file size is larger than 2 GB.
Cloudera Bug: OPSAPS-41710
Proper termination and cleanup of YARN applications during decommissioning
Fixed an issue where YARN applications may not exit gracefully or clean-up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.
Cloudera Bug: OPSAPS-40731
Viewing agent logs in Internet Explorer renders incorrectly
When viewing agent logs in Internet Explorer, the logs may render as HTML instead of text. This has been fixed by forcing browsers to render the log page as text.
Cloudera Bug: OPSAPS-41122
Threads CPU time and Total Time are not populated in Impala Query Monitoring
The Thread CPU Time and Total Time attributes of Impala Query Monitoring are now correctly populated.
Cloudera Bug: OPSAPS-39647
Issues Fixed in Cloudera Manager 5.12.0
Renaming an empty directory on Amazon S3 when using DynamoDB with S3Guard may fail
Fixed an issue where renaming an empty directory on Amazon S3 when using DynamoDB with S3Guard may fail
Cloudera bug: CDH-51869
Apache bug: HADOOP-14036
Changes to the /tmp directory causes Hue failures
Changing permissions or removing files in the /tmp directory can cause Hue to fail because the Hue Kerberos ticket cache file, located by default in the /tmp directory, is no longer available. The default location has been changed to /var/run/hue.
You can change the location of the Hue Kerberos ticket cache by changing the Hue Kerberos Credentials Cache Directory property. In Cloudera Manager, go to the Hue service, select the Configuration tab, and search for the property. Restart the Hue service to enable the change.
After upgrading Cloudera Manager you must also restart the Hue service.
Cloudera Bug: OPSAPS-26101
Exception when setting maintenanceOwners to null
Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.
Cloudera Bug: OPSAPS-32880
Upgrade continues when there are hosts with warnings
Fixed an issue where an upgrade continues even if hosts have a warning. Host warnings must be resolved before an upgrade can complete.
Cloudera Bug: OPSAPS-40945
Address renewal requirements for delegation tokens in DR
Fixed an issue where BDR replication jobs fail on a Kerberos enabled cluster if the job duration is longer than the renewal interval for the hdfs delegation token. With this fix, both the delegation token and Kerberos ticket are renewed until the max lifetime of token/ticket (default value is 7 days). This enables longer replications without needing to bring down the source cluster.
Cloudera Bug: OPSAPS-32811
hostname parameter is not passed to Impala catalog role
IMPALA-5253 contained a security fix for clusters using Impala with TLS (SSL) security enabled. This fix was also made in several maintenance versions of CDH that require you to upgrade Cloudera Manager. If you upgrade to a CDH version with this fix without upgrading Cloudera Manager, Impala will not function when TLS is enabled for Impala. You should upgrade Cloudera Manager first if you want to move to a CDH version with the security fix.
This issue affects upgrades of Cloudera Manager and CDH to version 5.11.1.
There are two ways you can workaround this issue:
- Upgrade to one of the following versions of Cloudera Manager before upgrading CDH:
- 5.13.0
- 5.12.1
- 5.11.2
- 5.10.2
- 5.9.3
- 5.8.5
- Before upgrading CDH, set the -hostname option to the fully-qualified domain name of the Catalog Server using the Catalog Server Command Line Argument Advanced Configuration Snippet (Safety Valve) configuration property:
-hostname=fully-qualified-domain-name of Impala Catalog Server
(To set this property, in Cloudera Manager, go to the Impala service, select the Configuration tab and search for the property.
- 5.11.1
- 5.10.2
- 5.9.3
- 5.8.5
Cloudera bug: OPSAPS-41218
Hive Replication fails with OTHER_ERROR with duplicate view/table names
Fixed an issue where Hive replication fails if the same name is used for a table on the target cluster which is also used for a view on the source cluster. With this change, Hive replication properly handles all cases where a view and table on source/target clusters have the same name.
Cloudera Bug: OPSAPS-36302
Underscores in LDAP domain names not allowed
Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.
Cloudera Bug: OPSAPS-40487
Only use healthy HDFS/Hive hosts for launching replication jobs
- Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
- Hosts that have a Non-Gateway role
- Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
- Hosts that are whitelisted, if configured
Cloudera Bug: OPSAPS-40040
Low watermark value for Memstore Flush default is incorrect
For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.
This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.
The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.
Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.
Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5
Cloudera Bug: OPSAPS-38468
Accessing Sqoop2 with Hue fails
Fixed an issue where accessing Sqoop2 with Hue fails with the following error: Sqoop error: Could not get connectors.
CDH 5.5.0 or higher clusters running a Hue Service require a restart of Hue services because of a new configuration file. This new configuration file is required for Hue's Sqoop2 Application functions in secure settings, but it will show up whether or not Sqoop or security settings are in use.
Cloudera Bug: OPSAPS-27286
Make Oozie Load-balancer URL mandatory when enabling Oozie HA
Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-39372
Wire encryption configuration properties
HDFS client data-transfer encryption cipher related properties are now published to HTTPFs. Previously they were emitted just to HDFS Gateways, which caused HTTPFs performance to suffer when Data Transfer Encryption was turned on. When upgrading to Cloudera Manager 5.12, all HTTPFs instances will be marked stale, and a restart of those roles is required for these properties to take effect.
Cloudera Bug: OPSAPS-39981
Missing Sentry configuration files
Fixed an issue where some configuration files (core-site.xml) were missing from Sentry configuration.
Cloudera Bug: OPSAPS-33710
LoggingOutInterceptor log level
To enhance security, when API debugging is enabled, the entire API request and response is no longer printed at the DEBUG log level. To see the request/response, set the logging level to TRACE. Note that this may expose sensitive information in the logs.
Cloudera Bug: OPSAPS-34538
Failed health checks because of deprecated ntpc command
Fixed an issue where the ntpdc command was used in the host Clock Offset health test even if the command is deprecated for an operating system.
Cloudera Bug: OPSAPS-38268
Reports Manager throws ArrayIndexOutOfBoundsException when indexing fsimage
Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.
Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40914
Spark History Server password handling
Improved password handling for the Spark History Server. After upgrading to Cloudera Manager 5.12, Cloudera Manager may consider the Spark service as having a stale configuration due to this change, requiring a restart.
Cloudera Bug: OPSAPS-40298
Agent process directories re-mounted on agent restart
Fixed an issue where restarting an agent on newer Linux distributions such as Ubuntu 16.04 or Red Hat 7 would result in process run directories being remounted and lost.
Cloudera Bug: OPSAPS-41259
Process secrets no longer protected with file permissions
Fixed an issue where secret data, including passwords and other data, can be exposed in the /var/run/cloudera-scm-agent/process-name/proc.json or /var/run/cloudera-scm-agent/process-name/config.zip files because these files are world readable. See TSB-235 for more information.
Fixed in: Cloudera Manager 5.12, 5.11, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40536
Configuration files can be downloaded from the UI
Certain files that may contain sensitive information can no longer be downloaded from the Processes tab in Cloudera Manager. If access to those files is required, you must log into the appropriate host.
Cloudera Bug: OPSAPS-40309
Command download filename uniqueness
Fixed an issue where downloading the command output did not generate a unique file name.
Cloudera Bug: OPSAPS-40249
StopRunner is not honouring the keyAdministrator Role Activities
Fixed an issue where a CSD descriptor was not respecting the correct authorization for start/stop when specifying a service-level stopRunner (which enables graceful shutdown). This could cause some user roles to be able to start but not stop some services.
Cloudera Bug: OPSAPS-41030
Hue Load Balancer SSL Handshake error
Fixed an issue with the SSL handshake in Hue when Apache httpd 2.4 or higher is used as the load balancer. The Hue load balancer previously set the ProxyPreserveHost directive to On, when it should have been set to Off. This causes problems making SSL connections when using Apache httpd 2.4 or higher. The error caused problems when verifying the CN, which older versions of Apache httpd did not encounter because they did not properly verify the CN.
When upgrading Cloudera Manager, the Hue load balancer may be marked as having a stale configuration. If you are experiencing issues connecting to Hue with SSL, restart the Hue service to update the configuration.
Cloudera Bug: OPSAPS-40700
LDAP trust failures not showing in stack traces
When an external user authenticating via LDAP or Active Directory fails to login to Cloudera Manager, the failure stack trace is now logged in the Cloudera Manager server log to help debug the failure.
Cloudera Bug: OPSAPS-40065
getRoles filtering is not working with Cloudera Manager API version11 and higher
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE
Cloudera Bug: OPSAPS-40184
Cluster templates don't include role level configuration
Fixed an issue with Cluster Templates where role level configuration was not getting exported. This was causing cluster to fail when trying user try to import a cluster template exported from a cluster on which HDFS HA was enabled.
Cloudera Bug: OPSAPS-31528
Dynamic Resource Pool drop-down options are not visible when using Internet Explorer 11
Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.
Cloudera Bug: OPSAPS-40522
Cloudera Manager Server not validating agent hostnames with TLS
Fixed an issue where, when using TLS, hostnames were not verified during agent to server communication. To fix this, Cloudera Manager has a new setting: Verify Agent Hostname Against Certificate. When enabled, agent hostnames must match the hostname in the agent certificate, which is validated when agents send heartbeats to the Cloudera Manager Server.
Cloudera Bug: OPSAPS-40125
User Administrator role cannot configure S3Guard
Fixed an issue where the user administrator role was disallowed from managing S3 configuration.
Cloudera Bug: OPSAPS-40083
Allow diagnostic bundle estimation timeout to be configurable
- -Dcom.cloudera.RoleLogEstimator.maxEstimateTimeoutSeconds=number of seconds (If not specified, the default is 90 seconds)
- -Dcom.cloudera.RoleLogEstimator.estimateTimeoutPerHostSeconds=number of seconds (If not specified, default is 60 seconds)
sudo service cloudera-scm-server restart
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40987
Peak Memory Usage report for Impala does not display data
Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3
Cloudera Bug: OPSAPS-39836
NullPointerException when accessing the configuration page for Alerts
Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.
Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2
Cloudera Bug: OPSAPS-39296
Issues Fixed in Cloudera Manager 5.11.2
Agent process directories re-mounted on agent restart
Fixed an issue where restarting an agent on newer Linux distributions such as Ubuntu 16.04 or Red Hat 7 would result in process run directories being remounted and lost.
Cloudera Bug: OPSAPS-41259
hostname parameter is not passed to Impala catalog role
IMPALA-5253 contained a security fix for clusters using Impala with TLS (SSL) security enabled. This fix was also made in several maintenance versions of CDH that require you to upgrade Cloudera Manager. If you upgrade to a CDH version with this fix without upgrading Cloudera Manager, Impala will not function when TLS is enabled for Impala. You should upgrade Cloudera Manager first if you want to move to a CDH version with the security fix.
This issue affects upgrades of Cloudera Manager and CDH to version 5.11.1.
There are two ways you can workaround this issue:
- Upgrade to one of the following versions of Cloudera Manager before upgrading CDH:
- 5.13.0
- 5.12.1
- 5.11.2
- 5.10.2
- 5.9.3
- 5.8.5
- Before upgrading CDH, set the -hostname option to the fully-qualified domain name of the Catalog Server using the Catalog Server Command Line Argument Advanced Configuration Snippet (Safety Valve) configuration property:
-hostname=fully-qualified-domain-name of Impala Catalog Server
(To set this property, in Cloudera Manager, go to the Impala service, select the Configuration tab and search for the property.
- 5.11.1
- 5.10.2
- 5.9.3
- 5.8.5
Cloudera bug: OPSAPS-41218
Maximum Diagnostic Bundle Size reported incorrectly
- The Send Diagnostic Data command was erroneously reporting the maximum allowed bundle size when the diagnostic bundle is created using the By Date Range option. This message was fixed to show the right allowed bundle size.
- The Send Diagnostic Data command displayed unclear error messages when the estimation step fails. This has been fixed to show a clear error message.
Cloudera Bug: OPSAPS-41020
Allow diagnostic bundle estimation timeout to be configurable
- -Dcom.cloudera.RoleLogEstimator.maxEstimateTimeoutSeconds=number of seconds (If not specified, the default is 90 seconds)
- -Dcom.cloudera.RoleLogEstimator.estimateTimeoutPerHostSeconds=number of seconds (If not specified, default is 60 seconds)
sudo service cloudera-scm-server restart
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40987
Reports Manager throws ArrayIndexOutOfBoundsException when indexing fsimage
Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.
Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40914
Proper termination and cleanup of YARN applications during decommissioning
Fixed an issue where YARN applications may not exit gracefully or clean-up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.
Cloudera Bug: OPSAPS-40731
Peak Memory Usage report for Impala does not display data
Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3
Cloudera Bug: OPSAPS-39836
Make Oozie Load-balancer URL mandatory when enabling Oozie HA
Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-39372
NullPointerException when accessing the configuration page for Alerts
Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.
Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2
Cloudera Bug: OPSAPS-39296
Issues Fixed in Cloudera Manager 5.11.1
All required fonts are now installed by Cloudera Manager
Fixed an issue where Cloudera Manager made requests to googleapi.com to download some of its required fonts, which fails if the browser does not have Internet access. Cloudera Manager now includes all of the necessary fonts.
Cloudera Bug:OPSAPS-40609.
Automated Cloudera Manager installer fails on Ubuntu 16.04
Fixed an issue where running the cloudera-manager-installer.bin installer file (as described in the documentation) fails on Ubuntu 16.04 LTS (Xenial).
Cloudera Bug: DOCS-2037.
Unable to connect to Oozie with curl
Fixed an issue where some Linux distributions could not connect to Oozie with curl through HTTPS when DHE-based ciphers are present.
Cloudera Bug: OPSAPS-40407
getRoles filtering is not working with Cloudera Manager API version11 and higher
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE
Cloudera Bug: OPSAPS-40184
Exception when setting maintenanceOwners to null
Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.
Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-32880
HBase configuration is supplied for Hive when HBase service is not selected
Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.
- CM5.8.5 and higher maintenance releases,
- CM5.9.2 and higher maintenance releases,
- CM5.10.2 and higher maintenance releases,
- CM5.11.1 and higher maintenance releases
When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart of all the stale services in order for them to receive the updated configuration in the hive-site.xml file.
Cloudera Bug: OPSAPS-39021
Accessing Sqoop2 with Hue fails
Fixed an issue where accessing Sqoop2 with Hue fails with the following error: Sqoop error: Could not get connectors.
CDH 5.5.0 or higher clusters running a Hue Service require a restart of Hue services because of a new configuration file. This new configuration file is required for Hue's Sqoop2 Application functions in secure settings, but it will show up whether or not Sqoop or security settings are in use.
Cloudera Bug: OPSAPS-27286
Exception when setting maintenanceOwners to null
Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.
Cloudera Bug: OPSAPS-32880
Underscores in LDAP domain names not allowed
Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.
Cloudera Bug: OPSAPS-40487
Only use healthy HDFS/Hive hosts for launching replication jobs
- Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
- Hosts that have a Non-Gateway role
- Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
- Hosts that are whitelisted, if configured
Cloudera Bug: OPSAPS-40040
CSD graceful service stop second step failure
Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafaka upgrades.
Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40002
Metric missing from Workload Summary for Kudu
Fixed an issue where the total_kudu_rows_upserted_rate_across_kudu_replicas metric was not included in the Workload Summary for Kudu.
Cloudera Bug: OPSAPS-40551
Low watermark value for Memstore Flush default is incorrect
For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.
This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.
The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.
Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.
Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5
Cloudera Bug: OPSAPS-38468
Failed health checks because of deprecated ntpc command
Fixed an issue where the ntpdc command was used in the host Clock Offset health test even if the command is deprecated for an operating system.
Cloudera Bug: OPSAPS-38268
Dynamic Resource Pool drop-down options are not visible when using Internet Explorer 11
Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.
Cloudera Bug: OPSAPS-40522
Cluster templates don't include role level configuration
Fixed an issue with Cluster Templates where role level configuration was not getting exported. This was causing cluster to fail when trying user try to import a cluster template exported from a cluster on which HDFS HA was enabled.
Cloudera Bug: OPSAPS-31528
Graceful shutdown of Kafka brokers does not work as expected
Fixed an issue where the new Graceful Shutdown Timeout configuration property does not work as expected. As a result, Kafka takes an additional 30 seconds (by default) to shut down, but will still only have 30 seconds to complete its controlled shutdown, before Cloudera Manager forcibly shuts down Kafka brokers regardless of the configured timeout.
Fixed in Cloudera Manager 5.11.1.
Cloudera Bug: OPSAPS-40106.
Issues Fixed in Cloudera Manager 5.11.0
ResourceManager state store recovery may fail.
Fixed an issue where ResourceManager state store recovery may fail. The YARN service will become stale when a cluster containing a YARN service with a ZooKeeper dependency set is upgraded to Cloudera Manager 5.10.1+ or 5.11+. Restart the YARN service normally or with a rolling restart.
Cloudera Bug: OPSAPS-38908
Cloudera Bug: OPSAPS-38908
Privilege Escalation in Cloudera Manager
Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.
Cloudera Bug: OPSAPS-34124
The cloudera-server-db fast_stop fails on Debian-based systems
Fixed an issue where the cloudera-server-db fast_stop command fails on non-sytemd Debian systems like Debian 7 with a command not found error.
Cloudera Bug: OPSAPS-39393
Cluster template export exports Autoconfiguration settings
Fixed an issue where the API to export cluster templates exported settings that were auto-configured. Auto-configured settings should not be exported in the cluster template.
Cloudera Bug: OPSAPS-39031
Pauses in Cloudera Manager after adding peer
Fixed an issue that caused pauses and slow performance of the Cloudera Manager Admin Console occur after creating a peer.
Fixed in Cloudera Manager 5.11
Cloudera Bug: OPSAPS-38868.
Max heap is wrong for ZooKeeper
Fixed an issue where the JVM Heap Memory Usage chart for ZooKeeper displayed the wrong value for maximum memory.
Cloudera Bug: OPSAPS-38821
Error starting the NodeManager when the /tmp directory is mounted as noexec
Fixed an issue where an error occurs when starting the NodeManager because the /tmp directory is mounted as noexec.
Cloudera Bug: OPSAPS-33053
Cloudera Manager cannot delete principals from AD when regenerating principals
Fixed an issue where generating Kerberos credentials failed when Active Directory properties like OU have a space in them or are too long to fit in a line.
Cloudera Bug: OPSAPS-37100
The Cloudera Manager Python API may experience connection errors
Python 2.7 and later enables certificate chain validation by default, and specifying a custom SSL context with an CA certificate may be required to prevent connection errors. The ApiResource constructor in the Cloudera Manager Python API now takes an optional "ssl_context" argument where a custom SSL context can be provided. This allow clients to specify the CA certificate of the API endpoint's certificate.
Cloudera Bug: OPSAPS-31699
The service cloudera-scm-server force_start command fails with Postgres SQL
Fixed an issue where a force start of the Cloudera Manager server failed if Cloudera Manager used PostgreSQL.
Cloudera Bug: OPSAPS-32915
Parcels cannot be removed from Cloudera Manager
Fixed an issue where parcels could not be removed from the Cloudera Manager database when the manifest.json file is not available in the remote repository or removed from the remote location.
Cloudera Bug: OPSAPS-34964
Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled
Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.
Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6
Cloudera Bug: OPSAPS-38865
Warning about suspicious non-ASCII punctuation character in KMS ACLs
When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.
Fixed in Cloudera Manager 5.11.0, 5.10.1
Cloudera Bug: OPSAPS-38670
Kafka fails when configured with Sentry and an old Kafka version
Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.
Cloudera Bug: OPSAPS-37907
Fixed in: Cloudera Manager 5.11.0, 5.10.1
Invalid regex needs agent hard_restarted
Fixed Cloudera Manager agent problem that requires hard restart when an invalid regular expression is used to specify tables in Hive replication.
Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2
Cloudera Bug: OPSAPS-38946 and OPSAPS-36974
Issue with views after BDR Hive Replication
Fixed an issue where a change to a Hive view on a source cluster was not reflected in the target cluster after Hive Replication with the Force Overwrite option selected.
Cloudera Bug: OPSAPS-39034
Sentry Database upgrades
During a CDH upgrade, the Sentry Database Upgrade step will be performed only when necessary. Previously, the Sentry Database Upgrade step always ran.
Cloudera Bug: OPSAPS-25405
Hive Replication fails when Impala is SSL enabled but Hadoop services are not
Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.
Cloudera Bug: OPSAPS-38700
Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2
Issues Fixed in Cloudera Manager 5.10.2
Underscores in LDAP domain names not allowed
Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.
Cloudera Bug: OPSAPS-40487
Low watermark value for Memstore Flush default is incorrect
For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.
This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.
The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.
Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.
Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5
Cloudera Bug: OPSAPS-38468
Heap dump files don't contain the correct process ID
Fixed an issue where if Sentry crashed with an OutOfMemory error, the generated dump file name was not unique, and therefore the file could be overwritten on subsequent occurrences of the error. This has been fixed to include the PID in the dump file name, which is the standard practice for other CDH services.
Cloudera Bug: OPSAPS-40600
CSD graceful service stop second step failure
Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafaka upgrades.
Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40002
getRoles filtering is not working with Cloudera Manager API version11 and higher
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE
Cloudera Bug: OPSAPS-40184
Only use healthy HDFS/Hive hosts for launching replication jobs
- Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
- Hosts that have a Non-Gateway role
- Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
- Hosts that are whitelisted, if configured
Cloudera Bug: OPSAPS-40040
Dynamic Resource Pool drop-down options are not visible when using Internet Explorer 11
Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.
Cloudera Bug: OPSAPS-40522
HBase configuration is supplied for Hive when HBase service is not selected
Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.
- CM5.8.5 and higher maintenance releases,
- CM5.9.2 and higher maintenance releases,
- CM5.10.2 and higher maintenance releases,
- CM5.11.1 and higher maintenance releases
When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart of all the stale services in order for them to receive the updated configuration in the hive-site.xml file.
Cloudera Bug: OPSAPS-39021
The cloudera-server-db fast_stop fails on Debian-based systems
Fixed an issue where the cloudera-server-db fast_stop command fails on non-sytemd Debian systems like Debian 7 with a command not found error.
Cloudera Bug: OPSAPS-39393
Exception when setting maintenanceOwners to null
Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.
Cloudera Bug: OPSAPS-32880
Cannot upload large diagnostic bundles
Fixed an issue where large diagnostic bundles, such as ones greater than 4 GB, fail to upload.
Cloudera Bug: OPSAPS-40100
NullPointerException when accessing the configuration page for Alerts
Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.
Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2
Cloudera Bug: OPSAPS-39296
Issues Fixed in Cloudera Manager 5.10.1
ResourceManager state store recovery may fail.
Fixed an issue where ResourceManager state store recovery may fail. The YARN service will become stale when a cluster containing a YARN service with a ZooKeeper dependency set is upgraded to Cloudera Manager 5.10.1+ or 5.11+. Restart the YARN service normally or with a rolling restart.
Cloudera Bug: OPSAPS-38908
Cloudera Bug: OPSAPS-38908
Privilege Escalation in Cloudera Manager
Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.
Cloudera Bug: OPSAPS-34124
Warning about suspicious non-ASCII punctuation character in KMS ACLs
When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.
Fixed in Cloudera Manager 5.11.0, 5.10.1
Cloudera Bug: OPSAPS-38670
Hive Replication fails when Impala is SSL enabled but Hadoop services are not
Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.
This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.
Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4
Cloudera Bug: OPSAPS-38700
Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled
Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.
Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6
Cloudera Bug: OPSAPS-38865
Spark CSD may cause issues in yarn-cluster mode
Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.
Fixed in Cloudera Manager 5.10.1, 5.9.2
Cloudera Bug: OPSAPS-39118
Invalid regex needs agent hard_restarted
Fixed Cloudera Manager agent problem that requires hard restart when an invalid regular expression is used to specify tables in Hive replication.
Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2
Cloudera Bug: OPSAPS-38946 and OPSAPS-36974
Kafka fails when configured with Sentry and an old Kafka version
Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.
Cloudera Bug: OPSAPS-37907
Fixed in: Cloudera Manager 5.11.0, 5.10.1
Hive Replication fails when Impala is SSL enabled but Hadoop services are not
Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.
Cloudera Bug: OPSAPS-38700
Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2
Issues Fixed in Cloudera Manager 5.10.0
Importing cluster templates fails
Fixes an issue where the Cluster Import command fails after updating parcel repositories and when the parameter addRepositories=true is included in the command and there are no pre-configured repositories in the cluster.
Cloudera Bug: OPSAPS-33059
DB Oracle client libraries cannot be found on host due to missing libaio1
On a parcels install, Hue can be set up with an Oracle Database. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.
