Issues Fixed in Cloudera Manager 5

The Cloudera Manager Python API client released in 5.16.1 missed changes that were introduced in version 5.15, including changes related to Backup and Disaster Recovery (BDR) Hive Replication. Those missing changes have been ported.

Cloudera Bug: OPSAPS-48873

This fix handles the scenario for multiple nameservices in the dfs.nameservices configuration. Now the feature cross-checks that with the fs.defaultFS configured in core-site.xml.

Cloudera Bug: OPSAPS-48579

This fix aligns multi-thread Hive replication error handling with the single-thread case. Multi-thread Hive replication now has the appropriate error types, suppressed by the replication.hive.ignoreTableNotFound and replication.hive.ignoreDataBaseNotFound safety valves implicitly.

Cloudera Bug: OPSAPS-49987

Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.

Cloudera Bug: OPSAPS-24398

The abort functionality now works as expected.

Cloudera Bug: OPSAPS-39694

Fixed an issue with HDFS replication where reserved raw data is replicated with the delete strategy.

Cloudera Bug: OPSAPS-47244

When Threshold settings are saved with values such as Any or Never, a bug in the validation code prevented the user from saving the threshold to a specific value. This is now fixed.

Cloudera Bug: OPSAPS-46657

Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replications jobs from running.

Cloudera Bug: OPSAPS-46154

Google Chrome version 66, released on 28 April 2018, introduced behavior changes which can trigger unintended modification of existing configuration values in Cloudera Manager. If a page contains a password field, the browser aggressively applies auto-complete form data to the first text field and first password form fields. These changes are applied without user input or explicit notification (fields are highlighted).

Cloudera Bug: OPSAPS-46118

Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.

Cloudera Bug: OPSAPS-46103

In Cloudera Manager, host installation and upgrade does not work when using key-based host authentication with SSH where the private key is protected by a passphrase.

Cloudera Bug: OPSAPS-45571

Fixed an issue where Cloudera Manager agent installation or upgrade failed due to misconfigured or problematic third-party repositories that were interfering with the process.

Cloudera Bug: OPSAPS-45576

Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.

Cloudera Bug: OPSAPS-45440

The Enable Trial workflow previously finished on the upgrade page, now it goes back to the Home page upon completion.

Cloudera Bug: OPSAPS-45444

Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.

Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.

Cloudera Bug: OPSAPS-45669

The new Cloudera Manager Upgrade page doesn't load in IE9, 10 or 11 due to using a feature that is not supported in IE. This is now fixed in 5.15.1.

Cloudera Bug: OPSAPS-45779

Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.

Cloudera Bug: OPSAPS-45781

The Instances page and the All Hosts page now do not reload when a command finishes.

Cloudera Bug: OPSAPS-45761

Fixed an issue where Cloudera Manager did not install Kudu packages when CDH was installed using packages instead of parcels.

Cloudera Bug: OPSAPS-45692

When the Reports Manager is not installed, Cloudera Manager Admin Console pages now display correctly and irrelevant links have been removed.

Cloudera Bug: OPSAPS-44873

When enabling kerberos for a cluster running TLS, the system cannot use the privileged ports ( < 1024). Instead, the wizard will prompt user to use the appropriate port values.

Cloudera Bug: OPSAPS-33345

Kafka broker and MirrorMaker processes now listen on only the loopback interface for JMX connections. This caused Cloudera Manager to report that Kafka had stale configurations.

Cloudera Bug: OPSAPS-47365

Hive tables created by Kudu are now excluded from Backup and Disaster Recovery replication.

Cloudera Bug: OPSAPS-46549

Fixed an issue where some roles that required restarts were not correctly identified after starting a role marked as Started with Outdated Configuration.

Cloudera Bug: OPSAPS-45237

The new Host Inspector will now warn if user doesn't belong to its own group

Cloudera Bug: OPSAPS-46592

Fixed a NPE on the new Cloudera Manager Upgrade page. This only happens when the agent could not retrieve the host status.

Cloudera Bug: OPSAPS-46616

Cloudera Bug: OPSAPS-47620

Fixed an issue where some roles that required restarts were not correctly identified after starting a role marked as "Started with Outdated Configuration".

Cloudera Bug: OPSAPS-47775, OPSAPS-47493

Releases affected: 5.13, 5.14, 5.15

Cloudera Bug: OPSAPS-47620

Kafka broker and MirrorMaker processes now listen on only the loopback interface for JMX connections. This caused Cloudera Manager to report that Kafka had stale configurations.

Cloudera Bug: OPSAPS-47365

Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.

Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.

Cloudera Bug: OPSAPS-45669

Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.

For the latest update on this issue, see the corresponding Knowledge article:

TSB 2018-306: Cloudera Manager Information Disclosure

Cloudera Bug: OPSAPS-45688

Technical Service Bulletin 2018-321 (TSB)

One type of page in Cloudera Manager uses a returnUrl parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker’s external site or perform a malicious JavaScript function that results in cross-site scripting (XSS).