Cloudera Bug: OPSAPS-34339
CM - error connecting to an Oracle DB with a Package install for HUE's DB
On a packages install, Hue can be set up with an Oracle Database and proceed past the Test Connection page in the setup wizard. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.
Cloudera Bug: OPSAPS-34608
Support non-public schemas with PostgreSQL
Cloudera Manager used to work with only 'public' schema in PostgreSQL. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user or database. For more information, see https://www.postgresql.org/docs/current/static/ddl-schemas.html.
Cloudera Bug: OPSAPS-33752
Truststore password shouldn't be required
Trust store passwords are not required. This fixes a bug where some Cloudera components erroneously reported that a password was required.
Cloudera Bug: OPSAPS-38183
Server error deleting a host - Cannot delete or update a parent row: a foreign key constraint fails
Fixes a database constraint violation that occurs when you use Cloudera Manager to delete a host that has cluster-wide configurations. (Kerberos configurations, for example.)
Cloudera Bug: OPSAPS-38150
Hide unlicensed configurations instead of disabling them
Cloudera Express no longer shows configurations that requires a license to manage.
Cloudera Bug: OPSAPS-38214
Various improvements in the Pools page
- You can now click on an input row and go directly to that input field in the edit dialog.
- The columns where you enter minimum and maximum values for Virtual cores and Memory now appear under headings Min Resources and Max Resources
- On the Create Resource Pool page, the Configuration Sets tab has been renamed to Resource Limits.
Cloudera Bug: OPSAPS-38133
Override the SMON client configuration so the MapReduce job does not produce compressed output
This fixes an issue where YARN utilization report may not work when MapReduce job output is specified as "Compressed" and a compression codec is used for it.
Cloudera Bug: OPSAPS-38460
Excess load on Cloudera Manager database
Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.
Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6
Cloudera Bug: OPSAPS-37985
Dollar sign '$' character in password results in an IllegalArgumentException
Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.
Cloudera Bug: OPSAPS-37542
Incorrect Scheduling Policy of Resource Pool Configuration in YARN
If a user did not make any resource policy change on an existing cluster, the default scheduling policy used is FAIR, but the Cloudera Manager Admin console incorrectly displays the policy as DRF. This is now fixed to show FAIR. When the user creates new clusters, the default scheduling policy will be DRF.
Cloudera Bug: OPSAPS-37478
Cannot select time period in custom charts in C5.9
The quick time selection (30m, 1h, etc) on custom dashboards now work correctly.
Cloudera Bug: OPSAPS-37190
Increase the default value of Safemode Minimum DataNodes property to 1
In Cloudera Manager 5.9 and lower, the HDFS property Safemode Minimum DataNodes has a default value of 0. This property configures the number of DataNodes that must register with the NameNode before the NameNode exits safe mode. This property now has a default value of 1 in CDH 5.9 and higher
In an empty cluster (that is, a cluster with no HDFS data) where the property is set to 0, this has the side effect of extending the duration of startup safe mode by about 30 seconds. For non-empty clusters, this change has no visible effect. This change only applies to new CDH 5.9 and higher clusters created with Cloudera Manager 5.10 or higher. Existing CDH 5.9 clusters are not affected; pre-CDH 5.9 clusters that are upgraded to CDH 5.9 or higher are also unaffected.
Cloudera Bug: OPSAPS-36988
Turn off HSTS header in Hue Load Balancer
Only the Hue server now only generates the HSTS HTTP header. Previously, both the Hue server and Hue Load Balancer generated the HSTS HTTP header.
Cloudera Bug: OPSAPS-35536
AWS ID being used for UUID, which can cause duplicate hosts
Prevent duplicate hosts from being reported in Cloudera Manager due to use of the AWS instance ID as a unique host identifier. Cloudera Manager now uses a random number as the host unique identifier instead. This prevents a duplicate host issue when host is running on a cloud service such as AWS and the host is added using the Cloudera Manager wizard and manually added later.
Cloudera Bug: OPSAPS-35282
Cloudera Manager corrupts passwords and other attributes
Previously, some users found that '******' were inserted in the database literally. Cloudera Manager now performs a check on this special string prevents it from being stored in the Cloudera Manager database.
Cloudera Bug: OPSAPS-34252
Database wizard error message when the database does not exist is misleading
Cloudera Manager now generates a proper error message when the database does not exist and the username and password do exist. Cloudera Manager now displays the message "Able to find the Database server, but not the specified database. Please check if the database name is correct and make sure that the user can access the database."
Cloudera Bug: OPSAPS-33915
Hive Replication: Make parameters replication on by default
Parameters of databases, tables, partitions, and indexes are replicated by default during Hive replications. You can disable this replication. See Replication of Parameters.
Cloudera Bug: OPSAPS-38197
NFS Gateway daemon in HDFS needs SSL server configs
The Web server of the HDFS NFS Gateway that is used to publish metrics and view configurations is now covered by SSL protection when enabled across the HDFS service. This fixes an issue that caused a failure when starting the Web interface for the NFS gateway.
Cloudera Bug: OPSAPS-33202
CM server error - JsonMappingException
Fixed an issue where a race condition can happen when getting the log links for unhealthy roles and then causes a null pointer exception for the Cloudera Manager homepage.
Cloudera Bug: OPSAPS-32804
"Restart needed" button doesn't appear after changing the server's private key password in the KeyTrustee Server service configuration
When passwords change, the stale configuration icons displays. When you click one of these icons, the Stale Configurations page displays but the page does not indicate which passwords have changed.
Cloudera Bug: OPSAPS-29146
Issues Fixed in Cloudera Manager 5.9.3
Reports Manager throws ArrayIndexOutOfBoundsException when indexing fsimage
Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.
Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40914
Make Oozie Load-balancer URL mandatory when enabling Oozie HA
Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-39372
Allow diagnostic bundle estimation timeout to be configurable
- -Dcom.cloudera.RoleLogEstimator.maxEstimateTimeoutSeconds=number of seconds (If not specified, the default is 90 seconds)
- -Dcom.cloudera.RoleLogEstimator.estimateTimeoutPerHostSeconds=number of seconds (If not specified, default is 60 seconds)
sudo service cloudera-scm-server restart
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40987
Low watermark value for Memstore Flush default is incorrect
For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.
This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.
The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.
Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.
Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5
Cloudera Bug: OPSAPS-38468
Exception when setting maintenanceOwners to null
Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.
Cloudera Bug: OPSAPS-32880
CSD graceful service stop second step failure
Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafaka upgrades.
Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40002
Heap dump files don't contain the correct process ID
Fixed an issue where if Sentry crashed with an OutOfMemory error, the generated dump file name was not unique, and therefore the file could be overwritten on subsequent occurrences of the error. This has been fixed to include the PID in the dump file name, which is the standard practice for other CDH services.
Cloudera Bug: OPSAPS-40600
Only use healthy HDFS/Hive hosts for launching replication jobs
- Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
- Hosts that have a Non-Gateway role
- Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
- Hosts that are whitelisted, if configured
Cloudera Bug: OPSAPS-40040
Process secrets no longer protected with file permissions
Fixed an issue where secret data, including passwords and other data, can be exposed in the /var/run/cloudera-scm-agent/process-name/proc.json or /var/run/cloudera-scm-agent/process-name/config.zip files because these files are world readable. See TSB-235 for more information.
Fixed in: Cloudera Manager 5.12, 5.11, 5.10.2, 5.9.3
Cloudera Bug: OPSAPS-40536
Peak Memory Usage report for Impala does not display data
Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.
Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3
Cloudera Bug: OPSAPS-39836
Validator for for hive.metastore.server.max.message.size can break Hive Metastore startup
The recommended value for Max Message Size for Hive MetaStore configuration parameter should be at least 10% of the value for the Java Heap Size of Hive Metastore Server in Bytes parameter, but should never exceed 2147483647B. Previously, the validator for Max Message Size for Hive MetaStore was showing an incorrect value in its validation message. This validator is now fixed to show the correct recommended value.
Cloudera Bug: OPSAPS-38434
getRoles filtering is not working with Cloudera Manager API version11 and higher
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE
Cloudera Bug: OPSAPS-40184
Issues Fixed in Cloudera Manager 5.9.2
Privilege Escalation in Cloudera Manager
Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.
Cloudera Bug: OPSAPS-34124
Excess load on Cloudera Manager database
Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.
Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6
Cloudera Bug: OPSAPS-37985
Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled
Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.
Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6
Cloudera Bug: OPSAPS-38865
Invalid regex needs agent hard_restarted
Fixed Cloudera Manager agent problem that requires hard restart when an invalid regular expression is used to specify tables in Hive replication.
Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2
Cloudera Bug: OPSAPS-38946 and OPSAPS-36974
Spark CSD may cause issues in yarn-cluster mode
Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.
Fixed in Cloudera Manager 5.10.1, 5.9.2
Cloudera Bug: OPSAPS-39118
Dollar sign '$' character in password results in an IllegalArgumentException
Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.
Cloudera Bug: OPSAPS-37542
Hive Replication fails when Impala is SSL enabled but Hadoop services are not
Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.
Cloudera Bug: OPSAPS-38700
Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2
Issues Fixed in Cloudera Manager 5.9.1
Cannot select time period in custom charts in C5.9
The quick time selection (30m, 1h, and so on) on custom dashboards does not work in 5.9.x.
Cloudera Bug: OPSAPS-37190
Hive table Views do not get restored from S3
When creating a Hive Replication schedule that copies Hive data from S3 and you select the Reference Data From Cloud option, Hive table Views are not restored correctly and result in a Null Pointer Exception when querying data from the view.
Cloudera Bug: OPSAPS-37549
Cloudera Manager blocks from HS2 enabling both LDAP and Kerberos authorization
HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 or higher. Previously, this was considered an error.
Cloudera Bug: OPSAPS-34310
Support non-public schemas
Cloudera Manager used to work with only the public schema in Postgresql. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in postgresql, which can be set for a user, database, etc: See https://www.postgresql.org/docs/current/static/ddl-schemas.html
Cloudera Bug: OPSAPS-33752
Alert Publisher throws "unsigned 32bit value" error after long uptime
Fixes an issue where the Alert Publisher throws "unsigned 32bit value" error after long uptime. TimeTick is an extension of UnsignedInteger32 type. TimeTick represents time in 1/100 seconds. Its value range is 0 to 4294967295. Activity Monitor's uptime is a Java long type that can exceed the range of TimeTicks. Before this fix, long uptime could cause the Alert Publisher to throw the "unsigned 32bit value" error.
Cloudera Bug: OPSAPS-35564
Issues Fixed in Cloudera Manager 5.9
Configuration changes marking too many roles as stale
When upgrading to Cloudera Manager 5.9 or later, YARN will become stale due to the following properties changing to be emitted to the Resource Manager role only:
- yarn.scheduler.fair.user-as-default-queue
- yarn.scheduler.fair.preemption
- yarn.scheduler.fair.sizebasedweight
- yarn.scheduler.fair.assignmultiple
- yarn.scheduler.fair.locality.threshold.node
- yarn.scheduler.fair.locality.threshold.rack
This fixes a problem where changes to these configurations would mark too many roles as stale. You can safely ignore staleness to any role caused by the removal of these configuration parameters.
Cloudera Bug: OPSAPS-32610
Impala load_catalog_in_background configuration should be set to false by default in Cloudera Manager
Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.
Cloudera Bug: OPSAPS-35869
Oozie first run fails with custom principals
Fixed an issue in Cloudera Manager 5.8.1 where the first time Oozie is run it fails if using Kerberos custom principals.
Cloudera Bug: OPSAPS-35822
Cluster export fails when service configuration is invalid
Fixed an issue in the export cluster template code path where it was failing because of stale configuration settings in the Cloudera Manager database. This can occur when configurations are deprecated on older CDH releases.
Cloudera Bug: OPSAPS-35586
Add gateway role to Kafka and move dependencies' client configs into Kafka's client configs
Cloudera recommends that you place your Kafka host in the same logical cluster as your Sentry host. However, if you deploy Kafka as a separate logical cluster, you can deploy a dummy Sentry service on Kafka's logical cluster with an override for Sentry-site.xml to point to the Sentry service on first logical cluster, and then it can be turned off. This is a workaround that allows Cloudera Manager to generate the appropriate Sentry client configurations for Kafka.
Cloudera Bug: OPSAPS-35369
Sentry Upgrade command is not retriable
If the Sentry Upgrade command fails, you can now retry the command.
Cloudera Bug: OPSAPS-35365
Impala Breakpad script does not convert exponentials into decimals and leads to errors
Fixed an issue where the Impala Breakpad script fails if you try to collect more than 10 MB of dumps from a single role.
Cloudera Bug: OPSAPS-34971
HDFS-S3: Incremental backup support
HDFS-S3 replication supports incremental backups using snapshot diffs. HDFS-S3 replication does not support incremental restore using snapshot diff.
Cloudera Bug: OPSAPS-34987
Fix css in navigation
- Do not show role link again on the role instances page.
- Do not bold the decommission state.
- Do not use long display name for hosts; use short display name.
- Show the role link on the role health test page.
- Show Today rather than the long time label.
- Show only month, date when the year is the same.
- Make the icons in navigation line up.
- Make the icons in navigation not so wide.
- Change all line-height settings to multiples of 4.
- Add back the border below the title.
Cloudera Bug: OPSAPS-35262
Fix sorting on the instances page
Fixed the initial sort order on the instances page.
Cloudera Bug: OPSAPS-35268
Nightly Charts are broken due to gridster refactoring
There is a permission issue on the Cluster Status page where the grid is never enabled, and on the View Page where the grid is always enabled for all users. The former change allows the user to customize the Cluster status page. The latter change ensures that users do not get errors when customizing specific view pages.
Cloudera Bug: OPSAPS-34526
Redact s3 credential properties in MR by default.
AWS S3 credentials, if specified in the job configuration by setting fs.s3a.access.key and fs.s3a.secret.key, were shown as clear text in MapReduce UIs. The credentials are now redacted by default in all MapReduce UIs.
Cloudera Bug: OPSAPS-36840
Latest Cloudera Manager Java client does not work on older Cloudera Manager
Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.
Cloudera Bug: OPSAPS-36315
Comment for command retry in the cm_api Python github needs to be updated
Fixed the API command documentation to include the canRetry attribute. Added a new method, ApiCommand.getCanRetry() and deprecated the method ApiCommand.isCanRetry().
Cloudera Bug: OPSAPS-36009
cm_api changes for HDFS Cloud replication schedule args
python api changes for hdfs cloud replication.
Cloudera Bug: OPSAPS-35892
Defaults to 1st Impala service in the cluster when there are multiple Impalas
Fixed an issue that prevented the display of Impala usage on the Cluster Utilization page when there are two Impala services in the same cluster. The UI shows usage for the first Impala service only.
Cloudera Bug: OPSAPS-34495
Staleness check page popped up 30s ~ 60s after clicking the icon.
Fixed an issue where a stale configuration page would take a lot of time to load for a large cluster.
Cloudera Bug: OPSAPS-34497
Oozie points to older sharelib even after running sharelib install command
Fixed the Install Oozie Share Lib action so that the Oozie service is informed that there is a new shared library installed. This eliminates the need for a separate manual restart.
Cloudera Bug: OPSAPS-26825
Cloudera Manager set catalogd default jvm memory to 4G can cause out of memory error on upgrade to Cloudera Manager 5.7+
After upgrading to 5.7 or later, you might see a reduced Java heap maximum on Impala Catalog Server due to a change in its default value. Upgrading from Cloudera Manager lower than 5.7 to Cloudera Manager 5.8.2 no longer causes any effective change in the Impala Catalog Server Java Heap size.
When upgrading from Cloudera Manager 5.7 or later to Cloudera Manager 5.8.2, if the Impala Catalog Server Java Heap Size is set at the default (4GB), it is automatically changed to either 1/4 of the physical RAM on that host, or 32GB, whichever is lower. This can result in a higher or a lower heap, which could cause additional resource contention or out of memory errors, respectively.
Cloudera Bug: OPSAPS-34039
Agent uses USER env var to run everything if it is set
Cloudera Manager Server now runs services using the user ID with which that single-user mode is configured. If single-user mode is configured on the agents to use the user cloudera-scm, then an attempt to run Hive as the user hive fails.
Cloudera Bug: OPSAPS-35621
In LZO enabled clusters, the cluster utilization feature fails
YARN usage aggregation job now runs successfully on clusters where LZO compression is being used.
Cloudera Bug: OPSAPS-33356
HDFS Snapshot policy is selecting unhealthy host to run on
When selecting a role to run HDFS Snapshot command, Cloudera Manager selects a non-decommissioned host in Active status. Also, hosts in maintenance mode have a lower priority than the ones in active state.
Cloudera Bug: OPSAPS-33144
Discourage CSDs from producing client config files that pollute the root dir
For CSD development, there are now deprecation warnings in the CLI validation tool and the Maven validation plugin. These indications provide guidance for future behavior changes in the support of CSD services in Cloudera Manager. A deprecation warning is shown when applicable, but does not affect the outcome of the validation.
Cloudera Bug: OPSAPS-33510
Ensure that one-off processes cannot re-execute.
One-off requests, such as "Inspect Hosts," do not re-execute.
Cloudera Bug: OPSAPS-34255
Hive Replication Command should update copy the Serde properties correctly
Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.
Cloudera Bug: OPSAPS-34354
Cloudera Manager complains "Unable to parse the input XML" when you enter an working XML for the "Fair Scheduler XML Advanced Configuration Snippet (Safety Valve)"
Passing a legal XML value to Fair Scheduler XML Advanced Configuration Snippet (Safety Valve) no longer causes a parsing error.
Cloudera Bug: OPSAPS-34329
If files excluded by exclusion filters are renamed, they are not replicated
Customers using Incremental HDFS replication had an issue where if an excluded file (through exclusion filters) is renamed to an included file, the new file was not copied to the destination cluster. This issue is resolved as part of this fix.
Cloudera Bug: OPSAPS-34066
Proper fix to handle parcel activation falsely succeeding when host health is failing
Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix involves adding an extra stop to wait for hosts to report correct the parcel version before proceeding.
Cloudera Bug: OPSAPS-33766
Deferred cgroup removal might not be waiting at all
This fix provides some wait time before the SCM agent attempts to remove control groups (cgroups) again after initial failure.
Cloudera Bug: OPSAPS-32331
SMON should only fall back to Oozie's instrumentation endpoint if the metrics endpoint gives a 503
SMON blindly fell back to Oozie's instrumentation endpoint if it had any problems with the metrics endpoint. Now, SMON falls back only if the metrics endpoint returns a 503 error code, which is the only case it could possibly have success with instrumentation endpoint.
Cloudera Bug: OPSAPS-31988
Support bundle missing client configuration deployment logs
Client configuration deployment logs are now collected as a part of diagnostics support bundle, which were unintentionally removed in Cloudera Manager 5.3.
Cloudera Bug: OPSAPS-31377
Use concurrency option when uploading the sharelib to be faster
You can increase the number of threads used to upload the Oozie sharelib to HDFS. This significantly reduces the time it takes for this operation. This feature is available starting in CDH 5.9.0.
Cloudera Bug: OPSAPS-31078
Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"
Before this fix, the host inspector incorrectly warned about kernel version "2.6.32-504.16.2" as "non-recommended"
Cloudera Bug: OPSAPS-35170
Agent orphan cleanup removes process dir from in flight process
With this fix, the preventative steps in TSB-181 are no longer required.
Cloudera Bug: OPSAPS-35294
Rolling upgrade fails if services stopped
Rolling upgrade will no longer fail if services are stopped.
Cloudera Bug: OPSAPS-34322
Redact Content from Flume configuration
Enabled redaction of sensitive information from Flume configuration.
Cloudera Bug: OPSAPS-34506
Redaction of sensitive information from diagnostic bundles at creation time
- Modified Cloudera Manager so that known sensitive data is redacted from the bundles before transmission to Cloudera.
- Updated Cloudera CDH components to remove logging and output of known potentially sensitive properties and configurations.
See Redaction of Sensitive Information from Diagnostic Bundles.
Cloudera Bug: OPSAPS-34621
Huge memory leak if the HDFS File Browser UI remains open for an extended time
If the HDFS File Browser were kept open for long periods of time, it could cause a memory leak that would cause Cloudera Manager to crash. This fix addresses the issue.
Cloudera Bug: OPSAPS-35168
Evaluate impact of disabling second-level cache on performance at scale
Disabled second level hibernate cache, which was causing the cache to become "stale" under load. There is no significant difference in Cloudera Manager performance after disabling the cache.
Cloudera Bug: OPSAPS-34010
Express wizard failing to install ZooKeeper
Installing CDH using Packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which could result in the wizard using the wrong one. The Cloudera Manager wizard now ensures the correct binaries are selected. Workaround: Use the parcels format or manually install the correct packages.
Cloudera Bug: OPSAPS-36100
Empty archive files should not be created for impala role diagnostics
Support Bundles started collecting Impala minidumps bundles in Cloudera Manager 5.8.0 and higher. It was generating an empty TAR file if no bundles were found. With this fix, no empty TAR files are generated.
Cloudera Bug: OPSAPS-34887
Cloudera Manager no longer shows "this step is expected to fail" when enabling HDFS-HA
Cloudera Manager now shows the correct label when performing HA.
Cloudera Bug: OPSAPS-30777
If total_space_bytes is very large, heartbeats fail
Fixed an issue where the heartbeat fails with a host that has a mount point backed by cloud storage, such as AWS.
Cloudera Bug: OPSAPS-35742
Enabling cgroups requires "impala" group even if there is no Impala service
Fixed the presumption that any default-named group exists in hosts. YARN cgroup containers do not require the Impala user/group to be present in hosts.
Cloudera Bug: OPSAPS-35242
OOMKiller script not works for Impala Catalog
Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.
Cloudera Bug: OPSAPS-33991
Issues Fixed in Cloudera Manager 5.8.5
Privilege Escalation in Cloudera Manager
Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.
Cloudera Bug: OPSAPS-34124
Use whitelist to only check known good parcels before first run
During the execution of First-Run command, the command only waits for the Cloudera Manager Agent to detect CDH parcels and does not wait for any other activated parcels. Previously, it was waiting for agents to detect all the activated parcels.
Cloudera Bug: OPSAPS-38304
HBase configuration is supplied for Hive when HBase service is not selected
Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.
- CM5.8.5 and higher maintenance releases,
- CM5.9.2 and higher maintenance releases,
- CM5.10.2 and higher maintenance releases,
- CM5.11.1 and higher maintenance releases
When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart of all the stale services in order for them to receive the updated configuration in the hive-site.xml file.
Cloudera Bug: OPSAPS-39021
getRoles filtering is not working with Cloudera Manager API version11 and higher
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE
Cloudera Bug: OPSAPS-40184
Placement rules in DRP UI should provide option to not create sub-pools
Nested User Pools (except existingSecondaryGroup) now support create=true|false as a checkbox in the UI.
Cloudera Bug: OPSAPS-39625
Low watermark value for Memstore Flush default is incorrect
For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.
This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.
The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.
Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.
Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5
Cloudera Bug: OPSAPS-38468
Issues Fixed in Cloudera Manager 5.8.4
CM server error - JsonMappingException
Fixed an issue where a race condition can happen when getting the log links for unhealthy roles and then causes a null pointer exception for the Cloudera Manager homepage.
Cloudera Bug: OPSAPS-32804
Dollar sign ($) char in password results in IllegalArgumentException
Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.
Cloudera Bug: OPSAPS-37542
Error when distributing parcels : No such torrent
Error when distributing to host: No such torrent:parcel_name.torrent
Workaround: Remove the file /opt/cloudera/parcel-cache/parcel_name.torrent from the host.
Cloudera Bug: OPSAPS-37183
Hive Replication Command should update copy the Serde properties correctly
Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.
Cloudera Bug: OPSAPS-34354
Hive Replication fails when Impala is SSL enabled but Hadoop services are not
Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.
This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.
Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4
Cloudera Bug: OPSAPS-38700
Excess load on Cloudera Manager database
Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.
Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6
Cloudera Bug: OPSAPS-37985
Ability to configure the length of Impala queries that SMON keeps in memory
Lengthy queries (such as Impala DDLs) sometimes overloaded the SMON (service monitor) heap, resulting in out-of-memory exceptions (OOME). With this release, queries are limited to 10k characters by default. This setting can be adjusted using the safety valve mechanism (Advanced Configuration Snippet) in Cloudera Manager.
Cloudera Bug: OPSAPS-37053
Issues Fixed in Cloudera Manager 5.8.3
YARN historical reports by user shows pool-user entity
When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)
Cloudera Bug: OPSAPS-34986.
If total_space_bytes is very large, heartbeats fail
Fixes heartbeat failure with a host that has a mount point backed by cloud storage, such as AWS.
Cloudera Bug: OPSAPS-36144.
OPSAPS-29327 Add config for hive.metastore.server.max.message.size
You can configure hive.meetastore.max.message.size using Max Message Size for Hive MetaStore. The default setting is 100MB. This can cause staleness during a Cloudera Manager upgrade.
Cloudera Bug: OPSAPS-34098.
CM blocks from HS2 enabling both LDAP and Kerberos authentication
HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 and higher.
Cloudera Bug: OPSAPS-34310.
Backport OPSAPS-36100 Debian 8.2 packages cdh install fix to C5.8
Installing CDH using Packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which caused the installer to get confused and pick the wrong one. Cloudera Manager's wizard now ensures the correct binaries are selected.
Cloudera Bug: OPSAPS-36971.
Impala load_catalog_in_background config should set to "false" by default in CM
Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.
Cloudera Bug: OPSAPS-35869.
[api] Latest CM Java client does not work on older CM
Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.
Cloudera Bug: OPSAPS-36315
Empty archive files should not be created for Impala role diagnostics
Support Bundles started collecting Impala minidump bundles with Cloudera Manager 5.8 and higher. If no bundles were found, Cloudera Manager generated an empty TAR file. With this fix, no empty TAR files are generated.
Cloudera Bug: OPSAPS-34887
OOMKiller script not works for Impala Catalog
Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple java processes including other roles on the same host.
Cloudera Bug: OPSAPS-33991
Sentry Upgrade command is not retriable
If the Sentry Upgrade command fails, you can now retry the command.
Cloudera Bug: OPSAPS-35365
Support non-public schemas
Cloudera Manager used to work with only 'public' schema in PostgreSQL. With this change, Cloudera Manager supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user, database, and so on. https://www.postgresql.org/docs/current/static/ddl-schemas.html
Cloudera Bug: OPSAPS-33752
Issues Fixed in Cloudera Manager 5.8.2
Improve advanced configuration snippet redaction to encompass cloud provider credentials and other access tokens
The redaction of potentially sensitive parameters in advanced configuration snippets is extended to those commonly used by the Azure Data Lake.
Cloudera Bug: OPSAPS-29523
If files excluded by exclusion filters are renamed, they are not replicated
Customers using Incremental HDFS replication had an issue where if an excluded file (through exclusion filters) is renamed to an 'included' file, the new file is still not copied to the destination cluster. This issue is resolved as part of this fix.
Cloudera Bug: OPSAPS-34066
Hive Replication Command should update copy the Serde properties correctly
Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.
Cloudera Bug: OPSAPS-34354
Increase default Solrd watchdog Timeout value
Solr server initialization can take up to 60 secs to complete. During this time interval, Solr server does not respond to the solrd watchdog requests. This can result in solrd watchdog terminating the Solr server process. The default timeout duration for watchdog is increased to 70 secs.
Cloudera Bug: OPSAPS-34320
Add service changes YARN settings
In Cloudera Manager 5.7, adding any new service to your cluster can cause the YARN setting for mapreduce.job.reduces to change unexpectedly. Adding a service no longer causes this problem.
Cloudera Bug: OPSAPS-34151
OPSAPS-29327 Add config for hive.metastore.server.max.message.size
Hive Metastore max message size can be configured now using Max Message Size for Hive MetaStore. It defaults to 100MB. It can cause staleness for customers on Cloudera Manager upgrade.
Cloudera Bug: OPSAPS-34098
XSS in Kerberos activation
In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.
Cloudera Bug: OPSAPS-33883
Upload deployment.json fails when it contains replication info
While trying to migrate Cloudera Manager using deployment.json file with existing Hive replication, schedules used to fail. This has been fixed in this release.
Cloudera Bug: OPSAPS-33927
Cloudera Manager set cataloged default jvm memory to 4G may cause oom on upgrade to Cloudera Manager 5.7+
After upgrading to 5.7 or later, customers could see a reduced Java heap maximum on Impala Catalog Server, due to a change in its default value. Upgrading from Cloudera Manager < 5.7 to Cloudera Manager 5.8.2 no longer sees any effective change in the Impala Catalog Server Java Heap size.
Cloudera Bug: OPSAPS-34039
Oozie first run fails with custom principals
In 5.8.1, Oozie first run fails if using kerberos custom principals. This is now fixed.
Cloudera Bug: OPSAPS-35822
Hive Replication shows "Dry Run" incorrectly
The earlier known issue that running Hive Replication shows "Dry Run" in status message is fixed now.
Cloudera Bug: OPSAPS-33206
HDFS Snapshot policy is selecting unhealthy host to run on
Policy for selecting a role to run HDFS Snapshot command: We select a non-decommissioned host that is in Active status. Also, hosts in maintenance mode have a lower priority than hosts in active state.
Cloudera Bug: OPSAPS-33144
Cluster export fails when service configuration is invalid
The export cluster template code path was failing because of stale configuration in the Cloudera Manager database. Having a stale configuration in the database is possible. This could happen when configurations are deprecated on older CDH releases.
Cloudera Bug: OPSAPS-35586
Agent orphan cleanup removes process dir from in flight process
With this fix, the preventative steps in TSB-181 are no longer required.
Cloudera Bug: OPSAPS-35294
Fix CatalogServiceClient to handle TLS connections to catalogd for UDF replication
When Impala uses SSL, Cloudera supports TLS Connection to Catalog Server. Customers are able to enable replication for any Impala UDFs/Metadata (in Hive Replication).
Cloudera Bug: OPSAPS-34801
Redact Content from Flume config
Enabled redacting sensitive information from Flume configuration.
Cloudera Bug: OPSAPS-34506
Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"
Host inspector incorrectly warns about kernel version "2.6.32-504.16.2" as "non-recommended."
Cloudera Bug: OPSAPS-35170
Impala Breakpad script does not convert exponentials into decimals and leads to errors
Impala Breakpad script failure that happens when trying to collect more than 10 MB of dumps from a single role is fixed.
Cloudera Bug: OPSAPS-34971
Oozie points to older sharelib even after running sharelib install command
After an "Install Oozie Share Lib" action, the Oozie service is informed that that there is a new shared lib installed. This eliminates the need for a separate manual restart.
Cloudera Bug: OPSAPS-26825
Issues Fixed in Cloudera Manager 5.8.1
CDH upgrade from 5.7.x to 5.8.x fails when Sentry gateway role is enabled
If the Sentry Gateway role is configured on any hosts of a CDH 5.7.x cluster, the upgrade process to CDH 5.8.x fails.
Upgrades to CDH 5.8.x now complete successfully.
Cloudera Bug: OPSAPS-35356
Issues Fixed in Cloudera Manager 5.8.0
Changes to yarn.nodemanager.remote-app-log-dir not picked up from gateway
YARN log aggregation did not work when yarn.nodemanager.remote-app-log-dir was configured to a non-default location. Now this value is emitted in YARN client configuration, ensuring clients logs go to the proper location.
This fix causes staleness.
Cloudera Bug: OPSAPS-29422
MapReduce2 Counter Limits on Cloudera Manager's YARN page
Fixed an issue where the MapReduce2 property mapreduce.job.counters.max was not included in the configuration for the JobHistory Server, which could cause jobs to fail if there were too many counters. This might happen despite increasing the limit configured in Cloudera Manager. The property is now included in the JobHistory Server configuration, in addition to the related property mapreduce.job.counters.groups.max.
This fix causes staleness.
Cloudera Bug: OPSAPS-26705
Cloudera Bug: OPSAPS-26705
Kafka MirrorMaker unable to start due to KAFKA_HOME not being set
Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.
Cloudera Bug: OPSAPS-33293
Kafka unable to start due to misconfigured security.inter.broker.protocol when Kerberos is enabled
Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.
This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.
Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.
Cloudera Bug: OPSAPS-31744
Child commands for deleting or adding a nameservice show stack trace
In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.
Cloudera Bug: OPSAPS-33383
Setting owner of a file in Isilon fails
On Isilon systems, the owner that the file is being changed to must be present on the system. In general cases, the user is not present, so this command fails with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.
Cloudera Bug: OPSAPS-33145
Handle drop-recreate partition efficiently
With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).
Cloudera Bug: OPSAPS-33954
HiveReplicationCmdArgs.update is not accessible using Cloudera Manager
PROPERTIES_TO_UPDATE=INDICES,PARAMETERS,PARTITIONS,PRIVILEGES
Cloudera Bug: OPSAPS-33953
Operation log directory should be configurable and monitored in Cloudera Manager
Property | Default |
---|---|
Enable HiveServer2 Operations Logging | true |
HiverServer2 Operations Log Directory | /var/logs/hive/operation_logs |
Cloudera Bug: OPSAPS-29483
Kerberos should use non-person objects when creating principals in Active Directory
You can now configure Active Directory account properties. You can use custom values for objectClasses to configure accounts, including non-person objects.
Cloudera Bug: OPSAPS-30301
Changes to yarn.nodemanager.remote-app-log-dir not picked up from gateway
YARN log aggregation did not work when yarn.nodemanager.remote-app-log-dir was configured to a non-default location. Now this value is emitted in YARN client configuration, ensuring clients logs go to the proper location.
Cloudera Bug: OPSAPS-29422
Key Trustee KMS should use round-robin configuration when Key Trustee server uses High Availability
If the Key Trustee server is configured with High Availability, the Key Management Service needs to use round-robin DNS.
Cloudera Bug: OPSAPS-29221
AD_ACCOUNT_PREFIX should not be required
Active Directory Account Prefix was improperly implemented as a required configuration for Security/ Kerberos. The use of this configuration is now optional.
Cloudera Bug: OPSAPS-29196
Proper fix to handle parcel activation falsely succeeding when host health is failing
Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix involves adding an extra stop to wait for hosts to report the correct parcel version before proceeding.
Cloudera Bug: OPSAPS-33766
Document Kerberos + Isilon support in Disaster Recovery
BDR is now supported on Isilon (including on clusters secured with Kerberos).
Cloudera Bug: OPSAPS-33758
Separation of authentication and authorization coprocessor configs in HBase
HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed related issue where clusters with authentication (kerberos) but not authorization failed in Hbase-related MapReduce jobs.
Cloudera Bug: OPSAPS-33657
Cloudera Manager - BDR UI - Generate replication diagnostics data. Failed due to java.lang.NullPointerException.
Trying to collect diagnostic data for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of displaying a Java stack trace.
Cloudera Bug: OPSAPS-33438
Diagnostic collection fails on a failed BDR job
Failed BDR jobs no longer report errors on "Collect diagnostic data" actions.
Cloudera Bug: OPSAPS-33474
Redact Advanced Configuration Snippets in the UI that contain secrets
Cloudera Manager 5.8 supports redaction of Advanced Configuration Snippet parameters in UI configuration pages. Redaction is based on matching keywords defined as sensitive, and detected within the contents of the Advanced Configuration Snippet text. Users who can edit the parameter still see the sensitive words, but users without edit privileges see only the redacted contents.
Cloudera Bug: OPSAPS-33401
Cloudera Manager - snapshot - take snapshot - needs reset of illegal character when fixed
Fixed an issue in the Take Snapshot dialog where the validation of the snapshot name could become "stuck" and prevent execution of the operation.
Cloudera Bug: OPSAPS-33464
BDR UI: Add Search back - It is difficult to find the desired replication schedule in the Cloudera Manager 5.5 UI
The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.
Cloudera Bug: OPSAPS-33171
Spark standalone does not come up if HDFS is not available
The Spark standalone service now works without an HDFS service. This requires Spark services to show up as stale and require a restart after upgrade to Cloudera Manager 5.7.1 and higher.
Cloudera Bug: OPSAPS-33509
Cloudera Manager - add hdfs nameservice - gets stack trace
In an existing HDFS High Availability setup, when the user tries to add or delete a nameservice and, in the process, attempts to get progress on the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs the user that the child commands have not yet run.
Cloudera Bug: OPSAPS-33383
BDR Replication Schedule page is slow to load
Replication schedules page load performance is improved.
Cloudera Bug: OPSAPS-33125
Replication DistCp - setOwner behavior on Isilon causing failures
On Isilon systems, the owner to which the file is being changed must be present on the system. In general cases, the user is not present, so this command tends to fail with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.
Cloudera Bug: OPSAPS-33145
Unable to start Hue on cluster that's using Kerberos and Isilon
Hue service can now start with Isilon if Kerberos is enabled.
Cloudera Bug: OPSAPS-27441
Enable database notifications from Hive
Hive now has the property Enable Stored Notifications in Database. When set, Hive logs DDL notifications in Hive Metastore.
Cloudera Bug: OPSAPS-32629
The hbase user should be whitelisted by default in the list of allowed system users to launch YARN applications
YARN Allowed System Users now includes hbase by default. This is helpful when running certain tools for HBase that need to execute MapReduce jobs.
Cloudera Bug: OPSAPS-32631
Allow HDFS Balancer to login with keytab
When running an HDFS rebalance command on a kerberized cluster with a large amount of data, it could would take enough time to complete that authentication would expire and cause an error. Leveraging a new capability in HDFS, the rebalance command is now able to use a keytab file to automatically renew authentication before it expires.
Cloudera Bug: OPSAPS-32372
Add support for delete tables and databases deleted on the source
Cloudera Manager now supports deletion of entities from a target Hive database when those entities are deleted from source Hive database during Hive incremental replication.
Cloudera Bug: OPSAPS-32625
Default MapReduce option should be YARN
The default MapReduce service for a new replication schedule is YARN.
Cloudera Bug: OPSAPS-32650
BDR Administrator cannot enable snapshots though the role says it can
BDR Administrator authority message is now more accurate: Create replication schedules and snapshot policies.
Cloudera Bug: OPSAPS-32521
Hive incremental replication enhancements
Cloudera Manager 5.8 includes Hive incremental replication support.
Cloudera Bug: OPSAPS-32366
Cloudera Manager API allows users with read-only privileges to list all Cloudera Manager users
A security bug in the Cloudera Manager API allowed users with read-only permissions to view all the existing users in Cloudera Manager. This issue is now fixed.
Cloudera Bug: OPSAPS-32916
Decide the value for TTL for DbNotifications
You can configure Time-to-live for Database Notifications in Hive for notifications present in the NOTIFICATION_LOG. The default is 2 days.
Cloudera Bug: OPSAPS-32898
Make the cluster menu sticky
Previously, the Clusters Menu expanded the first cluster by default. As the user expanded or collapsed the accordion, it remembered the configuration for the current session. When the user goes to the services, roles, or host of another cluster, it maintained the configuration of the previously expanded cluster (which might or might not match). In Cloudera Manager 5.7.1 and higher, Cloudera Manager records the last relevant cluster when the user visits a cluster, service, role or host page, and expands that cluster in the Clusters menu by default.
Cloudera Bug: OPSAPS-32850
NPE on Impala Admission Control page if Memory Limit is not set
In lower releases, if the configuration Impala Daemon Memory Limit is not set, the Impala Admission Control page throws a NullPointerException. This is now fixed.
Cloudera Bug: OPSAPS-33023
Change Impala service configs for admission control
Enable Impala Admission Control and Enable Dynamic Resource Pools are now enabled by default. Customized configuration values are preserved during upgrade.
Cloudera Bug: OPSAPS-32737
Disaster Recovery on Isilon breaks with Kerberos
BDR on Isilon storage is now supported with kerberized clusters.
Cloudera Bug: OPSAPS-32825
Breakpad Crash Reporting for Impala
Support bundles now collect "minidumps" from Impala that help to debug Impala crash issues. As part of this functionality, Cloudera Manager exposes two properties for three roles (Impalad, Catalog Server, Statestore Server).
Property | Description |
---|---|
Breakpad Dump Dir | This determines where the "minidumps" are temporarily available. |
Max Breakpad Dump Files | This determines the maximum number of files stored in dump dir (this limits the amount of storage allocated to Impala dump files). |
Cloudera Bug: OPSAPS-33050
s3 protocol and scheme should not be pruned during Hive metadata export
With this change, the cloud HDFS path remains as it is after replication.
Cloudera Bug: OPSAPS-32022
YARN mapreduce.shuffle.max.connections is a NodeManager setting and not a client setting
mapreduce.shuffle.max.connections was emitted to files of YARN clients instead of the NodeManager. It is now correctly emitted only for the NodeManager.
Cloudera Bug: OPSAPS-31772
Kafka unable to start due to listener misconfiguration when Kerberos is enabled
Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.
Cloudera Bug: OPSAPS-31744
Chart Builder not showing graphs on IE9
In Cloudera Manager 5.7, charts would not render in the Chart Builder page on IE9. This issue is fixed in Cloudera Manager 5.8.
Cloudera Bug: OPSAPS-31561
Deb 8.2 support for Cloudera Manager
Cloudera Manager is now supported on Debian 8.2.
Cloudera Bug: OPSAPS-31296
ResourceManager would not start if NodeManager were down during the start phase of the restart cycle
All YARN roles are stopped and started together when the service stop or start command is issued with CDH 5.2 and higher. If CDH version is lower than 5.2, the previous behavior of stopping ResourceManagers before NodeManagers and starting them after NodeManagers stays the same.
Cloudera Bug: OPSAPS-30981
Default TLS keystore location for HTTPFS is on non-persistent disk
The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on the new host, then update the configuration in Cloudera Manager to point to the new path.
Cloudera Bug: OPSAPS-27976
Active Directory principals created without AES 128/256 bit cause job failures if cluster is configured for AES
- rc4-hmac
- aes128-cts
- aes256-cts
- des-cbc-crc
- des-cbc-md5
Cloudera Bug: OPSAPS-27020
MR2 counter limits in the Cloudera Manager YARN page should populate all MR2 config files
The MapReduce2 property mapreduce.job.counters.max was not included in the configuration for the JobHistory Server, which could cause jobs to fail if there were too many counters. This might happen despite increasing the limit configured in Cloudera Manager. The property is now included in the JobHistory Server configuration, in addition to the related property mapreduce.job.counters.groups.max.
Cloudera Bug: OPSAPS-26705
BDR: support use of a custom principal
Cloudera Manager now supports custom Kerberos principals for BDR.
Cloudera Bug: OPSAPS-24658
Add QueryMonitoring chart to Impala service charts
A new chart on the Impala service page shows query duration for completed Impala queries.
Cloudera Bug: OPSAPS-22909
Add symbols to Cloudera Manager generated Active Directory passwords
Name | Value |
---|---|
length | 12 |
minLowerCaseLetters | 2 |
minUpperCaseLetters | 2 |
minDigits | 2 |
minSpaces | 0 |
minSpecialChars | 0 |
specialChars | ?.!$%^*()-_+=~ |
Cloudera Bug: OPSAPS-22853
Regenerate principals should delete from Active Directory, too
It is now possible to regenerate principals for Active Directory setups. This involves deletion of existing accounts and regeneration of new principals. Since some customers might not want to do this through Cloudera Manager, starting with Cloudera Manager 5.8 you can enable the new property Active Directory Delete Accounts on Credential Regeneration. Regenerating credentials with this setting enabled automatically deletes existing accounts and completes the regeneration. This setting is disabled by default. If disabled, regeneration of principals throws an error message saying that deletion of accounts is required. Cloudera Manager needs the new configuration to be set in order to delete accounts automatically.
Cloudera Bug: OPSAPS-22182
XSS in Kerberos activation
In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.
Cloudera Bug: OPSAPS-33883
XSS in host addition
In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.
Cloudera Bug: OPSAPS-33905
XSS in Host Templates
In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.
Cloudera Bug: OPSAPS-33882
Make it more obvious when phone home is off
In lower releases, it was not obvious in the Send Diagnostics dialog whether data would be sent back to Cloudera. The dialog is enhanced to make this information more visible.
Cloudera Bug: OPSAPS-28674
Allow ad hoc sub-pools to be created within existing pools
Cloudera Manager supports the nestedUserQueue feature in the UI. You no longer have to use the safety valve to specify nestedUserQueues. This means you can make all jobs without specified user queues go to root.<YOUR_POOL>.<username> or root.<YOUR_POOL>.<primaryGroup> from the UI.
Cloudera Bug: OPSAPS-30156
Add an option to duplicate resource pool configs
Selecting Clone lets you create a new pool from the settings of an existing pool.
Cloudera Bug: OPSAPS-32471
Impala Admission Control root pool should have configurable ACLs
Impala Admission Control now supports a global way of editing ACLs.
Cloudera Bug: OPSAPS-33963
Do not create host templates when create cluster wizard is run
During cluster creation, host templates are no longer created automatically.
Cloudera Bug: OPSAPS-32659
The modal height is not calculated correctly
In lower releases, the modal dialog is sometimes too tall. This is now fixed.
Cloudera Bug: OPSAPS-33457
new required fields Key Management Server Proxy Group created if there is more than 1 KMS instance
When adding two Key Trustee KMS roles during the initial setup wizard, sometimes these roles were assigned to different groups. The required configuration was set for some but not all of these groups, causing errors. This is now fixed.
Cloudera Bug: OPSAPS-33946
Links should not be shown on print out
When you print pages from Cloudera Manager, the printout no longer displays link URLs.
Cloudera Bug: OPSAPS-33542
Allow customization of ldap account properties for AD-Kerberos setup
The Active Directory account properties objectClasses and accountExpires are now configurable from the Kerberos Configuration UI page.
Cloudera Bug: OPSAPS-26419
Support bundle has no way to enforce that a certain time is guaranteed to be in bundle
Support bundles can now be collected for a certain time range. Users are also able to get an estimate of the bundle size before collecting the diagnostic data. Only role logs collected as a part of the support bundle are supported by this item in Cloudera Manager 5.8. This item is not available for scheduled support bundles.
Cloudera Bug: OPSAPS-23557
Fix Spark CSD to keep client config files in subdir
The Spark CSD was modified to avoid conflicts with other CSDs that depend on it, and causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.
Cloudera Bug: OPSAPS-33511
Cloudera Manager Agent clears out JN data directories that leads to HDFS not restarting
On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.8, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.
Cloudera Bug: OPSAPS-34171
Hue should not use the embedded sqlite db by default when possible
Hue now has built-in support for PostgreSQL by taking advantage of the system library python-psycopg2. In addition to this library, Hue also includes the system libraries listed in the following table.
System | Library |
---|---|
CentOS 5 | Not supported |
CentOS 6 and 7 | postgresql-libs |
Ubuntu 10.04 | libpq5, python-egenix-mxdatetime and python-central |
Ubuntu 12.04 and 14.04 | libpq5 |
SLES 11 sp2 | libpq5 |
Cloudera Bug: OPSAPS-12507
Issues Fixed in Cloudera Manager 5.7.6
The following issues are fixed in Cloudera Manager 5.7.6.
Excess load on Cloudera Manager database
Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.
Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6
Cloudera Bug: OPSAPS-37985
Hive Replication Command should update copy the Serde properties correctly
Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.
Cloudera Bug: OPSAPS-34354
Dollar sign ($) char in password results in IllegalArgumentException
Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.
Cloudera Bug: OPSAPS-37542
Hive Replication fails when Impala is SSL enabled but Hadoop services are not
Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.
This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.
Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4
Cloudera Bug: OPSAPS-38700
CM server error - JsonMappingException
Fixed an issue where a race condition can happen when getting the log links for unhealthy roles and then causes a null pointer exception for the Cloudera Manager homepage.
Cloudera Bug: OPSAPS-32804
Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled
Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.
Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6
Cloudera Bug: OPSAPS-38865
Issues Fixed in Cloudera Manager 5.7.5
The following issues are fixed in Cloudera Manager 5.7.5.
OOMKiller script does not work for Impala Catalog
Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.
Cloudera Bug: OPSAPS-33991
Issues Fixed in Cloudera Manager 5.7.4
The following issues are fixed in Cloudera Manager 5.7.4.
Agent orphan cleanup removes process dir from in flight process
With this fix, the preventative steps in TSB-181 are no longer required.
Cloudera Bug: OPSAPS-35294
YARN historical reports by user shows pool-user entity
When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)
Cloudera Bug: OPSAPS-34986
Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"
Host inspector no longer warns that kernel version "2.6.32-504.16.2" as "non-recommended."
Cloudera Bug: OPSAPS-35170
Fix CatalogServiceClient to handle TLS connections to catalogd for UDF replication
When Impala uses SSL, Cloudera supports TLS Connection to Catalog Server. You can enable replication for any Impala UDFs/Metadata (in Hive Replication).