With this fix, Cloudera Manager no longer allows any value in the returnUrl parameter with patterns such as http://, https://, //, or javascript. The only exceptions to this rule are the SAML login/logout URLs, since they are explicitly configured and are not passed via the returnUrl parameter.

Products affected: Cloudera Manager

Releases affected:

• 5.15.0 and all earlier releases

Users affected: The following Cloudera Manager roles: “cluster administrator”, “full administrators”, and “configurators”.

Date/time of detection: June 20, 2018

Detected by: Mohit Rawat & Ekta Mittal

Severity (Low/Medium/High): 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Impact: Open redirects can silently redirect a victim to an attacker’s site. XSS vulnerabilities can be used to steal credentials or to perform arbitrary actions as the targeted user.

CVE: CVE-2018-15913

Immediate action required: Upgrade to Cloudera Manager 5.15.1 or higher

Addressed in release/refresh/patch:

• Cloudera Manager 5.15.1 and higher
• Cloudera Manager 6.0.0

Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.

Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.

Cloudera Bug: OPSAPS-45669

Abort Installation button causes errors When installing or upgrading hosts using the Upgrade or Installation wizards, when the ""abort"" link is clicked an error message is displayed. (waiting for answer in comments)

Cloudera Bug: OPSAPS-45655

The Host Inspector was reporting JDKs installed with a different installation path as different JDK versions.

Cloudera Bug: OPSAPS-44931

The Enable Trial workflow previously finished on the upgrade page, now it goes back to the Home page upon completion.

Cloudera Bug: OPSAPS-45444

Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.

Cloudera Bug: OPSAPS-45440

Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.

Cloudera Bug: OPSAPS-45781

The new Cloudera Manager Upgrade page doesn't load in IE9, 10 or 11 due to using a feature that is not supported in IE. This is now fixed in 5.15.1.

Cloudera Bug: OPSAPS-45779

Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replications jobs from running.

Cloudera Bug: OPSAPS-46154

Fixed a bug where Cloudera Backup and Disaster Recovery could not import Hive metadata that included a Partitioned View with a null StorageDescriptor.

Cloudera Bug: OPSAPS-45900

When Threshold settings are saved with values such as Any or Never, a bug in the validation code prevented the user from saving the threshold to a specific value. This is now fixed.

Cloudera Bug: OPSAPS-46657

The Instances page and the All Hosts page now do not reload when a command finishes.

Cloudera Bug: OPSAPS-45761

Fixed a NPE on the new Cloudera Manager Upgrade page. This only happens when the agent could not retrieve the host status.

Cloudera Bug: OPSAPS-46616

Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.

Cloudera Bug: OPSAPS-46103

Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.

Cloudera Bug: OPSAPS-24398

When doing a package installation or upgrade of CDH, no versions of CDH5 are shown in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-45732

Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.

For the latest update on this issue, see the corresponding Knowledge article:

TSB 2018-306: Cloudera Manager Information Disclosure

Cloudera Bug: OPSAPS-45688

Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description

Cloudera Bug: DOCS-3186

Fixed an issue where Path A (non-production) installations of Cloudera Manager do not work on SLES version 12.

See TSB-279 for more information.

Cloudera Bug: OPSAPS-44284

Fixed an issue where duplicate hostnames appeared when editing configuration overrides for Host level configurations.

Cloudera Bug: OPSAPS-44814

Fixed an issue where the Cloudera Manager logo might not get refreshed in the browser automatically when upgrading from Cloudera Manager 5.10 to 5.11 or higher. This issue caused the logo to disappear.

Cloudera Bug: OPSAPS-44676

Fixed an issue where an exception is thrown when collecting replication diagnostics for a Hive replication schedule between two clusters managed by a single Cloudera Manager.

Cloudera Bug: OPSAPS-45197

Fixed an issue where the YARN NodeManager may show as being stale due to System Resources even when it is not. The named-cpu value may show as changed even though it was not modified.

Cloudera Bug: OPSAPS-43973

Fixed multiple false warning log message issue during HDFS-S3 restore operation.

Cloudera Bug: OPSAPS-43681

Fixed an issue that caused Hive replications to fail due to conflicting Hive replication schedules when there are two clusters managed by the same Cloudera Manager.

Cloudera Bug: OPSAPS-43652

Fixed an issue where Cloudera Manager did not generate the aclSubmitApps element in the fair-scheduler.xml file when a user did not specify any user or groups for the root pool. Cloudera Manager now automatically generates aclSubmitAppswith a space character. This change means the default is no access for all users.

Cloudera Bug: OPSAPS-45046

This fix upgrades the PostgreSQL JDBC driver. The new JDBC driver only supports PostgreSQL versions 8.2 and higher. RHEL5 defaults to PostgreSQL 8.1.