Cloudera Bug: OPSAPS-34801
If total_space_bytes is really big, heartbeats fail
Fixes heartbeat failure with a host that has a mount point backed by cloud storage such as AWS.
Cloudera Bug: OPSAPS-36145
Oozie points to older sharelib even after running sharelib install command
After an "Install Oozie Share Lib" action, the Oozie service is informed that that there is a new shared lib installed. This eliminates the need for a separate manual restart.
Cloudera Bug: OPSAPS-26825
Cloudera Manager blocks from HS2 enabling both LDAP and Kerberos auth
HS2 supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 or higher. Previously, this was considered an error.
Cloudera Bug: OPSAPS-34310
OOMKiller script does not work for Impala Catalog
Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple java processes, including other roles on the same host.
Cloudera Bug: OPSAPS-33991
Issues Fixed in Cloudera Manager 5.7.2
Unable to start Hue on cluster that's using Kerberos and Isilon
Hue service can now start with Isilon if Kerberos is enabled.
Cloudera Bug: OPSAPS-27441
BDR UI: Add Search back - It is difficult to find the desired replication schedule in the Cloudera Manager 5.5 UI
The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.
Cloudera Bug: OPSAPS-33171
Handle drop-recreate partition efficiently
With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).
Cloudera Bug: OPSAPS-33954
Hue static directory is browsable
The static web directory in Hue is no longer indexed and browsable when the Hue Load Balancer is used.
XSS in Kerberos activation
In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.
Cloudera Bug: OPSAPS-33883
XSS in host addition
In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.
Cloudera Bug: OPSAPS-33905
XSS in Host Templates
In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.
Cloudera Bug: OPSAPS-33882
Cloudera Manager Agent clears out JN data directories that leads to HDFS not restarting
On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.7.2, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.
Cloudera Bug: OPSAPS-34171
Separation of authentication and authorization coprocessor configs in HBase
HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed related issue where clusters with authentication (kerberos) but not authorization failed in Hbase-related MapReduce jobs.
Cloudera Bug: OPSAPS-33657
Adding a new service changes mapreduce.job.reduces setting
Adding a new service in Cloudera Manager no longer changes the YARN setting mapreduce.job.reduces.
Cloudera Bug: OPSAPS-34151
BDR: Hive replication status always shows "(Dry Run)"
Running a Hive replication schedule in BDR no longer displays "(Dry Run)" in the status.
BDR Replication Schedule page is slow to load
Replication schedules page load performance is improved.
Cloudera Bug: OPSAPS-33125
HDFS Snapshot running on unavailable nodes
When selecting a host on which to run the HDFS Snapshot command, Cloudera Manager now excludes unavailable hosts, such as hosts in maintenance mode or decommissioned hosts.
Cloudera Bug: OPSAPS-33144
Migrating Cloudera Manager using deployment.json fails if replication schedules are configured
Migrating Cloudera Manager using deployment.json no longer fails if replication schedules are configured.
Cloudera Bug: OPSAPS-33927
Files excluded from replication are not replicated if they are renamed
If a file excluded from replication by an exclusion filter is renamed, it is now replicated properly.
Cloudera Bug: OPSAPS-34066
Issues Fixed in Cloudera Manager 5.7.1
Spark standalone does not come up if HDFS is not available
The Spark standalone service now works without an HDFS service. This requires Spark services to show up as stale and require a restart after upgrade to Cloudera Manager 5.7.1 and higher.
Cloudera Bug: OPSAPS-33509
Kafka unable to start due to listener misconfiguration when Kerberos is enabled
Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.
Cloudera Bug: OPSAPS-31744
Default TLS keystore location for HTTPFS is on non-persistent disk
The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on the new host, then update the configuration in Cloudera Manager to point to the new path.
Cloudera Bug: OPSAPS-27976
Fix Spark CSD to keep client config files in subdir
The Spark CSD was modified to avoid conflicts with other CSDs that depend on it, and causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.
Cloudera Bug: OPSAPS-33511
Cloudera Manager HDFS usage reports do not include Inode references
Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.
Cloudera Bug: OPSAPS-33094
Kafka MirrorMaker unable to start due to KAFKA_HOME not being set
Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.
Cloudera Bug: OPSAPS-33293
Authentication errors occur due to missing SAML metadata
- If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
-
If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:
- Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
- Change SAML Entity Alias under clouderaManager" to " and restart Cloudera Manager. "
Cloudera Bug: OPSAPS-33088
Child commands for deleting or adding a nameservice show stack trace
In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.
Cloudera Bug: OPSAPS-33383
HiveServer2 Web UI did not use SSL when Kerberos was enabled
SSL configuration for the HiveServer2 Web UI is now used regardless of whether Kerberos is in use.
Cloudera Bug: OPSAPS-33255
Clusters menu expands to last cluster viewed
Previously, the Clusters menu expanded the first cluster by default, and as you expand or collapse the menu, Cloudera Manager remembers that cluster for the session. However, when you go to services, roles, or hosts of another cluster, Cloudera Manager does not remember the other cluster and shows the previously expanded cluster instead.
In release 5.7.1 and higher, Cloudera Manager remembers the last cluster viewed by a user and expands that cluster in the Clusters menu by default.
Cloudera Bug: OPSAPS-32850
Impala does not throw null pointer exception when memory limit is not set
If the configuration property Impala Daemon Memory Limit was not set, the Impala Admission Control page threw a null pointer exception.
Cloudera Bug: OPSAPS-33023
HDFS rolling restart fails after CDH upgrade
In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).
Cloudera Bug: OPSAPS-33035
The Expand Range option did not work for some charts
The Expand range to fill all values option in Chart Builder now works for all charts.
Cloudera Bug: OPSAPS-33277
Kafka unable to start due to misconfigured security.inter.broker.protocol when Kerberos is enabled
Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.
This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.
Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.
Cloudera Bug: OPSAPS-31744
Oozie JVM heap metrics not reported in Chart Builder for some services
Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.
Cloudera Bug: OPSAPS-33006
Spark CSD modified
The Spark CSD was modified to avoid conflicts with other CSDs that depend on it. This change causes the Spark service to require a restart when upgrading to Cloudera Manager 5.7.1.
Cloudera Bug: OPSAPS-33511
Poorly formed Advanced Configuration Snippets cause null pointer exception with diagnostic bundles
Certain poorly formed Advanced Configuration Snippets could cause a Null Pointer Exception when uploading diagnostic bundles and setting up a Cloudera Manager peer.
Cloudera Bug: OPSAPS-33378
Setting owner of a file in Isilon fails
On Isilon systems, the owner that the file is being changed to must be present on the system. In general cases, the user is not present, so this command fails with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.
Cloudera Bug: OPSAPS-33145
The Install Oozie ShareLib command is now visible to users with the Configurator role.
Cloudera Bug: OPSAPS-33157
Default location for TLS Keystore for HTTPFS is nonpersistent
The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted when the host reboots. Newly created clusters now have an empty default instead of one that could be deleted. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained, so there is no disruption on upgrade. However, Cloudera Manager warns that the path is in a dangerous location. To fix this problem, move the files to a safe path on that host, and then update the configuration in Cloudera Manager to point to the new path.
Cloudera Bug: OPSAPS-27976
Collecting diagnostic bundle displayed Java stack trace
Collecting a diagnostic bundle for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of throwing a Java stack trace.
Cloudera Bug: OPSAPS-33438
Unable to stop Cloudera Manager Agent on SLES 11
Fixes TSB-144.
Running the restart or stop service commands failed to stop the Agent.
Cloudera Bug: OPSAPS-33225
Error creating bean
Occasionally, some users encountered the message Error creating bean with name 'newServiceHandlerRegistry' in the Cloudera Manager Admin Console. This issue has been resolved.
Cloudera Bug: OPSAPS-33324
Impala JVM heap size is configurable
The JVM heap size of the Impala catalog server can be configured now using the Java Heap Size of Catalog Server in Bytes property. The property defaults to 4 GB, and like all memory parameters may require tuning.
Cloudera Bug: OPSAPS-26483
Issues Fixed in Cloudera Manager 5.7.0
Plain-text passwords sent to users
An authenticated user could request and receive documents that included passwords they were permitted to modify. This information was sent as plain text. Passwords are no longer included in request responses.
Cloudera Bug: OPSAPS-30757
Cloudera Manager forces Solr shutdown before operations complete
When stopping the Solr service, Cloudera Manager would forcibly stop the service after a period of time. This could result in Solr cores not coming up cleanly. Cloudera Manager now waits for all operations to complete on the Solr server before exiting.
Cloudera Bug: OPSAPS-30903
Re-enabling Kerberos fails due to duplicate roles
As part of enabling Kerberos, a role is created. Attempts to re-enable Kerberos failed because the role already existed from when Kerberos was enabled before. When Kerberos is enabled, Cloudera Manager reuses any required roles if they already exist.
Cloudera Bug: OPSAPS-30703
Processes used incorrect HOME variable
CDH service processes and third-party (CSD) processes used an incorrect HOME variable. These process now now run with the HOME environment variable set to the correct home directory based on the process user.
Cloudera Bug: OPSAPS-30610
Stale Kerberos configuration reported after deploying Kerberos client configuration
After making Kerberos configuration changes through Manage krb5.conf is enabled, the configuration issue 'Cluster has stale Kerberos configuration' might have displayed and might not have disappeared after running . The deploying Kerberos client configuration action now waits for pending staleness checks before identifying stale hosts on which to apply Kerberos configuration.
, andWorkaround: Make a different, non-Kerberos edit to a configuration, and save that change. Revert that change immediately afterward.
Cloudera Bug: OPSAPS-30371
Time range settings on report pages are incorrect
Time range settings were incorrect. They are now set correctly on report pages.
Cloudera Bug: OPSAPS-30016
Add Service Wizard fails to set Hive on Spark performance tuning parameters
Automatic configuration for Hive on Spark performance tuning parameters did not run when adding a Hive service to an existing cluster. In the past, these tuning parameters ran when adding a cluster that contained Hive, YARN, and Spark on YARN. The rules now run as long as Hive depends on YARN in both the add service and add cluster wizards.
Cloudera Bug: OPSAPS-25460
Setting empty values for LDAP Base DN and LDAP Domain produces errors
Setting empty values for the LDAP Base DN and LDAP Domain for Impala resulted in errors. These settings are now handled without errors.
Cloudera Bug: OPSAPS-29546
Restart of deleted roles does not wait until deleted roles are identified
Restart and rolling restart commands did not always wait until all deleted roles were identified. As a result, services that had not yet been identified as requiring a restart were not restarted. Restart and rolling restart commands now wait for staleness checks to complete, if the user requests that only stale services be restarted. This avoids a race between staleness computation checking and how services are determined to be stale and thus restarted.
Cloudera Bug: OPSAPS-29190
Miscellaneous problems with the Replication user interface
- The Last Run column incorrectly sorted dates. Dates are now correctly sorted.
- Collecting diagnostic data for failed Hive Replication commands failed with an error. This data collection now succeeds.
- Finished schedules were shown as running. Schedules now accurately reflect their state.
- Scheduled time was incorrectly translated between browser time and server time. Scheduled time is now correctly translated.
- The Actions menu would be disabled while a replication schedule was running, which blocked changing future runs configurations. The Actions menu is now enabled for replication schedules with commands running.
Cloudera Bug: OPSAPS-29759
Misleading error occurs while deploying client configuration
The error "There is already a pending command on this entity" was shown if a command was in process for a service and an attempt is made to run the "Deploy client configuration" command. This error is no longer shown.
Cloudera Bug: OPSAPS-31461
Gathering task progress produced null pointer exceptions
Gathering progress information on a variety of tasks could result in null pointer exceptions. For example, this could occur when decommissioning a host. Progress information is now gathered as expected.
Cloudera Bug: OPSAPS-32347
User interface elements are hidden when windows are resized
Some windows could be resized so buttons were not visible. For example, this could happen with the Create Replication dialog box. The user interface now handles resizing as expected.
Cloudera Bug: OPSAPS-32060
HDFS data transfers uses 3DES despite configuration
The configuration information for using the AES/CTR/NoPadding cipher suite for HDFS data transfers was incomplete. As a result, traffic was encrypted with the much slower 3DES algorithm. The correct configuration is now included with the HDFS client.
Cloudera Bug: OPSAPS-31607
Solr keystore passwords are no longer presented in clear text
Because of Tomcat restrictions, Solr keystore passwords were sent as clear text on the machines running the service. They are now redacted.
Cloudera Bug: CDH-33626.
Removing a host from a cluster removes all Kerberos client configuration
Removing a host from a cluster automatically removed all Kerberos client configuration from any other hosts still in the cluster. Now, when one host is removed from a cluster, any Kerberos client configuration on other hosts is unaffected.
Cloudera Bug: OPSAPS-29796
Hive replication import fails to include some information
During the Hive replication import phase, schema and location information was not consistently populated. This information is now populated as expected.
Cloudera Bug: OPSAPS-31332
Restarts attempt to deploy client configuration when action is not supported
After upgrading a parcel, restart or rolling restart steps automatically attempted to deploy the client configuration, even if that was not supported by the cluster configuration. Now, client configurations are deployed only if the cluster configuration supports this action.
Cloudera Bug: OPSAPS-31483
Some pages load very slowly
Some pages, such as the All Recent Commands page, may take over 30 seconds to load. This process has been optimized, reducing load times.
Cloudera Bug: OPSAPS-26772
kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster
When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.
Cloudera Bug: OPSAPS-31795
Some jobs never run due to memory configuration
It was possible to configure the YARN NodeManager with an amount of available memory less than the amount of memory available to the YARN container. In such a case, a job might never find a NodeManager that meets the memory requirements. The system now ensures that at least one YARN container is configured with an equal or greater amount of memory than the YARN NodeManager value.
Cloudera Bug: OPSAPS-22584
Replication schedule API not compatible with older versions
Clients using the version 10 replication schedule API did not work as expected with instances of Cloudera Manager using version 11 of the API. This meant that clients from Cloudera Manager 5.4.0 and lower did not work as expected with servers running Cloudera Manager 5.5.0 and higher. Clients and servers using these different API versions now function as expected.
Cloudera Bug: OPSAPS-32504
Issues Fixed in Cloudera Manager 5.6.2
Issues Fixed in Cloudera Manager 5.6.1
Scheme and location not filled in consistently during Hive replication import
In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.
Cloudera Bug: OPSAPS-31522
Cloudera Manager HDFS usage reports do not include Inode references
Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.
Cloudera Bug: OPSAPS-33094
Kafka MirrorMaker unable to start due to KAFKA_HOME not being set
Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.
Cloudera Bug: OPSAPS-33293
kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster
When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.
Cloudera Bug: OPSAPS-31795
Authentication errors occur due to missing SAML metadata
- If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
-
If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:
- Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
- Change SAML Entity Alias under clouderaManager" to " and restart Cloudera Manager. "
Cloudera Bug: OPSAPS-33088
Oozie JVM heap metrics not reported in Chart Builder for some services
Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.
Cloudera Bug: OPSAPS-33006
Issues Fixed in Cloudera Manager 5.6.0
CDH upgrade fails if the GPL Extras parcel in use
CDH and GPL Extras parcel versions must match exactly. When upgrading CDH, by default Cloudera Manager validates the dependency between the new CDH parcel and existing GPL Extras parcel. Since the dependency is not satisfied, the check returns an error and the upgrade fails.
Cloudera Bug: OPSAPS-26436
- Deactivate parcel dependency checking:
- Select .
- Search for Validate Parcel Relations.
- Deselect the checkbox.
- Click Save Changes to commit the changes.
- Deactivate the GPL Extras parcel.
- Download, distribute, and activate the GPL Extras parcel that matches the CDH upgrade version.
- Upgrade CDH.
- Reactivate parcel dependency checking.
Issues Fixed in Cloudera Manager 5.5.6
Separation of authentication and authorization coprocessor configs in HBase
HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed in HBase-related MapReduce jobs.
Cloudera Bug: OPSAPS-33657
Replications page: sort by schedule ID as default
In the Replications page, the table is now sorted by ID as a default.
Cloudera Bug: OPSAPS-33212
Hive Replication shows "Dry Run" incorrectly
Fixes an issue where running Hive Replication shows "Dry Run" in status message.
Cloudera Bug: OPSAPS-33206
HDFS Snapshot policy is selecting unhealthy host to run on
When selecting a role to run HDFS Snapshot command, Cloudera Manager now selects a non-decommissioned host in Active status. Also, hosts in maintenance mode have a lower priority than the ones in active state.
Cloudera Bug: OPSAPS-33144
Cloudera Manager no longer shows "this step is expected to fail" when enabling HDFS-HA
When enabling HDFS-HA, if the NameNode directories are empty, Cloudera Manager reports this as an error. In lower versions, it returned a message saying the failure is expected. Cloudera Manager now shows the correct message when performing HA.
Cloudera Bug: OPSAPS-30777
Configuration for all services is marked stale during upgrade
When you upgrade to version 5.5.6 of Cloudera Manager, the client configuration for all services is marked stale. From the Cluster menu, select Deploy Client Configuration to redeploy the client configuration.
Cloudera Bug: OPSAPS-36234
Issues Fixed in Cloudera Manager 5.5.4
Cluster provisioning fails
In some cases, provisioning of a cluster may fail at the start of the process. This does not happen in all cases and is mainly noticed on RHEL 6 and especially when some hosts are reporting bad health.
Releases affected: 5.5.0-5.5.3, 5.6.0-5.6.1, 5.7.0
Releases containing the fix: 5.5.4, 5.7.1
For releases containing the fix, parcel activation and first run command now completes as expected, even when some hosts report bad health.
This issue is fixed in Cloudera Manager 5.5.4 and 5.7.1 and higher.
Cloudera bug: OPSAPS-33564
Scheme and location not filled in consistently during Hive replication import
In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.
Cloudera Bug: OPSAPS-31522
Kafka MirrorMaker unable to start due to KAFKA_HOME not being set
Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.
Cloudera Bug: OPSAPS-33293
Cloudera Manager HDFS usage reports do not include Inode references
Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.
Cloudera Bug: OPSAPS-33094
New Hive tables fail to replicate when Sentry Sync is enabled
When Sentry Sync is enabled, new Hive tables failed to replicate. Replication now occurs as expected.
Cloudera Bug: OPSAPS-33065
kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster
When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.
Cloudera Bug: OPSAPS-31795
Authentication errors occur due to missing SAML metadata
- If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
-
If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:
- Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
- Change SAML Entity Alias under clouderaManager" to " and restart Cloudera Manager. "
Cloudera Bug: OPSAPS-33088
HDFS rolling restart fails after CDH upgrade
In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).
Cloudera Bug: OPSAPS-33035
Oozie JVM heap metrics not reported in Chart Builder for some services
Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.
Cloudera Bug: OPSAPS-33006
Issues Fixed in Cloudera Manager 5.5.3
Users using external LDAP authentication with no local Cloudera Manager user role explicitly set may default to the read-only role when upgrading to Cloudera Manager 5.5.2
When upgrading to Cloudera Manager 5.5.2, customers who have non-read-only roles configured through LDAP, and have not explicitly set Cloudera Manager local roles, may lose their Cloudera Manager privileges set by LDAP.
Releases affected: Cloudera Manager 5.5.2
- May be affected: Install Cloudera Manager 5.3 -> Upgrade to Cloudera Manager 5.5.1 -> Upgrade to Cloudera Manager 5.5.2
- Unaffected: Install Cloudera Manager 5.5.1 -> Upgrade to Cloudera Manager 5.5.2
- Customers who installed Cloudera Manager 5.5.0 and higher and upgraded.
- Customers who use Cloudera Manager local role authorization, regardless of upgrade path and version.
Severity: High
- Resolve any conflicting user authorization permissions between LDAP and Cloudera Manager local permissions.
- Contact Cloudera Support for further instructions if you cannot resolve conflicting LDAP and Cloudera Manager user permissions.
- Before upgrading, resolve any conflicting user authorization permissions between LDAP and Cloudera Manager local permissions.
- Upgrade to Cloudera Manager 5.5.3 or higher.
Issues Fixed in Cloudera Manager 5.5.2
Oozie and HttpFS keystore passwords are no longer presented in clear text
Because of Tomcat restrictions, the Oozie and HttpFS keystore passwords were sent as clear text on the machines running the services. They are now hidden.
Cloudera Bug: OPSAPS-25522
Cross-site scripting vulnerability using malformed strings in the Parcel Remote URLs list
An attacker could set a malformed string in the Parcel Remote URLs list in the database and trigger the attack when a user accesses the Administration Settings page. This attack is now prevented.
Cloudera Bug: OPSAPS-30590
Starting/stopping roles for Flume instance succeeds but displays nothing in popup
In Cloudera Manager 5.5.0, running a Flume start/stop service command would succeed, but display an empty popup. This is now fixed.
Cloudera Bug: OPSAPS-31075
Role process commands missing stderr and stdout in command details
In Cloudera Manager 5.5, certain commands did not show links to stderr or stdout in the Cloudera Manager UI even if they were executed recently. These could still be found in /var/run/cloudera-scm-agent/process/ on that host. In Cloudera Manager 5.5.2 stderr and stdout should appear as they did before.
Note that links to stderr and stdout for commands may disappear if another command is run on that role. This is expected. The logs can still be found in /var/run/cloudera-scm-agent/process/ on that host.
Cloudera Bug: OPSAPS-30671
Updating the Hive NameNode location multiple times could lead to data corruption
Multiple updates to the Hive NameNode location could cause Hive Metastore database corruption. Issuing the same command multiple times no longer produces problems.
Cloudera Bug: OPSAPS-30155
Cloudera Manager skips NameNode logs in the diagnostic bundle
Scheduled diagnostic bundles did not include recent role logs. Diagnostic bundles collected manually (not scheduled) worked as expected. Now, scheduled diagnostic bundles include the latest NameNode logs.
Cloudera Bug: OPSAPS-30787
Kafka 2.0 fails to deploy on large clusters as reserved.broker.max.id defaults to 1000
Large Kafka clusters would not start when Cloudera Manager-generated broker IDs exceeded the value set by reserved.broker.max.id. The default value of broker.id.generation.enable has now been set to false to disable the reserved.broker.max.id configuration property and avoid collisions.
Cloudera Bug: OPSAPS-31128
Cloudera Manager fails to propagate HBase coprocessors to the gateway nodes
Cloudera Manager does not propagate HBase coprocessors to the gateway nodes. As a result, tools that depend on the HBase security subsystem, such as the loadIncrementalHFiles tool, do not use security features, even in secure environments.
Cloudera Bug: OPSAPS-28196
<property> <name>hbase.coprocessor.region.classes</name> <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value> </property>
HDFS nameservices API call returns incorrect HA role status
The HDFS nameservices API returned incorrect active/standby status information for HA roles. API calls made about roles that were active might return standby status and roles that were in standby status might return active status. Information about host statuses is now accurate.
Cloudera Bug: OPSAPS-29337
Hive requires the hive principal for HiveServer2 host as well as load balancer
An issue with HiveServer2 missing its principal and keytab when Hive is load-balanced has been fixed.
Cloudera Bug: OPSAPS-29881
More descriptive error message for service trying to start on a decommissioned host
Cloudera Manager now displays a more descriptive error message when it skips the "Start" command because all roles are started or decommissioned or on a decommissioned host.
Cloudera Bug: OPSAPS-25549
UI shows repeated errors when loading replications page
Issue fixed with loading the replication page when a previous replication command fails without launching a MapReduce job.
Cloudera Bug: OPSAPS-28789
Allow option for external users to be assigned roles in the local database
- If a user is assigned a role in Cloudera Manager, this local role is used.
- Otherwise, a user's LDAP group association determines the user role.
Cloudera Bug: OPSAPS-31181
Clean up usercache directories on migration from unsecure to secure mode
Fixes an issue that led to YARN jobs failing after migration from unsecure to secure mode.
Cloudera Bug: OPSAPS-28378
Spark REST API does not work when parcels are used
The REST API for retrieving data from a live Spark UI or from the Spark History Server has been fixed.
Cloudera Bug: OPSAPS-30919
In secure clusters, DataNode fails to start when dfs.data.transfer.protection is set and DataNode ports are changed to unprivileged ports
Before this fix, the only way to run the DataNode on unprivileged ports (port number > 1024) in a Kerberized cluster with DataNode Data Transfer Protection enabled, was to use single-user mode. Now this configuration works for both regular and single-user mode installs.
Both Hadoop SSL and DataNode Data Transfer Protection are still required for unprivileged DataNode ports to work in a Kerberized cluster. This configuration is supported only in CDH 5.2 and higher.
Cloudera Bug: OPSAPS-30819
New validation warning for non-recommended secure DataNode configurations in CDH 5.2 and higher
- Security through SASL/TLS (preferred):
- DataNode Data Transfer Protection - Enabled
- Hadoop TLS/SSL - Enabled
- DataNode Transceiver Port - Non-privileged (that is, port number >= 1024)
- Secure DataNode Web UI Port (TLS/SSL) - Non-privileged (that is, port number >= 1024)
- Security through privileged ports:
- DataNode Data Transfer Protection - Disabled
- Hadoop TLS/SSL - Disabled
- DataNode Transceiver Port - Privileged (that is, port number < 1024)
- DataNode HTTP Web UI Port - Privileged (that is, port number < 1024)
Any configuration other than these results in a validation warning or error from Cloudera Manager. In particular, the following configuration, which is allowed by HDFS but is not recommended, results in a (dismissible) validation warning:
- (Not Recommended) Security without enabling DataNode Data Transfer Protection:
- DataNode Data Transfer Protection - Disabled
- Hadoop TLS/SSL - Enabled
- DataNode Transceiver Port - Privileged (that is, port number < 1024)
- Secure DataNode Web UI Port (TLS/SSL) - Non-privileged (that is, port number >= 1024)
All configurations other than the three listed result in Cloudera Manager displaying a validation error.
Cloudera Bug: OPSAPS-31266
Sensitive environment parameters not redacted for CSDs
Passwords in environment variables for CSDs are now redacted.
Cloudera Bug: OPSAPS-29915
Update Apache Commons Collections library in Cloudera Manager due to major security vulnerability
The Apache Commons Collections library has been upgraded to 3.2.2 to fix a critical security vulnerability.
Cloudera Bug: OPSAPS-30428
Remove plaintext keystore password from /api/v6/cm/config
With the addition of the JVM parameter, \-Dcom.cloudera.api.redaction=true, sensitive configuration values are redacted from the API.
Cloudera Bug: OPSAPS-26677
JVM parameter to redact passwords now redacts the password salt and hash
When API redaction is turned on using the JVM argument -Dcom.cloudera.api.redaction=true, it also redacts the user's pwHash and pwSalt values. Passwords for Cloudera Manager Peers are also redacted.
Cloudera Bug: OPSAPS-31194
Oozie keystore and truststore passwords now redacted
Oozie's Java keystore and truststore passwords are no longer sent in clear text on the command line.
Cloudera Bug: OPSAPS-25523
Several Replication UI fixes
- The Replication UI Last Run column now sorts correctly based on dates.
- Collecting diagnostic data for failed Hive Replication commands no longer fails.
- Finished schedules are no longer shown as running when the user is watching the page.
- Scheduled time now accurately translates between browser time and server time.
- Actions menu is now enabled for replication schedules with commands running. Previously, it would be disabled while a replication schedule was running, which blocked changing the configuration for future runs.
Cloudera Bug: OPSAPS-29750
Fix Java detection
Java detection in the "Components" view for a host was fixed to account for Java versions installed using symlinks in /usr/java (such as /usr/java/default). A similar fix was made to the host inspector's Java detection logic.
Cloudera Bug: OPSAPS-31105
When Host Monitor is stopped, cluster/services status in Cloudera Manager API returns Good instead of N/A or Unknown
If the Host Monitor is down, the service details page will still be able to present non-host related health status.
Cloudera Bug: OPSAPS-30337
Issues Fixed in Cloudera Manager 5.5.1
Apache Commons Collections deserialization vulnerability
Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.
In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.
The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.
Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.
Users affected: All
Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.
Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.
Issues Fixed in Cloudera Manager 5.5.0
Setting the HBase WAL provider to the default in Cloudera Manager causes the RegionServer process to fail to start
Setting the HBase WAL provider to the default using Cloudera manager erroneously sets the value of hbase.wal.provider to default, when it should be set to defaultProvider. This causes the RegionServer process to fail to start.
Cloudera Bug: OPSAPS-29598
<property> <name>hbase.wal.provider</name> <value>defaultProvider</value> </property>
Incorrect path format causes access permission failure
The file path format used in sequence file `ing was incorrect. In replications involving a large number of files and when the Delete Policy for the replication is set to Delete to trash or Delete Permanently, distcp uses the local file system to save the intermediate result of sequence file sorting. An incorrect path format causes access permission failure.
Cloudera Bug: OPSAPS-28859
Out-of-memory exception for Hive replication
Hive replication throws an out-of-memory exception when exporting a table with a large number of partitions.
Cloudera Bug: OPSAPS-29598
Incorrect value emitted into hbase-site.xml
When configuring an HBase WAL provider with the "HBase Default" option, Cloudera Manager emits an incorrect value into hbase-site.xml and HBase reports an error.
Cloudera Bug: OPSAPS-29598
Failed replication no longer fail silently
When a replication is attempted between secure and insecure clusters, the replication reports an error and fails silently.
Cloudera Bug: OPSAPS-28380
The Replication Schedules page displays error after failed replication
A dialog box that shows a Java exception displays in the Replication Schedules page after a failed replication and the page is inaccessible.
Cloudera Bug: OPSAPS-28465
Cloudera Manager now allows you to use '/' in cluster names
In previous versions, this resulted in problems during replication because '/' was treated as an URL path.
Cloudera Bug: OPSAPS-26138
HDFS replication fails because of improper snapshot directory handling
Replications fail when converting a snapshot path to a regular path when the grandparent of the source directory is snapshottable.
Cloudera Bug: OPSAPS-27232
Renewal time limits and lifetime limits are removed for Kerberos tickets
Snapshots that take longer than 30 minutes failed because the Kerberos tickets for the snapshots expired too soon . The renewal and lifetime limits have been replaced with the system default lifetime and renewal limits, instead of 30 minutes.
Cloudera Bug: OPSAPS-28189
Replication schedules fails to catch configuration errors during creation
The schedule configuration is not validated when it is created, which causes errors during replication.
Cloudera Bug: OPSAPS-11047
Audit events now include the schedule ID
The replication ID has been added to the schedule creation, update, and deletion audit events.
Cloudera Bug: OPSAPS-11534
OutOfMemory error when running HDFS replication
HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.
Cloudera Bug: OPSAPS-28858
Hive replication does not preserve user and group names for the database directory
File permissions of the database directory that maps to a Hive database are not preserved.
Cloudera Bug: OPSAPS-24742
Exception in configuration history after changing host configuration
An IllegalStateException is reported in the History and Rollback page after changing host configuration.
Cloudera Bug: OPSAPS-28795
Host Inspector no longer expects the impala user to be in the hdfs group
To conform to security best practices, the impala user should not be in the hdfs group.
Cloudera Bug: OPSAPS-28129
The DataNode Refresh Data Directories command fails on secure clusters
DataNode refresh failed on Kerberized clusters.
Cloudera Bug: OPSAPS-27068
Topology should only include hosts with Hadoop daemons
A topology map is created for the services HDFS, YARN, and MapReduce. In releases earlier than 5.5.0, hosts with only gateway roles for these services were also added to the topology map. This might erroneously mark many configurations as stale, requiring restarts or refreshes to resolve the staleness.
Cloudera Bug: OPSAPS-24109
Agent host_id property is erroneously set to hostname
Previously, attempting to set the listening_hostname property in the Agent config.ini file (which is not normally necessary) changed the Agent's host ID to use this hostname, instead of the normal value.
Cloudera Bug: OPSAPS-27991
JAVA_HOME override setting does not affect component list
The component list for a host is not affected by a custom JAVA_HOME setting.
Cloudera Bug: OPSAPS-19290
Monitoring performance issues on large, busy clusters
A number of fixes have been made to improve Service Monitor and Host Monitor performance, particularly problems manifesting as large, regular garbage-collection pauses, on large, busy clusters.
Cloudera Bug: OPSAPS-26703
JAVA_HOME does not get passed to Agents
Client configuration deployment fails to locate Java in the custom JAVA_HOME environment variable, if that is specified via host configuration.
Cloudera Bug: OPSAPS-27048
Job History Server Retaining Logs in Secure Clusters
The Job History Server fails to delete old logs from HDFS on secure clusters, with the error "Failed to specify server's Kerberos principal name."
Cloudera Bug: OPSAPS-30157
On Kerberized clusters, incorrect values reported for DataNode process metrics
The DataNode process is incorrectly monitored on Kerberized clusters.
Cloudera Bug: OPSAPS-28676
During kt_renewer kinit call authentication may fail
On Kerberized clusters, Cloudera Manager might periodically report monitoring failures due to authentication errors when attempting to communicate with various role web servers to collect metrics. This is due to synchronization issues between the Agent's calls to kinit and attempts to perform Kerberos authentication with the role web servers. This has been fixed by adding logic to retry requests for metrics in the Agent a number of times on authentication failures. These retries will be logged but should not result in health failures and alerts.
Cloudera Bug: OPSAPS-28469
Client configurations are incorrectly marked as stale when a host is rebooted
Rebooting a host can causes the client configurations for gateway roles on that host to be marked as stale even though they are up to date.
Cloudera Bug: OPSAPS-28568
Rolling restart fails when inheriting inappropriate JVM properties
Rolling restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.
Cloudera Bug: OPSAPS-28353
Clusters can fail if Java 1.6 is installed
JAVA_HOME is set to Java 1.6 if installed, even if version 1.8 is also installed.
Cloudera Bug: OPSAPS-28888
Start should clearly indicate when it fails due to a missing parcel
Previously a missing parcel was logged only in the Agent log. The Cloudera Manager Admin Console now indicates that a required parcel is missing when starting a role or deploying client configurations.
Cloudera Bug: OPSAPS-25589
Client configuration deployment timeout set too large for large number of hosts
The deploy client configuration timeout value was set to according to the number of hosts. This caused a problem when there are large number of hosts. The tasks to deploy client configurations are run concurrently so there was no need to wait that long. The timeout value was changed to a fixed value.
Cloudera Bug: OPSAPS-29464
Two HBase metrics charts display "No Data"
HBase IPC metrics were not collected on CDH 5.4 and higher HBase due to a metric name change.
Cloudera Bug: OPSAPS-28171
Agent operating system detection logic fixed on updated Oracle Enterprise Linux 6.x
An Oracle Enterprise Linux 6.x update to its python-libs unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.
Cloudera Bug: OPSAPS-28193
ZooKeeper jute.maxbuffer emitted into configuration instead of JVM arguments
The ZooKeeper jute.maxbuffer property was emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.
Cloudera Bug: OPSAPS-28244
High -Xms set for Hive clients
-Xms is set equal to -Xmx for all Hive clients which causes the Java runtime to reserve -Xms memory even if the client does not need it. This particularly affects machines with low resources. The -Xms setting has been removed so that the Java runtime does not assign -Xmx memory at the start. Instead, it starts with a much lower Java heap and increases it if needed.
Cloudera Bug: OPSAPS-28972
Service autoconfiguration set Kafka memory to 0
The Kafka service was initially configured with 0 memory because the autoconfiguration rules did not respect specified units. This is now correctly set to a value between 50 and 1024 MiB depending on available memory on the host. This issue affected any third-party CSD-based services using memory parameters with units other than "bytes".
Cloudera Bug: OPSAPS-27869
Topics with a period not reporting metrics
Topics with a period (".") in the name would not show metrics in Cloudera Manager.
Sensitive information in Cloudera Manager diagnostic support bundles
Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.
Cloudera has taken the following actions: (1) Modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) Modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.
Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data-handling policies.
- Users storing sensitive data in advanced configuration snippets
Impact: Possible transmission of sensitive data
CVE: CVE-2015-6495
- Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.5.0, 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6
Cloudera Management Service can fail with a large Flume configuration file
When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to time out and fail. In addition, the Cloudera Manager Server uses 100% of the CPU and the UI hangs.
Cloudera Bug: OPSAPS-29685
Charts built on simple select statements can return partial results
Charts built on queries in the form <select metric> for service or role metrics might not filter entities properly and might report hitting the stream limit.
Cloudera Bug: OPSAPS-28716
Issues Fixed in Cloudera Manager 5.4.10
Scheme and location not filled in consistently during Hive replication import
In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.
Cloudera Bug: OPSAPS-31522
Having hive.compute.query.using.stats enabled by default produced incorrect results for some queries that used stats only
By default, hive.compute.query.using.stats was enabled. This produced incorrect results for some queries that used stats only. This setting is now disabled by default.
Cloudera Bug: OPSAPS-32332
YARN jobs fail after enabling Kerberos authentication or selecting Always Use Container Executor
After Kerberos security is enabled on a cluster or Always Use Container Executor is selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of Container Executor.
Cloudera Bug: OPSAPS-32050
Scheduled diagnostic bundles do not include recent role logs
Diagnostic bundles collected manually included all expected logs, but bundles collected on a schedule did not include role logs. Scheduled diagnostic bundles now include all expected logs.
Cloudera Bug: OPSAPS-30787
Issues Fixed in Cloudera Manager 5.4.9
Apache Commons Collections deserialization vulnerability
Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.
In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.
The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.
Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.
Users affected: All
Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.
Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.
Cross-site scripting vulnerability using malformed strings in the parcel remote URL list
An attacker could set a malformed string in parameters that consist of a list of strings and trigger the attack when a user accessed the corresponding configuration page in classic layout mode. This attack is now prevented.
Cloudera Bug: OPSAPS-30590
Cross-site scripting vulnerability using malformed host template name
An attacker could set a malformed host template name in the backend database and trigger the attack when a user applies the host template. This attack is now prevented.
Cloudera Bug: OPSAPS-30443
Snapshot policies with names with special characters not handled as expected
Snapshot policies with names containing special characters such as #, $, ?, or % were not handled as expected. These snapshot policies were not consistently found because the special characters in their names were parsed incorrectly. Snapshot policies with names containing special characters are now handled as expected.
Cloudera Bug: OPSAPS-30426
Kafka MirrorMaker fails to find messages if ZooKeeper root directory is changed
When the ZooKeeper root directory is changed, the corresponding value in ZK_QUORUM that is passed to Kafka MirrorMaker processes is not updated. In that case, MirrorMaker fails to find messages. Changes to ZooKeeper root are now propagated properly, resulting in MirrorMaker finding messages.
Cloudera Bug: OPSAPS-30197
Updating the Hive NameNode location multiple times could lead to data corruption
Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.
Cloudera Bug: OPSAPS-30155
Cloudera Manager monitors subject to excessive garbage-collection workload
The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.
Cloudera Bug: OPSAPS-30058
Kafka MirrorMaker fails to start because of missing settings
Kafka MirrorMaker provided no defaults for Destination Broker List, Topic Whitelist, and Topic Blacklist, and no way to set these values in the wizard. These values can now be set in the wizard when adding a new instance.
Cloudera Bug: OPSAPS-29415
Cloudera Manager dry-run replication history shows unexpected values
BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.
The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.
Cloudera Bug: OPSAPS-30387
Issues Fixed in Cloudera Manager 5.4.8
Clusters can fail if Java 1.6 is installed
JAVA_HOME is set to Java 1.6 if installed even if 1.8 is also installed.
Cloudera Bug: OPSAPS-28888
OutOfMemory error when running HDFS replication
HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.
Cloudera Bug: OPSAPS-28858
Cloudera Management Service can fail with a large Flume configuration file
When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to timeout and fail. In addition, the Cloudera Manager Server uses too much CPU (100%) and the UI hangs.
Cloudera Bug: OPSAPS-29685
Client configurations are incorrectly marked as stale when a host is rebooted
Rebooting a host can cause the client configurations for gateway roles on that host to be marked as stale even though they are actually up to date.
Cloudera Bug: OPSAPS-28568
Issues Fixed in Cloudera Manager 5.4.7
Operating system detection logic for Oracle Enterprise Linux 6 breaks parcel distribution
Fixes the operating system detection logic on updated Oracle Enterprise Linux 6 systems. An Oracle update to its python-libs logic unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.
Cloudera Bug: OPSAPS-28193
ZooKeeper jute.maxbuffer property emitted into the wrong file
The ZooKeeper jute.maxbuffer property is emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.
Cloudera Bug: OPSAPS-28244
Create user API call is allowed for user with insufficient permissions
Using the "create a user" API call, a user who normally could not create users is able to create a read-only user account. The API call now respects the permissions.
Cloudera Bug: OPSAPS-27539
Spark Authentication property is propagated to the wrong client configuration
Beginning with Cloudera Manager 5.4.6, the Spark Authentication configuration property is correctly propagated to client configurations.
Cloudera Bug: OPSAPS-27912
Agent hostname in config.ini is changed to wrong value
Attempting to set the listening_hostname property in the Agent's config.ini file (which is not normally necessary) changes the Agent's host ID to use this hostname, instead of the normal value. The host ID is now left unchanged, as expected.
Cloudera Bug: OPSAPS-27991
Cloudera Manager monitors the incorrect process for DataNode
On Kerberized clusters, Cloudera Manager monitors the wrong process as the DataNode. That has been fixed. For customers using Kerberized HDFS, Cloudera Manager reports incorrect statistics in some areas (memory, file descriptor, CPU usage, I/O, and networking, but not HDFS statistics). There is a small impact to health monitoring because of this issue. For customers using the stacks collection feature on a Kerberized DataNode and where jstack collection was enabled, this issue kills the parent jsvc process of the DataNode and leaves the DataNode up, but causes Cloudera Manager to report the process as dead.
Cloudera Bug: OPSAPS-28677
Issues Fixed in Cloudera Manager 5.4.6
Sensitive Information in Cloudera Manager Diagnostic Support Bundles
Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.
Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.
Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.
- Users storing sensitive data in advanced configuration snippets
Impact: Possible transmission of sensitive data
CVE: CVE-2015-6495
- Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6
Issues Fixed in Cloudera Manager 5.4.5
Cancel Impala Query attempts to connect via TLS/SSL despite TLS/SSL being disabled
In Impala queries, if you select Cancel for any query, you see a small "internal error" at the top of the query list. This occurs because an attempt to connect via TLS/SSL is performed even though Impala does not have TLS/SSL enabled.
Cloudera Bug: OPSAPS-27146;
Cloudera Manager displays a spurious validation warning about the Cloudera Management Service truststore
Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services, even if no Cloudera Management Service truststore is in use.
Cloudera Bug: OPSAPS-27473;
Aggregation of Work attributes
Cloudera Manager now correctly aggregates Work attributes such as YARN applications or Impala query duration.
Cloudera Bug: OPSAPS-26493
Hue Solr Indexer
Cloudera Manager now creates the correct configuration required to create a collection.
Cloudera Bug: OPSAPS-22975
Cloudera Manager incorrectly reports “Not finalized” status for rolling upgrade
When performing a rolling upgrade from a version of CDH lower than 5.4 to CDH 5.4, and the HDFS rolling upgrade is finalized, Cloudera Manager incorrectly reports the status as not finalized. This is an error in reporting only and does not affect HDFS functionality.
Cloudera Bug: OPSAPS-27379
Validation errors not visible from service-level configuration pages
Validation errors and warnings were only visible when accessing the individual instance-level configuration pages. This has been fixed.
Cloudera Bug: OPSAPS-27066
Add Role Instances wizard does not work when initialized using the Cloudera Manager search box
You can now start the Add Role Instances wizard by searching for "<service name> Add Role" in the Cloudera Manager Admin Console search box.
Cloudera Bug: OPSAPS-27604
Cloudera Manager now allows you to use '/' in cluster names
In previous versions, this resulted in problems during replication because '/' was treated as an URL path.
Cloudera Bug: OPSAPS-26138
Expose HBase multi-WAL configuration properties in Cloudera Manager
The properties were added and are now being written to the hbase-site.xcml file.
Cloudera Bug: OPSAPS-27139
Custom Kerberos principals now handled correctly during Solr startup
The Solr custom Kerberos principal is now initialized properly during Solr server startup.
Cloudera Bug: OPSAPS-27320
Added a check in the Upgrade and Kerberos wizards to make sure Spark-standalone is not enabled
Spark Standalone does not work in clusters with Kerberos authentication. Spark on YARN supports Kerberos and is recommended over Spark Standalone. Either disable Kerberos or remove Spark Standalone before upgrading.
Cloudera Bug: OPSAPS-26151
Fixed link for Reports when YARN high availability is enabled
The Reports link in HA mode would result in a 404 error.
Cloudera Bug: OPSAPS-27089
Removed bogus failure when deploying client configuration
Deploying client configuration would sometimes fail because Cloudera Manager could not locate JAVA_HOME. This is not a valid failure because deploying client configuration does not require Java.
Cloudera Bug: OPSAPS-27650
Added core-site.xml to Sentry's classpath
Previously, core-site.xml was only added to Sentry's configuration folder, but not the classpath.
Cloudera Bug: OPSAPS-26617
Improved memory usage in serializing objects and writing them to support bundles
Performance improvements that require less memory were made for the creation of bundles.
Cloudera Bug: OPSAPS-27405
New property to enable suppressing INFO-level log messages from NameNode
You can now use the NameNode Block State Change Logging Threshold property to suppress INFO-level block state change log messages from the NameNode.
Cloudera Bug: OPSAPS-26437
Improved advice for clock offset health test
The way the health of the host's NTP daemon is determined was changed recently, which caused some cases where the related health test (host clock offset) failed without a warning. Information on this change was added to Cloudera Manager.
Cloudera Bug: OPSAPS-27278
Cloudera Manager displays warning about using RHEL 6 with Transparent Huge Pages (THP)
The THP algorithm was broken in certain variants of RHEL 6.2 and above. Cloudera Manager now displays a warning if THP is enabled for all RHEL 6 and above.
Cloudera Bug: OPSAPS-27035
Agent gets no logs if the last log4j event is larger than the max-size specified
If the byte_limit (max-size) specified by Cloudera Manager during log retrieval was smaller than the last log4j event to be collected, the Agent skipped the complete event and return nothing. This behavior was modified so pick the first N bytes (N = max-size) are picked from the log4j event and return a partial log4j event.
Cloudera Bug: OPSAPS-26406
Agent log retrieval does not always honor timeouts
Cloudera Manager Agents no longer enter an infinite loop during log retrieval.
Cloudera Bug: OPSAPS-26404
Cloudera Manager Agent missing log messages
The default timeout for displaying log entries (../logs/search and ../logs/context) has been increased to 60 seconds.
Cloudera Bug: OPSAPS-27358
Fixed cross-site scripting vulnerability
A cross-site scripting vulnerability was discovered and fixed in Cloudera Manager.
Cloudera Bug: OPSAPS-27496
New property added for ResourceManager high availability failover
The ZooKeeper session timeout property yarn.resourcemanager.zk-timeout-ms was added, and its default value is 1 minute.
Cloudera Bug: OPSAPS-20852
Set maximum value for YARN mapreduce.jobhistory.max-age-ms to 10 years
Cloudera Manager would previously display a validation error when the value was greater than 60 days.
Cloudera Bug: OPSAPS-27182
Added warning in upgrade wizard regarding dropped support for symlinks in CDH 5
This fix added a warning about removing HDFS symlinks when upgrading from CDH 4 to CDH 5.
Cloudera Bug: OPSAPS-26665
Refresh Data Directories command no longer fails on secure clusters
The DataNodeRefreshCommand now sets SCM_KERBEROS_PRINCIPAL in the environment of the command process, which causes hdfs.sh to do a kinit. Before this change, a manual kinit was required.
Cloudera Bug: OPSAPS-27068
New Sentry Synchronization Path Prefixes added in NameNode configuration are not enforced correctly
Any new path prefixes added in the NameNode configuration are not correctly enforced by Sentry. The ACLs are initially set correctly, however they would be reset to the old default after some time interval.
Cloudera Bug: OPSAPS-26141
<property> <name>sentry.hdfs.integration.path.prefixes</name> <value>/user/hive/warehouse, ADDITIONAL_DATA_PATHS</value> </property>where ADDITIONAL_DATA_PATHS is a comma-separated list of HDFS paths where Hive data will be stored. The value should be the same value as sentry.authorization-provider.hdfs-path-prefixes set in the hdfs-site.xml on the NameNode.
Fixed NullPointerException on health tests' Details page
The health tests Details page threw a NullPointerException because it was referring to a deprecated metric name.
Cloudera Bug: OPSAPS-27065
Improved Service Monitor Canary check to see if HTable is disabled
Without this check, Service Monitor would fail due to too many ZooKeeper connection messages leaking into the Service Monitor log. This resulted in resource and allocation pressures on the Service Monitor.
Cloudera Bug: OPSAPS-27318
Cloudera Manager no longer retains unnecessary references to HTables
Retaining too many unnecessary references to HTable was using up too much memory, especially when working with a large number of tables.
Cloudera Bug: OPSAPS-27319
Sqoop 2 failure in Kerberized clusters fixed
Cloudera Manager was using the wrong authentication package and picking up the wrong configuration properties for Sqoop 2 authentication with Kerberos.
Cloudera Bug: OPSAPS-27297
Fixed Solr server startup error
The Solr server would not start due to insufficient space for the shared memory file.
Cloudera Bug: OPSAPS-27158
Added HBase Canary security configuration properties
Enabling the HBase canary on a secure cluster would fail. The new properties now let Cloudera Manager specify the canary's Kerberos principal and keytab in the hbase-site.xml deployed at the RegionServers.
Cloudera Bug: OPSAPS-26468
Issues Fixed in Cloudera Manager 5.4.3
Improve Impala queries coordinator node metrics handling
For Impala queries that returned very few rows, Cloudera Manager could fail to report information such as HDFS I/O metrics on the Impala Query Monitoring and Query Detail pages. The discrepancy was typically relatively small because those queries often did very little work.
Cloudera Bug: OPSAPS-26531, OPSAPS-26533
Performance issues when changing configurations on HDFS
Fixed a performance issue where HDFS configuration pages responded slowly.
Cloudera Bug: OPSAPS-27171
Typo in Cloudera Manager metrics reference
The word “Concerning” was misspelled in many metrics reference pages.
Cloudera Bug: OPSAPS-26957
Issues with Navigator field audit_log_max_file_size
The log4j appender changed from RollingFileAppender to RollingFileWithoutDeleteAppender.
Cloudera Bug: OPSAPS-26978
The Isilon client configuration core-site.xml file does not contain proxy users
The parameters are available in the Cloudera Manager Admin Console, but the configurations are not emitted in the core-site.xml file.
Cloudera bug: OPSAPS-26816
Solr gateway role should not have a log4j.properties advanced configuration snippet
The Solr gateway role does not have a log4j.properties file.
Cloudera bug: OPSAPS-26858
The Cloudera Manager Agent force_start's hard stop commands did not set all invariants
This resulted in NPE being reported in Cloudera Manager logs when accessing active and recent command operations.
Cloudera bug: OPSAPS-26864
Configuration staleness icons appear to be enabled for users in read-only role
When moused over, the icons change to a hand indicating that they are active. However, users in the read-only role cannot act on changed configurations.
Cloudera bug: OPSAPS-26897
Setting yarn.resourcemanager.am.max-retries throws error
Observed when setting the Maximum Number of Attempts for MapReduce Jobs and then setting ApplicationMaster Maximum Attempts, which also sets yarn.resourcemanager.am.max-retries.
Cloudera bug: OPSAPS-26936
Cloudera Manager reports the wrong value for Impala bytes read from cache
Instead of cached bytes it reported the value of short circuit bytes.
Cloudera bug: OPSAPS-26938
Fixed cross-site scripting vulnerabilities
A variety of possible cross-site scripting vulnerabilities have been fixed.
Cloudera bugs: OPSAPS-26765, OPSAPS-26798, OPSAPS-26835, OPSAPS-26836, OPSAPS-26878, OPSAPS-26880, OPSAPS-25959
Location of Number of rows drop-down changed
On pages where multiple rows display, the drop-down menu where users select the number of rows to display on a page now appears at the bottom of all lists.
Cloudera bug: OPSAPS-26956
Minimum allowed value change for YARN property
The Max Shuffle Connections property now allows a value of 0, which indicates no limit on the number of connections.
Cloudera bug: OPSAPS-26953
Upgrade error
A bug was fixed that prevented upgrades from CDH 4.7.1 to CDH 5.4.3.
Cloudera bug: OPSAPS-27119
Change to Parcels page
On the Parcels page, the first cluster in the list is now automatically selected by default.
Cloudera bug: OPSAPS-27045
All Password Input Fields do not allow auto complete
All password input fields in Cloudera Manager do not allow auto complete.
Cloudera bug: OPSAPS-26927
TLS Keystore Configuration Error
It is no longer possible to delete the values of the Path to TLS Keystore File and Keystore Password properties and save them while the Use TLS Encryption for Admin Console property is enabled.
Cloudera bug: OPSAPS-26888
Host configuration properties and Agent restart messages
Some host configuration properties no longer incorrectly state that an Agent restart is required.
Cloudera bug: OPSAPS-26808
More detailed error messages for failed role migration
If there is a failure validating the NameNode or JournalNode data directories while migrating roles, Cloudera Manager now displays detailed error information, including error codes.
Cloudera bug: OPSAPS-26803
New property to configure Oozie shared library upload timeout
To prevent timeouts due to slow disks or networks, a new Oozie property, Oozie Upload ShareLib Command Timeout, has been added to set the timeout.
Cloudera bug: OPSAPS-26782
New Cluster-Wide Configuration Pages
- Databases
- Local Data Directories
- Local Data Files
- Navigator Settings
- Service Dependencies
To access these pages in Cloudera Manager, select
.Cloudera bug: OPSAPS-26730
Naming of Health Tests
The names of some Health Tests have changed to use consistent capitalization.
Cloudera bug: OPSAPS-26690
Impala Monitoring Queries for Per-node peak memory
Impala queries that report per-node peak memory were incorrect when the value is zero.
Cloudera bug: OPSAPS-26721
Enable Hive on Spark Property
The description of the Enable Hive on Spark property has been updated to remind the user that the Enable Spark on YARN property must also be selected.
Cloudera bug: OPSAPS-26560
Role Trigger property in Flume
Setting a value for the Flume Role Triggers property no longer causes validation warnings.
Cloudera bug: OPSAPS-26743
Restart of Service Monitor leaves files that can fill the disk
Restarts of the Service Monitor no longer leave extraneous copies of files that unnecessarily take up disk space.
Cloudera bug: OPSAPS-26660
HiveServer 2 properties omit Java options
- Allow URIs in Database Policy File
- HiveServer2 TLS/SSL Certificate Trust Store File
- HiveServer2 TLS/SSL Certificate Trust Store Password
Cloudera bug: OPSAPS-26657
CDH Parcel distribution reports HTTP 503 errors
Cloudera Manager no longer displays HTTP 503 errors during distribution of the CDH parcel to a large cluster.
Cloudera bug: OPSAPS-26627
Diagnostic bundle reports incorrect status for SELinux
Diagnostic bundles sometimes reported SELinux as disabled when it was enabled. The bundle now reports the correct status.
Cloudera bug: OPSAPS-26608
Hue configuration warnings do not link to correct page
On the Cloudera Manager page that displays Hue configuration issues, the links now take the user to the correct page where the user can correct the configuration.
Cloudera bug: OPSAPS-26600
Date display in Cloudera Manager log viewer
The month and date have been added before the time value in logs displayed in Cloudera Manager.
Cloudera bug: OPSAPS-26599
Disabling Hive Metastore Canary Test
When you disable the Hive Metastore health test by deselecting the Hive Metastore Canary Health property, the Hive Canary is now also disabled.
Cloudera bug: OPSAPS-26588
Agent failure when TLS 1.0 is disabled
If TLS 1.0 is disabled, the Agent now tries to negotiate the connection using TLS 1.1 or TLS 1.2.
Cloudera bug: OPSAPS-26584
Slowness when displaying details of a stale configuration
The details page now displays more quickly when a user clicks on the Stale Configuration icon.
Cloudera bug: OPSAPS-26537
Slowness observed when accessing replication page in Cloudera Manager
When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.
Cloudera Bug: OPSAPS-26529;
Log Searches for Cloudera Manager Server
Searching the Cloudera Manager Server logs now works as expected.
Cloudera bug: OPSAPS-26470
Failed TLS Configuration and Cloudera Manager Restart
If the TLS configuration has errors, Cloudera Manager now falls back to non-TLS operation when restarting.
Cloudera bug: OPSAPS-27104
New headers added
New headers have been added to Cloudera Manager HTTP response headers to protect against vulnerabilities.
Cloudera bug: OPSAPS-25847
Hive Logging property restored
The Enable Explain Logging (hive.log.explain.output) property was removed in an earlier release and is now included in the configurations.
Cloudera bug: OPSAPS-25857
Hive Metastore Update NameNodes Command
A 150 second timeout was removed from the Update Hive Metastore NameNodes command to prevent timeouts on deployments that use Hive extensively.
Cloudera bug: OPSAPS-26056
Kafka Parcel Installation
Cloudera Manager now correctly detects the Kafka version for parcel installation.
Cloudera bug: OPSAPS-26071
Agent restart failure
In a condition where an Agent restart was required due to a Hive configuration change and a subsequent disk failure, the Agent now restarts as expected.
Cloudera bug: OPSAPS-26172
Error message wording
Some Cloudera Manager error messages referred to Cloudera Manager as “CM”. These messages now use the full name “Cloudera Manager”.
Cloudera bug: OPSAPS-26191
Oozie metrics failures
Retrieval of Oozie metrics sometimes fails due to timeout issues which are now resolved.
Cloudera bug: OPSAPS-26242
NameNode Role Migration Failures
When a NameNode role migration fails due to the destination role data directories being non-empty or having incorrect permissions, you no longer need to complete the migration manually. An error message displays and you can now correct the problem and re-run the command.
Cloudera bug: OPSAPS-26265
AWS S3 HBase configuration property renamed to Amazon S3
Several configuration properties for HBase have been renamed from AWS S3 to Amazon S3, in order to use the correct product name.
Cloudera bug: OPSAPS-23343
NodeManager Host Resources page display for the NodeManager Recovery Directory
The NodeManager Recovery Directory now displays on the NodeManager host resources page.
Cloudera bug: OPSAPS-23916
Host Inspector page now includes link to Show Inspector Results
The Host Inspector page now displays a link to a page that displays detailed results.
Cloudera bug: OPSAPS-24642
Initialization Script Improvements
The Cloudera Manager Agent initialization script now checks correctly for running processes.
Cloudera bug: OPSAPS-24941
Default Value for Hue parameter changed
The default value for the Hue cherrypy_server_threads property has been changed from 10 to 50.
Cloudera bug: OPSAPS-25030
Express Installation Wizard Package Installation Page CDH Version
The Express Installation Wizard Package installation page no longer allows the user to proceed without selecting a CDH version.
Cloudera bug: OPSAPS-25722
Host Component page display
The Host Component page now displays the package version for the KMS Trustee Key Provider.
Cloudera bug: OPSAPS-25692
Installation Wizard hangs during package installation
The Installation Wizard hangs during a CDH package installation and the status displays as “Acquiring Installation Lock”. A bug was fixed where the Agent incorrectly failed to release a lock until the Agent is restarted.
Cloudera bug: OPSAPS-22894
Minimum allocation violation not caught by Cloudera Manager
NodeManager did not start because Cloudera Manager did not correctly validate memory and CPU settings against their minimum values.
Cloudera bug: OPSAPS-17157
Impala core dump directories are now configurable
- Catalog Server Core Dump Directory
- Impala Daemon Core Dump Directory
- StateStore Core Dump Directory
Cloudera bug: OPSAPS-21743
Typo in Sqoop DB path suffix (SqoopParams.DERBY_SUFFIX)
Sqoop 2 appears to lose data when upgrading to CDH 5.4. This is due to Cloudera Manager erroneously configuring the Derby path with "repositoy" instead of "repository". The correct path name is now used.
Cloudera Bug: OPSAPS-26649.
Agent fails when retrieving log files with very long messages
When searching or retrieving large log files using the Agent, the Agent no longer consumes near 100% CPU until it is restarted. This can also happen then the collect host statistics command is issued.
Cloudera bug: OPSAPS-25854
Automated Solr TLS/SSL configuration may fail silently
Cloudera Manager 5.4.1 offers simplified TLS/SSL configuration for Solr. This process uses a solrctl command to configure the urlSchemeSolr cluster property. The solrctl command produces the same results as the Solr REST API call /solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https. For example, the call might appear as: https://example.com:8983/solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https
Cloudera Manager automatically executes this command during Solr service startup. If this command fails, the Solr service startup now reports an error.
Cloudera Bug: OPSAPS-26563
Removing the default value of a property fails
For example, when you access the Automatically Downloaded Parcels property on the following page: and remove the default CDH value, the following error message displays: "Could not find config to delete with template name: parcel_autodownload_products". This error has been fixed.
Cloudera bug: OPSAPS-26591
Issues Fixed in Cloudera Manager 5.4.1
distcp default configuration memory settings overwrite MapReduce settings
Replication used for backup and disaster recovery does not correctly set the MapReduce Java options, and you cannot configure them. In release 5.4.1, Cloudera Manager uses the MapReduce gateway configuration to determine the Java options for replication jobs. Replication job settings cannot be configured independently of MapReduce gateway configuration. See Backup and disaster recovery replication does not set MapReduce Java options.
Oozie high availability plug-in is now configured by Cloudera Manager
In CDH 5.4.0, Oozie added a new HA plugin that allows all of the Oozie servers to synchronize their Job ID assignments and prevent collisions. Cloudera Manager 5.4.0 did not configure this new plugin; Cloudera Manager 5.4.1 now does so.
Cloudera Bug: OPSAPS-25778
HDFS read throughput Impala query monitoring property is misleading
The hbase_bytes_read_per_second and hdfs_bytes_read_per_second Impala query properties have been renamed to hbase_scanner_average_bytes_read_per_second and hdfs_scanner_average_bytes_read_per_second to more accurately reflect that these properties return the average throughput of the query's HBase and HDFS scanner threads, respectively. The previous names and descriptions indicated that these properties were the query's total HBase and HDFS throughput, which was not accurate.
Cloudera Bug: OPSAPS-26140
Enabling wildcarding in a secure environment causes NameNode to fail to start
In a secure cluster, if you use a wildcard for the NameNode's RPC or HTTP bind address, the NameNode fails to start. For example, dfs.namenode.http-address must be a real, routable address and port, not 0.0.0.0.port. In Cloudera Manager, the "Bind NameNode to Wildcard Address" property must not be enabled. This should affect you only if you are running a secure cluster and your NameNode needs to bind to multiple local addresses.
Cloudera Bug: CDH-9991, OPSAPS-14577
Bug: HDFS-4448
Workaround: Disable the "Bind NameNode to Wildcard Address" property found on the Configuration tab for the NameNode role group.
Support for adding Hue with high availability
The Express and Add Service wizards now allow users to define multiple Hue service roles. If Kerberos is enabled, a co-located KT Renewer role is automatically added for each Hue server row.
Cloudera Bug: OPSAPS-21639
Parameter validation fails with more than one Hue role
When you add a second Hue role to a cluster, the error message "Failed parameter validation" displays.
Cloudera Bug: OPSAPS-25336
Cross-site scripting vulnerabilities
Various cross-site scripting vulnerabilities were fixed.
Cloudera Bug: OPSAPS-25809
Clicking the "Revert to default" icon stores the default value as a user-defined value in the new configuration pages
Cloudera Manager 5.4.1 fixes an issue in which saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.
Cloudera Bug: OPSAPS-26340
Spurious validation warning and missing validations when multiple Hue Server roles are present
2015-03-30 17:15:45,077 WARN ActionablesProvider-0:com.cloudera.cmf.service.ServiceModelValidatorImpl: Parameter validation failed java.lang.IllegalArgumentException: There is more than one role with roletype: HUE_SERVER [...] {These messages do not correspond to actual validation warnings and can be ignored. However, some validations normally performed are skipped when this spurious warning is generated, and should be done manually. Specifically, if Hue's authentication mechanism is set to LDAP, the following configuration should be validated:
- The Hue LDAP URL property must be set.
- For CDH 4.4 and lower, set one (but not both) of the following two Hue properties: NT Domain or LDAP Username Pattern.
- For CDH 4.5 and higher, if the Hue property Use Search Bind Authentication is selected, exactly one of the two Hue properties NT Domain and LDAP Username Pattern must be set, as described in step 2 above.
Cloudera Bug: OPSAPS-25336
Logging of command unavailable message improved
When a command is unavailable, the error messages are now more descriptive.
Cloudera Bug: OPSAPS-26384
Client configuration logs no longer deleted by the Agent
If the Agent fails to deploy a new client configuration, the client log file is no longer deleted by the agent. The Agent saves the log file and appends new log entries to the saved log file.
Cloudera Bug: OPSAPS-26148
HDFS role migration requires certain HDFS roles to be running
Before using the Migrate Roles wizard to migrate HDFS roles, you must ensure that the following HDFS roles are running as described:
- A majority of the JournalNodes in the JournalNode quorum must be running. With a quorum size of three JournalNodes, for example, at least two JournalNodes must be running. The JournalNode on the source host need not be running, as long as a majority of all JournalNodes are running.
- When migrating a NameNode and co-located Failover Controller, the other Failover Controller (that is, the one that is not on the source host) must be running. This is true whether or not a co-located JournalNode is being migrated as well, in addition to the NameNode and Failover Controller.
- When migrating a JournalNode by itself, at least one NameNode / Failover Controller co-located pair must be running.
Cloudera Bug: OPSAPS-25870, OPSAPS-25878
HDFS role migration requires automatic failover to be enabled
Migration of HDFS NameNode, JournalNode, and Failover Controller roles through the Migrate Roles wizard is only supported when HDFS automatic failover is enabled. Otherwise, it causes a state in which both NameNodes are in standby mode.
Cloudera Bug: OPSAPS-25806, OPSAPS-25822
HDFS/Hive replication fails when replicating to target cluster that runs CDH 4 and has Kerberos enabled
Cloudera Bug: OPSAPS-25945
Workaround: None.
Issues Fixed in Cloudera Manager 5.4.0
Proxy Configuration in Single User Mode is Fixed
In single user mode, all services are using the same user to proxy other users in an unsecure cluster, which is the user that is running all the CDH processes on the cluster. To restrict that user so that it can proxy other users from only certain hosts and only certain groups, configure the YARN Proxy User Hosts and YARN Proxy User Groups properties in the HDFS service. The setting here supersedes all other proxy user configurations in single user mode.
Cloudera Bug: OPSAPS-25518
The Parcels page allows access to the patch release notes
Clicking the icon with an "i" in a blue circle next to a parcel shows the release notes.
Cloudera Bug: OPSAPS-25481
Monitoring Fails on Impala Catalog Server with TLS/SSL Enabled
When enabling TLS/SSL for Impala web servers (webserver_certificate_file), Cloudera Manager does not emit use_ssl in the cloudera-monitor.properties file for the Catalog Server. Other services (Impala Daemon and StateStore) are configured correctly. This causes monitoring to fail for the Catalog Server even though it is working as expected.
Cloudera Bug: OPSAPS-25469
Default Value Changed for hive.exec.reducers.bytes.per.reducer
To improve performance, the default value for the hive.exec.reducers.bytes.per.reducer property has been changed from 1 GB to 64 MB. If this value has been customized, the customized value is retained during an upgrade. If the old default of 1 GB was not changed, the value will be updated to 64MB during an upgrade.
Cloudera Bug: OPSAPS-24883
Issues Fixed in Cloudera Manager 5.3.10
Scheme and location not filled in consistently during Hive replication import
In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.
Cloudera Bug: OPSAPS-31522
YARN jobs fail after enabling Kerberos authentication or selecting Always Use Container Executor
After Kerberos security is enabled on a cluster or Always Use Container Executor is selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of Container Executor.
Cloudera Bug: OPSAPS-32050
Issues Fixed in Cloudera Manager 5.3.9
Apache Commons Collections deserialization vulnerability
Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.
In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.
The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.
Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.
Users affected: All
Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.
Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.
Cloudera Manager monitors subject to excessive garbage-collection workload
The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.
Cloudera Bug: OPSAPS-30058
Cloudera Manager dry-run replication history shows unexpected values
BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.
The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.
Cloudera Bug: OPSAPS-30387
Updating the Hive NameNode location multiple times could lead to data corruption
Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.
Cloudera Bug: OPSAPS-30155
Issues Fixed in Cloudera Manager 5.3.8
Rolling Restart fails when inheriting inappropriate JVM properties
Rolling Restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.
Cloudera Bug: OPSAPS-28353
Exception thrown when viewing host configuration change
When ConfigContext is initialized to both cluster and host, it defaults to cluster. If the context is a host, this can cause the ConfigTableUtil class to throw an IllegalStateException.
Cloudera Bug: OPSAPS-28795
Issues Fixed in Cloudera Manager 5.3.7
Sensitive Information in Cloudera Manager Diagnostic Support Bundles
Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.
Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.
Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.
- Users storing sensitive data in advanced configuration snippets
Severity: High
Impact: Possible transmission of sensitive data
CVE: CVE-2015-6495
- Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6
Issues Fixed in Cloudera Manager 5.3.6
Cloudera Manager reports the wrong value for Impala bytes read from cache
Instead of cached bytes, it reported the value of short-circuit bytes.
Cloudera Bug: OPSAPS-26938
Cancel Impala Query attempts to connect via TLS/SSL despite TLS/SSL being disabled
In Impala queries, if you select Cancel for any query, you get a small "internal error" at the top of the query list. This is because an attempt to connect via TLS/SSL is done even though Impala does not have TLS/SSL enabled.
Cloudera Bug: OPSAPS-27146
The Cloudera Manager displays a spurious validation warning about the Cloudera Management Service truststore
Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services even if no Cloudera Management Service truststore is in use.
Cloudera Bug: OPSAPS-27473
Issues Fixed in Cloudera Manager 5.3.4
Slowness observed when accessing replication page in Cloudera Manager
When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.
Cloudera Bug: OPSAPS-26529
Cloudera Manager overwrites the krb5.conf file after disabling management by Cloudera Manager
When a cluster has been configured to enable Kerberos by clicking the Manage krb5.conf through Cloudera Manager button, Cloudera Manager writes out a krb5.conf file. If a user subsequently disables this feature by disabling the Manage krb5.conf through Cloudera Manager option and then restarting Cloudera Manager and the Agent, Cloudera Manager overwrites the existing krb5.conf file.
Cloudera Bug: OPSAPS-25282
Header injection vulnerability in internal logging call
An internal call to a servlet with a malformed logger name created information that could be used in a cross-site scripting attack.
Cloudera Bug: OPSAPS-26487
Graph for "Total Containers Running Across NodeManagers" displays high values
The graph Total Containers Running Across NodeManagers, which displays on the YARN status page, displayed incorrect high values.
Cloudera Bug: OPSAPS-26247
Clicking the "Revert to default" icon stores the default value as a user-defined value in the new configuration pages
Saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.
Cloudera Bug: OPSAPS-26340
Some Operational Reports do not return results
- Overpopulated Directories
- Large Directories
- Custom Reports where the Replication parameter is set to 0.
Cloudera Bug: OPSAPS-26178
Xalan has been upgraded to version 2.7.2
To address a vulnerability identified by CVE-2014-0107, Xalan has been updated to version 2.7.2.
Cloudera Bug: OPSAPS-26408
Setting threshold values of -1 or -2 not accepted in new configuration layout pages
When you set threshold values in various properties, you could not select Specify and then enter -1 to indicate "Any" or -2 to indicate "Never". You can now enter -1 or -2.
Cloudera Bug: OPSAPS-26066
Rolling upgrade arguments are reversed
- Sleep seconds
- Failure threshold
Cloudera Bug: OPSAPS-26158
Issues Fixed in Cloudera Manager 5.3.3
hive.metastore.client.socket.timeout default value changed to 60
The default value of the hive.metastore.client.socket.timeout property has changed to 60 seconds.
Cloudera Bug: OPSAPS-25270
TLS/SSL Enablement property name changes
The property hadoop.ssl.enabled is deprecated. Cloudera Manager has been updated to use either dfs.http.policy or yarn.http.policy properties instead.
Cloudera Bug: OPSAPS-24985
Changing the Service Monitor Client Config Overrides property requires restart
Cloudera Manager no longer requires you to restart your cluster after changing the Service Monitor Client Config Overrides property for a service.
Cloudera Bug: OPSAPS-25272
Cluster name changed from specified name to "cluster" after upgrade
After updating to a new release, Cloudera Manager replaces the specified cluster name with cluster. Cloudera Manager now uses the correct cluster name.
Cloudera Bug: OPSAPS-25279
Configuration without host_id in upgrade DDL causes upgrade problems
A client configuration row in the database DDL did not set host_id, causing upgrade problems. Cloudera Manager now catches this condition before upgrading.
Cloudera Bug: OPSAPS-25321
hive.log.explain.output property is hidden
The property hive.log.explain.output is known to create instability of Cloudera Manager Agents in some specific circumstances, especially when the hive queries generate extremely large EXPLAIN outputs. Therefore, the property has been hidden from the Cloudera Manager configuration screens. You can still configure the property through the use of advanced configuration snippets.
Cloudera Bug: OPSAPS-25852
Slow staleness calculation can lead to ZooKeeper data loss when new servers are added
In Cloudera Manager 5.x, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.
Cloudera Bug: OPSAPS-25966
Spark and Spark (standalone) services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package
Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.
Workaround: After upgrading rest of the services, uninstall the old CDH packages, and then start the Spark service.
Cloudera Bug: OPSAPS-24005
Deploy client configuration across cluster after upgrade from Cloudera Manager 4.x to 5.3
Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.
Cloudera Bug: OPSAPS-24279
Oozie health bad when Oozie is HA, cluster is kerberized, and Cloudera Manager and CDH are upgraded
Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.
Cloudera Bug: OPSAPS-23872
Workaround: Disable Oozie HA and then re-enable HA again.
HDFS/Hive replication fails when replicating to target cluster that runs CDH 4.0 and has Kerberos enabled
Cloudera Bug: OPSAPS-25945
Workaround: None.
Issues Fixed in Cloudera Manager 5.3.2
The Review Changes page sometimes hangs
The Review Changes page hangs due to the inability to handle the "File missing" scenario.
Cloudera Bug: OPSAPS-24872
High volume of TGT events against AD server with "bad token" messages
A fix has been made to how Kerberos credential caching is handled by management services, resulting in a reduction in the number of Kerberos Ticket Granting Ticket (TGT) requests from the cluster to a KDC. This would have been noticed as "Bad Token" messages being seen in high volume in KDC logging and unnecessarily causing re-authentication by management services.
Cloudera Bug: OPSAPS-24800
Accumulo missing kinit when running with Kerberos
Cloudera Manager is unable to run Accumulo when hostname command does not return FQDN of hosts.
Cloudera Bug: OPSAPS-24792
HiveServer2 leaks threads when using impersonation
For CDH 5.3 and higher, Cloudera Manager will configure HiveServer2 to use the HDFS cache even when impersonation is on. For earlier CDH, there were bugs with the cache when impersonation was in use, so it is still disabled.
Cloudera Bug: OPSAPS-24751
Deploying client configurations fails if there are dead hosts present in the cluster
If there are hosts in the cluster where the Cloudera Manager agent heartbeat is not working, then deploying client configurations does not work. Starting with Cloudera Manager 5.3.2, such hosts are ignored while deploying client configurations. When the issues with the host are fixed, Cloudera Manager will show those hosts as having stale client configurations, at which point you can redeploy them.
Cloudera Bug: OPSAPS-24748
Health test monitors free space available on the wrong filesystem
The Cloudera Manager Health Test to monitor free space available for the Cloudera Manager Agent's process directory monitors space on the wrong filesystem. It should monitor the tmpfs that the Cloudera Manager Agent creates, but instead monitors the Cloudera Manager Agent working directory.
Cloudera Bug: OPSAPS-24733
Starting ZooKeeper Servers from Service or Instance page fails
Stopped ZooKeeper servers cannot be started from the Service or Instance page, but only from the Role page of the server using the start action for the role.
Cloudera Bug: OPSAPS-24725
Flume Metrics page does not render agent metrics
Starting in Cloudera Manager 5.3, some or all Flume component data was missing from the Flume Metrics Details page.
Cloudera Bug: OPSAPS-24525
Broken link to help pages on Chart Builder page
The help icon (question mark) on the Chart Builder page returns a 404 error.
Cloudera Bug: OPSAPS-24424
Import MapReduce configurations to YARN now handles NodeManager vcores and memory
Running the wizard to import MapReduce configurations to YARN will now populate yarn.nodemanager.resource.cpu-vcores and yarn.nodemanager.resource.memory-mb correctly based on equivalent MapReduce configuration.
Cloudera Bug: OPSAPS-21540; KI added Cloudera Manager5.1.0
Issues Fixed in Cloudera Manager 5.3.1
Deploy client configuration across cluster after upgrade from Cloudera Manager 4.x to 5.3
Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.
Cloudera Bug: OPSAPS-24279
Deploy client configuration across cluster after upgrade from Cloudera Manager 4.x to 5.3
Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.
Cloudera Bug: OPSAPS-24279
Oozie health bad when Oozie is HA, cluster is kerberized, and Cloudera Manager and CDH are upgraded
Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.
Cloudera Bug: OPSAPS-2387
Workaround: Disable Oozie HA and then re-enable HA again.
Deploy client configuration no longer fails after 60 seconds
When configuring a gateway role on a host that already contains a role of the same type—for example, an HDFS gateway on a DataNode—the deploy client configuration command no longer fails after 60 seconds.
Cloudera Bug: OPSAPS-24426
service cloudera-scm-server force_start now works
Cloudera Bug: OPSAPS-24489
After deleting services, the Cloudera Manager Server log no longer contains foreign key constraint failure exceptions
Cloudera Bug: OPSAPS-24377
When using Isilon, Cloudera Manager now sets mapred_submit_replication correctly
When EMC Isilon storage is used, there is no DataNode, so you cannot set mapred_submit_replication to a number smaller than or equal to the number of DataNodes in the network. Cloudera Manager now does the following when setting mapred_submit_replication:
- If using HDFS, sets to a minimum of 1 and issues a warning when greater than the number of DataNodes
- If using Isilon, sets to 1 and does not check against the number of DataNodes
Cloudera Bug: OPSAPS-24391
The Cloudera Manager Agent now sets the file descriptor ulimit correctly on Ubuntu
Cloudera Bug: OPSAPS-24416
During upgrade, bootstrapping the standby NameNode step no longer fails with standby NameNode connection refused when connecting to active NameNode
Cloudera Bug: OPSAPS-24074
Deploy krb5.conf now also deploys it on hosts with Cloudera Management Service roles
Cloudera Bug: OPSAPS-21329
Cloudera Manager allows upgrades to unknown CDH maintenance releases
Cloudera Manager 5.3.0 supports any CDH release less than or equal to 5.3, even if the release did not exist when Cloudera Manager 5.3.0 was released. For packages, you cannot currently use the upgrade wizard to upgrade to such a release. This release adds a custom CDH field for the package case, where you can type in a version that did not exist at the time of the Cloudera Manager release.
Cloudera Bug: OPSAPS-24355
impalad memory limit units error in EnableLlamaRMCommand
The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.
Running MapReduce v2 jobs are now visible using the Application Master view
In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.
Deleting services no longer results in foreign key constraint exceptions
The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.
HiveServer2 keystore and LDAP group mapping passwords are no longer exposed in client configuration files
The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.
Cloudera Bug: OPSAPS-24442, OPSAPS-24469
A cross-site scripting vulnerability in Cloudera Management Service web UIs fixed
Cloudera Bug: OPSAPS-24080
The high availability wizard now sets the HDFS dependency on ZooKeeper
Cloudera Bug: OPSAPS-24420
- Create and start a ZooKeeper service if one does not exist.
- Go to the HDFS service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the ZooKeeper Service property or search for it by typing its name in the Search box. Select the ZooKeeper service you created.
To apply this configuration property to other role groups as needed, edit the value for the appropriate role group. See Modifying Configuration Properties Using Cloudera Manager.
- Click Save Changes to commit the changes.
BDR no longer assumes superuser is common if clusters have the same realm
If source and destination clusters are in the same Kerberos realm, Cloudera Manager assumed that superuser of the destination is also the superuser on the source cluster. However, HDFS can be configured so that this is not the case.
Cloudera Bug: OPSAPS-24417
Issues Fixed in Cloudera Manager 5.3.0
Setting the default umask in HDFS fails in new configuration layout
Setting the default umask in the HDFS configuration section to 002 in the new configuration layout displays an error:"Could not parse: Default Umask : Could not parse parameter 'dfs_umaskmode'. Was expecting an octal value with a leading 0. Input: 2", preventing the change from being submitted.
Cloudera Bug: OPSAPS-24340
Workaround: Submit the change using the classic configuration layout.
Spark and Spark (standalone) services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package
Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.
Workaround: After upgrading rest of the services, uninstall the old CDH packages, and then start the Spark service.
Cloudera Bug: OPSAPS-24005
Fixed MapReduce Usage by User reports when using an Oracle database backend
Setting the default umask in HDFS fails in new configuration layout
Setting the default umask in the HDFS configuration section to 002 in the new configuration layout displays an error:"Could not parse: Default Umask : Could not parse parameter 'dfs_umaskmode'. Was expecting an octal value with a leading 0. Input: 2", preventing the change from being submitted.
Workaround: Submit the change using the classic configuration layout.
Cloudera Bug: OPSAPS-24340
Enabling Integrated Resource Management for Impala sets Impala Daemon Memory Limit Incorrectly
The Enable Integrated Resource Management command for Impala (available from the Actions pull-down menu on the Impala service page) sets the Impala Daemon Memory Limit to an unusably small value. This can cause Impala queries to fail.
Workaround 1: Upgrade to Cloudera Manager 5.3.
- Run the Enable Integrated Resource Management wizard up to the Restart Cluster step. Do not click Restart Now.
- Click on the leave this wizard link to exit the wizard without restarting the cluster.
- Go to the YARN service page. Click Configuration, expand the category NodeManager Default Group, and click Resource Management.
- Note the value of the Container Memory property.
- Go to the Impala service page and click Configuration. Type impala daemon memory limit into the search box.
- Set the value of the Impala Daemon Memory Limit property to the value noted in step 4 above.
- Restart the cluster.
Cloudera Bug: OPSAPS-24255
Rolling restart and upgrade of Oozie fails if there is a single Oozie server
Rolling restart and upgrade of Oozie fails if there is only a single Oozie server. Cloudera Manager will show the error message "There is already a pending command on this role."
Workaround: If you have a single Oozie server, do a normal restart.
Cloudera Bug: OPSAPS-23954
Allow "Started but crashed" processes to be restarted by a Start command
In Cloudera Manager 5.3, it is now possible to restart a crashed process with the Start command and not just the Restart command.
Cloudera Bug: OPSAPS-23567
Add dependency from Agent to Daemons package to yum
In Cloudera Manager 5.3, an explicit dependency has been added from the Agent package to the Daemons package so that upgrading Cloudera Manager 5.2.0 or later to Cloudera Manager 5.3 causes the agent to be upgraded as well. Previously, the Cloudera Manager installer always installed both packages, but this is now enforced at the package dependency level as well.
Cloudera Bug: OPSAPS-24079
Issues Fixed in Cloudera Manager 5.2.8
Apache Commons Collections deserialization vulnerability
Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.
In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.
The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.
Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.
Users affected: All
Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.
Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.
Issues Fixed in Cloudera Manager 5.2.7
Sensitive Information in Cloudera Manager Diagnostic Support Bundles
Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.
Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.
Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.
- Users storing sensitive data in advanced configuration snippets
Severity: High
Impact: Possible transmission of sensitive data
CVE: CVE-2015-6495
- Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6
Issues Fixed in Cloudera Manager 5.2.6
Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server
This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.
Cloudera Bug: TSB-60
Problems restarting the NameNode
The NameNode would not restart due to a blocked thread that was processing audit events.
Cloudera Bug: OPSAPS-26129
Cloudera Manager reports the wrong value for Impala bytes read from cache
Instead of cached bytes, it reported the value of short-circuit bytes.
Cloudera Bug: OPSAPS-26938
Directory operational reports do not return results
- Overpopulated Directories
- Large Directories
- Custom reports where Replication= 0
Cloudera Bug: OPSAPS-26178
Cloudera Manager uses Xalan 2.7.2
The version of Xalan used in Cloudera Manager has been upgraded to version 2.7.2 to address a possible vulnerability.
Cloudera Bug: CDH-27059
Cluster name changed to "cluster" after upgrade
After upgrading CDH, the display name of the cluster no longer changes to “cluster”.
Cloudera Bug: OPSAPS-25279
Cloudera Manager monitors the wrong directory for space threshold warnings
Cloudera Manager was monitoring the disk space thresholds using the /var/run/cloudera-scm-agent directory. Cloudera Manager now monitors the correct directory: /var/run/cloudera-scm-agent/process.
Cloudera Bug: OPSAPS-24529
Default timeout value for the Hive MetaStore changed to 60 seconds
The default value in the Hive Service Monitor Client Config Overrides property for the hive.metastore.client.socket.timeout property is now 60.
Cloudera Bug: OPSAPS-24346
Changing client configuration overrides
Changes made to client configuration overrides did not take effect until the service was restarted.
Cloudera Bug: OPSAPS-25194
Issues Fixed in Cloudera Manager 5.2.5
Slow staleness calculation can lead to ZooKeeper data loss when new servers are added
In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.
Cloudera Bug: OPSAPS-25966
Permissions set incorrectly on YARN Keytab files
Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.
Cloudera Bug: OPSAPS-25390, TSB-48
Issues Fixed in Cloudera Manager 5.2.2
Impalad memory limit units error in EnableLlamaRMCommand has been fixed
The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.
Fixed MapReduce Usage by User reports when using an Oracle database backend
HiveServer2 keystore and LDAP group mapping passwords are no longer exposed in client configuration files
The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.
Cloudera Bug: OPSAPS-24442, OPSAPS-24469
Running MapReduce v2 jobs are now visible using the Application Master view
In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.
Deleting services no longer results in foreign key constraint exceptions
The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.
Issues Fixed in Cloudera Manager 5.2.1
“POODLE” vulnerability on TLS/SSL enabled ports
The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager in 5.2.0 and all earlier versions. Cloudera Manager 5.2.1 provides these changes for Cloudera Manager 5.2.0 deployments. All Cloudera Manager 5.2.0 users should upgrade to 5.2.1 as soon as possible. For more information, see the Cloudera Security Bulletin.
Can use the log4j advanced configuration snippet to override the default audit logging configuration even if not using Navigator
In Cloudera Manager 5.2.0 only, it was not possible to use the log4j advanced configuration snippet to override the default audit logging configuration when Navigator was not being used.
Cloudera Bug: OPSAPS-23864
Cloudera Manager now collects metrics for CDH 5.0 DataNodes and NameNodes
A number of NameNode and DataNode charts show no data and a number of NameNode and DataNode health checks show unknown results. Metric collection for CDH 5.1 roles is unaffected.
Cloudera Bug: OPSAPS-23363
Workaround: None.
The Reports Manager and Event Server Thrift servers no longer crash on HTTP requests
HTTP queries against the Reports Manager and Event Server Thrift server would earlier cause it to crash with out-of-memory exception.
Cloudera Bug: OPSAPS-23160
Replication commands now use the correct JAVA_HOME if an override has been provided for it
ZooKeeper connection leaks from HBase clients in Service Monitor have been fixed
When a parcel is activated, user home directories are now created with umask 022 instead of using the "useradd" default 077
Cloudera Bug: OPSAPS-23680
Issues Fixed in Cloudera Manager 5.2.0
Bug in openssl-1.0.1e-15 disrupts TLS/SSL communication between Cloudera Manager Agents and CDH services
This issue was observed in TLS/SSL-enabled clusters running CentOS 6.4 and 6.5, where the Cloudera Manager Agent failed when trying to communicate with CDH services. You can see the bug report here.
Cloudera Bug: OPSAPS-23324
Workaround: Upgrade to openssl-1.0.1e-16.el6_5.7.x86_64.
Alternatives database points to client configurations of deleted service
In the past, if you created a service, deployed its client configurations, and then deleted that service, the client configurations lived in the alternative database, with a possibly high priority, until cleaned up manually. Now, for a given "alternatives path" (for example /etc/hadoop/conf) if there exist both "live" client configurations (ones that would be pushed out with deploy client configurations for active services) and ones that have been "orphaned" client configurations (the service they correspond to has been deleted), the orphaned ones will be removed from the alternatives database. In other words, to trigger cleanup of client configurations associated with a deleted service you must create a service to replace it.
Cloudera Bug: OPSAPS-13336
The YARN property ApplicationMaster Max Retries has no effect in CDH 5
The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.
Cloudera Bug: OPSAPS-21797
- Add the following to ResourceManager Advanced Configuration Snippet for yarn-site.xml, replacing MAX_ATTEMPTS with the
desired maximum number of attempts:
<property> <name>yarn.resourcemanager.am.max-attempts</name><value>MAX_ATTEMPTS</value> </property>
- Restart the ResourceManager(s) to pick up the change.
The Spark History Server does not start when Kerberos authentication is enabled.
The Spark History Server does not start when managed by a Cloudera Manager 5.1 instance when Kerberos authentication is enabled.
- Go to the Spark service.
- Expand the category.
- Add the following configuration to the History Server Environment Advanced Configuration Snippet property:
SPARK_HISTORY_OPTS=-Dspark.history.kerberos.enabled=true \ -Dspark.history.kerberos.principal=principal \ -Dspark.history.kerberos.keytab=keytab
Cloudera Bug: CDH-19867
Hive replication issue with TLS enabled
Hive replication will fail when the source Cloudera Manager instance has TLS enabled, even though the required certificates have been added to the target Cloudera Manager's trust store.
Cloudera Bug: OPSAPS-22159
Workaround: Add the required Certificate Authority or self-signed certificates to the default Java trust store, which is typically a copy of the cacerts file named jssecacerts in the $JAVA_HOME/jre/lib/security/ path of your installed JDK. Use keytool to import your private CA certificates into the jssecacert file.
The Spark Upload Jar command fails in a secure cluster
The Spark Upload Jar command fails in a secure cluster.
Cloudera Bug: OPSAPS-19856
Workaround: To run Spark on YARN, manually upload the Spark assembly jar to HDFS /user/spark/share/lib. The Spark assembly jar is located on the local filesystem, typically in /usr/lib/spark/assembly/lib or /opt/cloudera/parcels/CDH/lib/spark/assembly/lib.
Clients of the JobHistory Server Admin Interface Require Advanced Configuration Snippet
Clients of the JobHistory server administrative interface, such as the mapred hsadmin tool, may fail to connect to the server when run on hosts other than the one where the JobHistory server is running.
Cloudera Bug: OPSAPS-20347
<property> <name>mapreduce.history.admin.address</name> <value>JOBHISTORY_SERVER_HOST:10033</value> </property>
Issues Fixed in Cloudera Manager 5.1.7
Apache Commons Collections deserialization vulnerability
Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.
In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.
The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.
Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.
Users affected: All
Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.
Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.
Issues Fixed in Cloudera Manager 5.1.6
Sensitive Information in Cloudera Manager Diagnostic Support Bundles
Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.
Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.
Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.
- Users storing sensitive data in advanced configuration snippets
Severity: High
Impact: Possible transmission of sensitive data
CVE: CVE-2015-6495
- Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6
Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server
This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.
Fixed Issues in Cloudera Manager 5.1.5
Slow staleness calculation can lead to ZooKeeper data loss when new servers are added
In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.
Cloudera Bug: OPSAPS-25966
Permissions set incorrectly on YARN Keytab files
Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.
Cloudera Bug: OPSAPS-25390, TSB-48
Fixed Issues in Cloudera Manager 5.1.4
“POODLE” vulnerability on TLS/SSL enabled ports
The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.1.4 provides these changes for Cloudera Manager 5.1.x deployments. All Cloudera Manager 5.1.x users should upgrade to 5.1.4 as soon as possible. For more information, see the Cloudera Security Bulletin.
Issues Fixed in Cloudera Manager 5.1.3
Improved speed and heap usage when deleting hosts on cluster with long history
Speed and heap usage have been improved when deleting hosts on clusters that have been running for a long time.
When there are multiple clusters, each cluster's topology files and validation for legal topology is limited to hosts in that cluster
When there are multiple clusters, each cluster's topology files and validation for legal topology is limited to hosts in that cluster. Most commands will now fail up front if the cluster's topology is invalid.
The size of the statement cache has been reduced for Oracle databases
For users of Oracle databases, the size of the statement cache has been reduced to help with memory consumption.
Improvements to memory usage of "cluster diagnostics collection" for large clusters.
Memory usage of "cluster diagnostics collection" has been improved for large clusters.
Issues Fixed in Cloudera Manager 5.1.2
If a NodeManager that is used as ApplicationMaster is decommissioned, YARN jobs will hang
Cloudera Bug: OPSAPS-21797
Jobs can hang on NodeManager decommission due to a race condition when continuous scheduling is enabled.
- Go to the YARN service.
- Expand the category.
- Uncheck the Enable Fair Scheduler Continuous Scheduling checkbox.
- Click Save Changes to commit the changes.
- Restart the YARN service.
Could not find a healthy host with CDH 5 on it to create HiveServer2 error during upgrade
When upgrading from CDH 4 to CDH 5, if no parcel is active then the error message "Could not find a healthy host with CDH5 on it to create HiveServer2" displays. This can happen when transitioning from packages to parcels, or if you explicitly deactivate the CDH 4 parcel (which is not necessary) before upgrade.
Workaround: Wait 30 seconds and retry the upgrade.
Cloudera Bug: OPSAPS-21942
AWS installation wizard requires Java 7u45 to be installed on Cloudera Manager Server host
Cloudera Manager 5.1 installs Java 7u55 by default. However, the AWS installation wizard does not work with Java 7u55 due to a bug in the jClouds version packaged with Cloudera Manager.
- Stop the Cloudera Manager Server.
sudo service cloudera-scm-server stop
- Uninstall Java 7u55 from the Cloudera Manager Server host.
- Install Java 7u45 (which you can download from http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u45-oth-JPR) on the Cloudera Manager Server host.
- Start the Cloudera Manager Server.
sudo service cloudera-scm-server start
- Run the AWS installation wizard.
Cloudera Bug: OPSAPS-21855
The YARN property ApplicationMaster Max Retries has no effect in CDH 5
The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.
Cloudera Bug: OPSAPS-21797; KI added Cloudera Manager 5.1.0
- Add the following to ResourceManager Advanced Configuration Snippet for yarn-site.xml, replacing MAX_ATTEMPTS with the
desired maximum number of attempts:
<property> <name>yarn.resourcemanager.am.max-attempts</name><value>MAX_ATTEMPTS</value> </property>
- Restart the ResourceManager(s) to pick up the change.
(BDR) Replications can be affected by other replications or commands running at the same time
Replications can be affected by other replications or commands running at the same time, causing replications to fail unexpectedly or even be silently skipped sometimes. When this occurs, a StaleObjectException is logged to the Cloudera Manager logs. This is known to occur even with as few as four replications starting at the same time.
Cloudera Bug: OPSAPS-21918
Issues Fixed in Cloudera Manager 5.1.1
Checking "Install Java Unlimited Strength Encryption Policy Files" During Add Cluster or Add/Upgrade Host Wizard on RPM based distributions if JDK 7 or above is pre-installed will cause Cloudera Manager and CDH to fail
If you have manually installed Oracle's official JDK 7 or 8 rpm on a host (or hosts), and check the Install Java Unlimited Strength Encryption Policy Files checkbox in the Add Cluster or Add Host wizard when installing Cloudera Manager on that host (or hosts), or when upgrading Cloudera Manager to 5.1, Cloudera Manager installs JDK 6 policy files, which will prevent any Java programs from running against that JDK. Additionally, if this situation does apply, Cloudera Manager/CDH will also choose that particular Java as the default to run against, meaning that Cloudera Manager/CDH fail to start, throwing the following message in logs: Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!.
- JDK 7 Instructions: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
- JDK 8 Instructions: http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
Cloudera Bug: OPSAPS-21914
Issues Fixed in Cloudera Manager 5.1.0
Changes to property for yarn.nodemanager.remote-app-log-dir are not included in the JobHistory Server yarn-site.xml and Gateway yarn-site.xml
When "Remote App Log Directory" is changed in YARN configuration, the property yarn.nodemanager.remote-app-log-dir are not included in the JobHistory Server yarn-site.xml and Gateway yarn-site.xml.
Cloudera Bug: OPSAPS-20906; KI added Cloudera Manager 5.0.1
<property> <name>yarn.nodemanager.remote-app-log-dir</name> <value>/path/to/logs</value> </property>
Secure CDH 4.1 clusters have Hue and Impala share the same Hive
In a secure CDH 4.1 cluster, Hue and Impala cannot share the same Hive instance. If "Bypass Hive Metastore Server" is disabled on the Hive service, then Hue will not be able to talk to Hive. Conversely, if "Bypass Hive Metastore" enabled on the Hive service, then Impala will have a validation error.
Cloudera Bug: OPSAPS-20482
Severity: High
Workaround: Upgrade to CDH 4.2.
The command history has an option to select the number of commands, but does not always return the number you request
Cloudera Bug: OPSAPS-17243
Workaround: None.
Hue does not support YARN ResourceManager High Availability
Cloudera Bug: OPSAPS-18473
- Go to the Hue service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Hue Server Advanced Configuration Snippet (Safety Valve) for hue_safety_valve_server.ini property or search for it by typing its name in the Search box.
- In the Hue Server Advanced Configuration Snippet for hue_safety_valve_server.ini field, add the following:
[hadoop] [[ yarn_clusters ]] [[[default]]] resourcemanager_host=<hostname of active ResourceManager> resourcemanager_api_url=http://<hostname of active resource manager>:<web port of active resource manager> proxy_api_url=http://<hostname of active resource manager>:<web port of active resource manager>
The default web port of Resource Manager is 8088. - Click Save Changes to have these configurations take effect.
- Restart the Hue service.
Cloudera Manager does not support encrypted shuffle.
Encrypted shuffle has been introduced in CDH 4.1, but it is not currently possible to enable it through Cloudera Manager.
Cloudera Bug: OPSAPS-8480
Severity: Medium
Workaround: None.
Hive CLI does not work in CDH 4 when "Bypass Hive Metastore Server" is enabled
Hive CLI does not work in CDH 4 when "Bypass Hive Metastore Server" is enabled.
Cloudera Bug: OPSAPS-20721
Workaround: Configure Hive and disable the "Bypass Hive Metastore Server" option.
Alternatively, an approach can be taken that will cause the "Hive Auxiliary JARs Directory" to not work, but will enable basic Hive commands to work. Add the following to "Gateway Client Environment Advanced Configuration Snippet for hive-env.sh," then re-deploy the Hive client configuration:
HIVE_AUX_JARS_PATH=" AUX_CLASSPATH=/usr/share/java/mysql-connector-java.jar:/usr/share/java/oracle-connector-java.jar:$(find /usr/share/cmf/lib/postgresql-jdbc.jar 2> /dev/null | tail -n 1)
Incorrect Absolute Path to topology.py in Downloaded YARN Client Configuration
The downloaded client configuration for YARN includes the topology.py script. The location of this script is given by the net.topology.script.file.name property in core-site.xml. But the core-site.xml file downloaded with the client configuration has an incorrect absolute path to /etc/hadoop/... for topology.py. This can cause clients that run against this configuration to fail (including Spark clients run in yarn-client mode, as well as YARN clients).
Cloudera Bug: OPSAPS-20337
Workaround: Edit core-site.xml to change the value of the net.topology.script.file.name property to the path where the downloaded copy of topology.py is located. This property must be set to an absolute path.
search_bind_authentication for Hue is not included in .ini file
When search_bind_authentication is set to false, Cloudera Manager does not include it in hue.ini.
Cloudera Bug: OPSAPS-20926
[desktop] [[ldap]] search_bind_authentication=false
Erroneous warning displayed on the HBase configuration page on CDH 4.1 in Cloudera Manager 5.0.0
An erroneous "Failed parameter validation" warning is displayed on the HBase configuration page on CDH 4.1 in Cloudera Manager 5.0.0
Severity: Low
Cloudera Bug: OPSAPS-20310
Workaround: Use CDH4.2 or higher, or ignore the warning.
Host recommissioning and decommissioning should occur independently
In large clusters, when problems appear with a host or role, administrators may choose to decommission the host or role to fix it and then recommission the host or role to put it back in production. Decommissioning, especially host decommissioning, is slow, hence the importance of parallelization, so that host recommissioning can be initiated before decommissioning is done.
Cloudera Bug: OPSAPS-19055
Fixed Issues in Cloudera Manager 5.0.8
Apache Commons Collections deserialization vulnerability
Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.
In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.
The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.
Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.
Users affected: All
Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.
Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.
Fixed Issues in Cloudera Manager 5.0.7
Sensitive Information in Cloudera Manager Diagnostic Support Bundles
Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.
Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.
Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.
- Users storing sensitive data in advanced configuration snippets
Severity: High
Impact: Possible transmission of sensitive data
CVE: CVE-2015-6495
- Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6
Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server
This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.
Fixed Issues in Cloudera Manager 5.0.6
Slow staleness calculation can lead to ZooKeeper data loss when new servers are added
In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.
Cloudera Bug: OPSAPS-25966
Fixed Issues in Cloudera Manager 5.0.5
“POODLE” vulnerability on TLS/SSL enabled ports
The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.0.5 provides these changes for Cloudera Manager 5.0.x deployments. All Cloudera Manager 5.0.x users should upgrade to 5.0.5 as soon as possible. For more information, see the Cloudera Security Bulletin.
Issues Fixed in Cloudera Manager 5.0.2
Cloudera Manager Impala Query Monitoring does not work with Impala 1.3.1
Impala 1.3.1 contains changes to the runtime profile format that break the Cloudera Manager Query Monitoring feature. This leads to exceptions in the Cloudera Manager Service Monitor logs, and Impala queries no longer appear in the Cloudera Manager UI or API. The issue affects Cloudera Manager 5.0 and 4.6 - 4.8.2.
Cloudera Bug: OPSAPS-20744; KI added Cloudera Manager 5.0.1
Workaround: None. The issue will be fixed in Cloudera Manager 4.8.3 and Cloudera Manager 5.0.1. To avoid the Service Monitor exceptions, turn off the Cloudera Manager Query Monitoring feature by going to
and setting the Query Monitoring Period to 0 seconds. Note that the Impala Daemons must be restarted when changing this setting, and the setting must be restored once the fix is deployed to turn the query monitoring feature back on. Impala queries will then appear again in Cloudera Manager’s Impala query monitoring feature.Issues Fixed in Cloudera Manager 5.0.1
Upgrade from Cloudera Manager 5.0.0 beta 1 or beta 2 to Cloudera Manager 5.0.0 requires assistance from Cloudera Support
Contact Cloudera Support before upgrading from Cloudera Manager 5.0.0 beta 1 or beta 2 to Cloudera Manager 5.0.0.
Cloudera Bug: OPSAPS-19894
Workaround: Contact Cloudera Support.
Failure of HDFS Replication between clusters with YARN
HDFS replication between clusters in different Kerberos realms fails when using YARN if the target cluster is CDH 5.
Cloudera Bug: OPSAPS-19930
Workaround: Use MapReduce (MRv1) instead of YARN.
If installing CDH 4 packages, the Impala 1.3.0 option does not work because Impala 1.3 is not yet released for CDH 4.
If installing CDH 4 packages, the Impala 1.3.0 option listed in the install wizard does not work because Impala 1.3.0 is not yet released for CDH 4.
Cloudera Bug: OPSAPS-20406
Workaround: Install using parcels (where the unreleased version of Impala does not appear), or select a different version of Impala when installing with packages.
When updating dynamic resource pools, Cloudera Manager updates roles but may fail to update role information displayed in the UI
When updating dynamic resource pools, Cloudera Manager automatically refreshes the affected roles, but they sometimes get marked incorrectly as running with outdated configurations and requiring a refresh.
Cloudera Bug: OPSAPS-19863
Workaround: Invoke the Refresh Cluster command from the cluster actions drop-down menu.
Upgrade of secure cluster requires installation of JCE policy files
When upgrading a secure cluster via Cloudera Manager, the upgrade initially fails due to the JDK not having Java Cryptography Extension (JCE) unlimited strength policy files. This is because Cloudera Manager installs a copy of the Java 7 JDK during the upgrade, which does not include the unlimited strength policy files. To ensure that unlimited strength functionality continues to work, install the unlimited strength JCE policy files immediately after completing the Cloudera Manager Upgrade Wizard and before taking any other actions in Cloudera Manager.
Cloudera Bug: OPSAPS-18641
Workaround: Install the unlimited strength JCE policy files immediately after completing the Cloudera Manager Upgrade Wizard and before taking any other action in Cloudera Manager.
The Details page for MapReduce jobs displays the wrong id for YARN-based replications
The Details link for MapReduce jobs is wrong for YARN-based replications.
Cloudera Bug: OPSAPS-19874
Workaround: Find the job id in the link and then go to the YARN Applications page and look for the job there.
Reset non-default HDFS File Block Storage Location Timeout value after upgrade from CDH 4 to CDH 5
During an upgrade from CDH 4 to CDH 5, if the HDFS File Block Storage Locations Timeout was previously set to a custom value, it will now be set to 10 seconds or the custom value, whichever is higher. This is required for Impala to start in CDH 5, and any value under 10 seconds is now a validation error. This configuration is only emitted for Impala and no services should be adversely impacted.
Cloudera Bug: OPSAPS-20515
Workaround: None.
HDFS NFS gateway works only on RHEL and similar systems
HDFS NFS gateway works as shipped ("out of the box") only on RHEL-compatible systems, but not on SLES, Ubuntu, or Debian. Because of a bug in native versions of portmap/rpcbind, the HDFS NFS gateway does not work out of the box on SLES, Ubuntu, or Debian systems when CDH has been installed from the command-line, using packages. It does work on supported versions of RHEL-compatible systems on which rpcbind-0.2.0-10.el6 or later is installed, and it does work if you use Cloudera Manager to install CDH, or if you start the gateway as root. For more information, see supported versions.
Bug: 731542 (Red Hat), 823364 (SLES), 594880 (Debian)
- On Red Hat and similar systems, make sure rpcbind-0.2.0-10.el6 or later is installed.
- On SLES, Debian, and Ubuntu systems, do one of the following:
- Install CDH using Cloudera Manager; or
- As of CDH 5.1, start the NFS gateway as root; or
- Start the NFS gateway without using packages; or
- You can use the gateway by running rpcbind in insecure mode, using the -i option, but keep in mind that this allows anyone from a remote host to bind to the portmap.
Sensitive configuration values exposed in Cloudera Manager
Certain configuration values that are stored in Cloudera Manager are considered sensitive, such as database passwords. These configuration values should be inaccessible to non-administrator users, and this is enforced in the Cloudera Manager Administration Console. However, these configuration values are not redacted when they are read through the API, possibly making them accessible to users who should not have such access.
Cloudera Bug: OPSAPS-20782
Gateway role configurations not respected when deploying client configurations
Gateway configurations set for gateway role groups other than the default one or at the role level were not being respected.
Cloudera Bug: OPSAPS-9853
Documentation reflects requirement to enable at least Level 1 encryption before enabling Kerberos authentication
Cloudera Security documentation now indicates that before enabling Kerberos authentication you should first enable at least Level 1 encryption. For more information see Cloudera Security.
HDFS NFS gateway does not work on all Cloudera-supported platforms
The NFS gateway cannot be started on some Cloudera-supported platforms.
Cloudera Bug: OPSAPS-19957
Workaround: None. Fixed in Cloudera Manager 5.0.1.
Replace YARN_HOME with HADOOP_YARN_HOME during upgrade
If yarn.application.classpath was set to a non-default value on a CDH 4 cluster, and that cluster is upgraded to CDH 5, the classpath is not updated to reflect that $YARN_HOME was replaced with $HADOOP_YARN_HOME. This will cause YARN jobs to fail.
Cloudera Bug: OPSAPS-20348
Workaround: Reset yarn.application.classpath to the default, then re-apply your classpath customizations if needed.
Insufficient password hashing in Cloudera Manager
In versions of Cloudera Manager earlier than 4.8.3 and earlier than 5.0.1, user passwords are only hashed once. Passwords should be hashed multiple times to increase the cost of dictionary based attacks, where an attacker tries many candidate passwords to find a match. The issue only affects user accounts that are stored in the Cloudera Manager database. User accounts that are managed externally (for example, with LDAP or Active Directory) are not affected.
In addition, because of this issue, Cloudera Manager 4.8.3 cannot be upgraded to Cloudera Manager 5.0.0. Cloudera Manager 4.8.3 must be upgraded to 5.0.1 or later.
Cloudera Bug: OPSAPS-20537
Workaround: Upgrade to Cloudera Manager 5.0.1.
Upgrade to Cloudera Manager 5.0.0 from SLES older than Service Pack 3 with PostgreSQL older than 8.4 fails
Upgrading to Cloudera Manager 5.0.0 from SUSE Linux Enterprise Server (SLES) older than Service Pack 3 will fail if the embedded PostgreSQL database is in use and the installed version of PostgreSQL is less than 8.4.
Cloudera Bug: OPSAPS-20696
Workaround: Either migrate away from the embedded PostgreSQL database (use MySQL or Oracle) or upgrade PostgreSQL to 8.4 or greater.
MR1 to MR2 import fails on a secure cluster
When running the MR1 to MR2 import on a secure cluster, YARN jobs will fail to find container-executor.cfg.
Cloudera Bug: OPSAPS-18657
Workaround: Restart YARN after the import.
After upgrade from CDH 4 to CDH 5, Oozie is missing workflow extension schemas
After an upgrade from CDH 4 to CDH 5, Oozie does not pick up the new workflow extension schemas automatically. User will need to update oozie.service.SchemaService.wf.ext.schemas manually and add the schemas added in CDH 5: shell-action-0.3.xsd, sqoop-action-0.4.xsd, distcp-action-0.2.xsd, oozie-sla-0.1.xsd, oozie-sla-0.2.xsd. Note: None of the existing jobs will be affected by this bug, only new workflows that require new schemas.
Cloudera Bug: OPSAPS-20246
Workaround: Add the new workflow extension schemas to Oozie manually by editing oozie.service.SchemaService.wf.ext.schemas.
Issues Fixed in Cloudera Manager 5.0.0
HDFS replication does not work from CDH 5 to CDH 4 with different realms
HDFS replication does not work from CDH 5 to CDH 4 with different realms. This is because authentication fails for services in a non-default realm via the WebHdfs API due to a JDK bug. This has been fixed in JDK6-u34 (b03)) and in JDK7.
Cloudera Bug: OPSAPS-2017
Workaround: Use JDK 7 or upgrade JDK6 to at least version u34.
The Sqoop Upgrade command in Cloudera Manager may report success even when the upgrade fails
Cloudera Bug: CDH-17316
-
- Click the Sqoop service and then the Instances tab.
- Click the Sqoop server role then the Commands tab.
- Click the stdout link and scan for the Sqoop Upgrade command.
- In the All Recent Commands page, select the stdout link for latest Sqoop Upgrade command.
Cannot restore a snapshot of a deleted HBase table
If you take a snapshot of an HBase table, and then delete that table in HBase, you will not be able to restore the snapshot.
Cloudera Bug: OPSAPS-16881
Severity: Med
Workaround: Use the "Restore As" command to recreate the table in HBase.
Stop dependent HBase services before enabling HDFS Automatic Failover.
When enabling HDFS Automatic Failover, you need to first stop any dependent HBase services. The Automatic Failover configuration workflow restarts both NameNodes, which could cause HBase to become unavailable.
Cloudera Bug: OPSAPS-9645
Severity: Medium
New schema extensions have been introduced for Oozie in CDH 4.1
In CDH 4.1, Oozie introduced new versions for Hive, Sqoop and workflow schema. To use them, you must add the new schema extensions to the Oozie SchemaService Workflow Extension Schemas configuration property in Cloudera Manager.
Cloudera Bug: OPSAPS-10021
Severity: Low
Workaround: In Cloudera Manager, do the following:
- Go to the CDH 4 Oozie service page.
- Go to the Configuration tab, View and Edit.
- Search for "Oozie Schema". This should show the Oozie SchemaService Workflow Extension Schemas property.
- Add the following to the Oozie SchemaService Workflow Extension Schemas property:
shell-action-0.2.xsd hive-action-0.3.xsd sqoop-action-0.3.xsd
- Save these changes.
YARN Resource Scheduler user FairScheduler rather than FIFO.
Cloudera Manager 5.0.0 sets the default YARN Resource Scheduler to FairScheduler. If a cluster was previously running YARN with the FIFO scheduler, it will be changed to FairScheduler next time YARN restarts. The FairScheduler is only supported with CDH4.2.1 and later, and older clusters may hit failures and need to manually change the scheduler to FIFO or CapacityScheduler.
Cloudera Bug: OPSAPS-13335
Severity: Medium
- Go the YARN service Configuration page
- Search for "scheduler.class"
- Click in the Value field and select the schedule you want to use.
- Save your changes and restart YARN to update your configurations.
Resource Pools Summary is incorrect if time range is too large.
The Resource Pools Summary does not show correct information if the Time Range selector is set to show 6 hours or more.
Cloudera Bug: OPSAPS-16018
Severity: Medium
Workaround: None.
When running the MR1 to MR2 import on a secure cluster, YARN jobs will fail to find container-executor.cfg
Cloudera Bug: OPSAPS-18657
Workaround: Restart YARN after the import steps finish. This causes the file to be created under the YARN configuration path, and the jobs now work.
When upgrading to Cloudera Manager 5.0.0, the "Dynamic Resource Pools" page is not accessible
When upgrading to Cloudera Manager 5.0.0, users will not be able to directly access the "Dynamic Resource Pools" page. Instead, they will be presented with a dialog saying that the Fair Scheduler XML Advanced Configuration Snippet is set.
Cloudera Bug: OPSAPS-18768
- Go to the YARN service.
- Click the Configuration tab.
- Select .
- Select .
- Locate the Fair Scheduler XML Advanced Configuration Snippet property or search for it by typing its name in the Search box.
- Copy the value of the Fair Scheduler XML Advanced Configuration Snippet into a file.
- Clear the value of Fair Scheduler XML Advanced Configuration Snippet.
- Recreate the desired Fair Scheduler allocations in the Dynamic Resource Pools page, using the saved file for reference.
New Cloudera Enterprise licensing is not reflected in the wizard and license page
Cloudera Bug: OPSAPS-18241
Workaround: None.
The AWS Cloud wizard fails to install Spark due to missing roles
Cloudera Bug: OPSAPS-18937
- Use the Installation wizard.
- Open a new window, click the Spark service, click on the Instances tab, click Add, add all required roles to Spark. Once the roles are successfully added, click the Retry button in the Installation wizard.
Spark on YARN requires manual configuration
Spark on YARN requires the following manual configuration to work correctly: modify the YARN Application Classpath by adding /etc/hadoop/conf, making it the very first entry.
Cloudera Bug: OPSAPS-19788
Workaround: Add /etc/hadoop/conf as the first entry in the YARN Application classpath.
Monitoring works with Solr and Sentry only after configuration updates
Cloudera Manager monitoring does not work out of the box with Solr and Sentry on Cloudera Manager 5. The Solr service is in Bad health, and all Solr Servers have a failing "Solr Server API Liveness" health check.
Cloudera Bug: OPSAPS-18152
Severity: Medium
Workaround: Complete the configuration steps below:
- Create "HTTP" user and group on all machines in the cluster (with useradd 'HTTP' on RHEL-type systems).
- The instructions that follow this step assume there is no existing Solr Sentry policy file in use. In that case, first create the policy file on /tmp and
then copy it over to the appropriate location in HDFS that Solr Servers check. If there is already a Solr Sentry policy in use, it must be modified to add the following [group] / [role] entries for 'HTTP'. Create a file (for example, /tmp/cm-authz-solr-sentry-policy.ini) with the following contents:
[groups] HTTP = HTTP [roles] HTTP = collection = admin->action=query
- Copy this file to the location for the "Sentry Global Policy File" for Solr. The associated config name for this location is sentry.solr.provider.resource, and you can see the current value by navigating to the Sentry sub-category in the Service Wide configuration editing workflow in the Cloudera Manager UI. The default value for this entry is /user/solr/sentry/sentry-provider.ini. This refers to a path in HDFS.
- Check if you have entries in HDFS for the parent(s) directory:
sudo -u hdfs hadoop fs -ls /user
- You may need to create the appropriate parent directories if they are not present. For example:
sudo -u hdfs hadoop fs -mkdir /user/solr/sentry
- After ensuring the parent directory is present, copy the file created in step 2 to this location, as follows:
sudo -u hdfs hadoop fs -put /tmp/cm-authz-solr-sentry-policy.ini /user/solr/sentry/sentry-provider.ini
- Ensure that this file is owned/readable by the solr user (this is what the Solr Server runs as):
sudo -u hdfs hadoop fs -chown solr /user/solr/sentry/sentry-provider.ini
- Restart the Solr service. If both Kerberos and Sentry are being enabled for Solr, the MGMT services also need to be restarted. The Solr Server liveness health checks should clear up once SMON has had a chance to contact the servers and retrieve metrics.
Out-of-memory errors may occur when using the Reports Manager
Out-of-memory errors may occur when using the Cloudera Manager Reports Manager.
Cloudera Bug: OPSAPS-19980
Workaround: Set the value of the "Java Heap Size of Reports Manager" property to at least the size of the HDFS filesystem image (fsimage) and restart the Reports Manager.
Applying license key using Internet Explorer 9 and Safari fails
Cloudera Manager is designed to work with IE 9 and above and Safari. However the file upload widget used to upload a license currently does not work with IE 9 or Safari. Therefore, installing an enterprise license does not work.
Cloudera Bug: OPSAPS-17223
Workaround: Use another supported browser.
Issues Fixed in Cloudera Manager 5.0.0 Beta 2
The Sqoop Upgrade command in Cloudera Manager may report success even when the upgrade fails
Cloudera Bug: OPSAPS-18924
-
- Click the Sqoop service and then the Instances tab.
- Click the Sqoop server role then the Commands tab.
- Click the stdout link and scan for the Sqoop Upgrade command.
- In the All Recent Commands page, select the stdout link for latest Sqoop Upgrade command.
The HDFS Canary Test is disabled for secured CDH 5 services.
Due to a bug in Hadoop's handling of multiple RPC clients with distinct configurations within a single process with Kerberos security enabled, Cloudera Manager will disable the HDFS canary test when security is enabled so as to prevent interference with Cloudera Manager's MapReduce monitoring functionality.
Cloudera Bug: OPSAPS-16537
Severity: Medium
Workaround: None
Not all monitoring configurations are migrated from MR1 to MR2.
When MapReduce v1 configurations are imported for use by YARN (MR2), not all of the monitoring configuration values are currently migrated. Users may need to reconfigure custom values for properties such as thresholds.
Cloudera Bug: OPSAPS-16211
Severity: Medium
Workaround: Manually reconfigure any missing property values.
"Access Denied" may appear for some features after adding a license or starting a trial.
After starting a 60-day trial or installing a license for Enterprise Edition, you may see an "access denied" message when attempting to access certain Enterprise Edition-only features such as the Reports Manager. You need to log out of the Admin Console and log back in to access these features.
Cloudera Bug: OPSAPS-16686
Severity: Low
Workaround: Log out of the Admin Console and log in again.
Hue must set impersonation on when using Impala with impersonation.
When using Impala with impersonation, the impersonation_enabled flag must be present and configured in the hue.ini file. If impersonation is enabled in Impala (in other words, if Impala is using Sentry) then this flag must be set true. If Impala is not using impersonation, it should be set false (the default).
Cloudera Bug: OPSAPS-16011
- Go to the Hue Service Configuration Advanced Configuration Snippet for hue_safety_valve.ini under the Hue service Configuration settings, Service-Wide > Advanced category.
- Add the following, then uncomment the setting and set the value True or False as appropriate:
################################################################# # Settings to configure Impala ################################################################# [impala] .... # Turn on/off impersonation mechanism when talking to Impala ## impersonation_enabled=False
Cloudera Manager Server may fail to start when upgrading using a PostgreSQL database.
ERROR [main:dbutil.JavaRunner@57] Exception while executing com.cloudera.cmf.model.migration.MigrateConfigRevisions java.lang.RuntimeException: java.sql.SQLException: Batch entry <xxx> insert into REVISIONS (REVISION_ID, OPTIMISTIC_LOCK_VERSION, USER_ID, TIMESTAMP, MESSAGE) values (...) was aborted. Call getNextException to see the cause.
Cloudera Bug: OPSAPS-16971
alter table REVISIONS alter column MESSAGE type varchar(1048576);After that, your Cloudera Manager server should start up normally.
Issues Fixed in Cloudera Manager 5.0.0 Beta 1
After an upgrade from Cloudera Manager 4.6.3 to 4.7, Impala does not start.
After an upgrade from Cloudera Manager 4.6.3 to 4.7 when Navigator is used, Impala will fail to start because the Audit Log Directory property has not been set by the upgrade procedure.
Cloudera Bug: OPSAPS-15333; added with Cloudera Manager 4.7.0
Severity: Low.
Workaround: Manually set the property to /var/log/impalad/audit. See Configuring Service Auditing Properties for more information.