Cloudera Bug: OPSAPS-43624

Fixed an issue where an agent heartbeat fails and leads to the agent not connecting to the Cloudera Manager Server.

Cloudera Bug: OPSAPS-44971

Fixed an issue where the Apply Host Template feature in the Add Host wizard was broken.

Cloudera Bug: OPSAPS-45334

Fixed an issue where, under certain conditions, the Cloudera Manager Agent stops heart beating with the Cloudera Manager Server due to Avro RPC parsing errors.

Cloudera Bug: OPSAPS-45282

Fixed an issue where a user sees an error message about Mismatched input PATTERN.

Cloudera Bug: OPSAPS-42437

Fixes an issue in Cloudera Manager agent where cgroup soft and hard memory limits were not applied on the host.

Cloudera Bug: OPSAPS-45229

In Cloudera Manager, host installation and upgrade does not work when using key-based host authentication with SSH where the private key is protected by a passphrase.

Cloudera Bug: OPSAPS-45571

Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.

Both the source and destination clusters must upgrade to a release that contains the fix.

Cloudera Bug: OPSAPS-43556

Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3

Fixed an issue that occurred when using Cloudera Manager for cross-cluster replication of HDFS and Hive. Unnecessary warning logs are printed during the initial phase of replication (‘copy listing’). These logs were printed for each and every file that Cloudera Backup and Disaster Recovery (BDR) copies. This causes very verbose log output which slows down this phase of the replication job and can affect overall replication times considerably. This happens only when both source and target clusters are running Cloudera Manager 5.14.0.

See TSB-290 for more information.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.1

Cloudera Bug: OPSAPS-44160

Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44153

Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44070

Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.

Fixed in: Cloudera Manager 5.15.0, 5.14.2, 513.2

Cloudera Bug: OPSAPS-43997

Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.

Cloudera Bug: OPSAPS-44008

Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.

Cloudera Bug: OPSAPS-43985

Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.

Cloudera Bug: OPSAPS-43964

For CDH5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') for the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.

Cloudera Bug: OPSAPS-43809

Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.

Cloudera Bug: OPSAPS-44922

Fixed a bug in the host installation/upgrade wizard that occurred when retrying individual hosts. The error message "Configurator not found" might appear and prevent installation or upgrade of all hosts.

Cloudera Bug: OPSAPS-44694

Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.

For the latest update on this issue, see the corresponding Knowledge article:

TSB 2018-306: Cloudera Manager Information Disclosure

Cloudera Bug: OPSAPS-45688

Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replications jobs from running.

Cloudera Bug: OPSAPS-46154

Google Chrome version 66, released on 28 April 2018, introduced behavior changes which can trigger unintended modification of existing configuration values in Cloudera Manager. If a page contains a password field, the browser aggressively applies auto-complete form data to the first text field and first password form fields. These changes are applied without user input or explicit notification (fields are highlighted).

Cloudera Bug: OPSAPS-46118

Fixed a bug where Cloudera Backup and Disaster Recovery could not import Hive metadata that included a Partitioned View with a null StorageDescriptor.

Cloudera Bug: OPSAPS-45900

Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.

Cloudera Bug: OPSAPS-45781

Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.

Cloudera Bug: OPSAPS-45440

Fixed an issue where an exception is thrown when collecting replication diagnostics for a Hive replication schedule between two clusters managed by a single Cloudera Manager.

Cloudera Bug: OPSAPS-45197

Fixes an issue in Cloudera Manager agent where cgroup soft and hard memory limits were not applied on the host.

Cloudera Bug: OPSAPS-45229

Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.

Cloudera Bug: OPSAPS-24398

In Cloudera Manager, host installation and upgrade does not work when using key-based host authentication with SSH where the private key is protected by a passphrase.

Cloudera Bug: OPSAPS-45571

When doing a package installation or upgrade of CDH, no versions of CDH5 are shown in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-45732

Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description

Cloudera Bug: DOCS-3186

Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.

Both the source and destination clusters must upgrade to a release that contains the fix.

Cloudera Bug: OPSAPS-43556

Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3

Fixed an issue that caused HDFS and Hive replications to fail if the destination cluster is managed by Cloudera Manager 5.14.2.

For more information, see TSB-305.

Cloudera Bug: OPSAPS-45600

Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description

Cloudera Bug: DOCS-3186

The Host > Resources page now reports the correct units for the CGroup Hard Memory resource.

Cloudera Bug: OPSAPS-41473

Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44153

Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.

Fixed in: Cloudera Manager 5.15.0, 5.14.2, 513.2

Cloudera Bug: OPSAPS-43997

Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.

Cloudera Bug: OPSAPS-44008

Fixed a bug in the host installation/upgrade wizard that occurred when retrying individual hosts. The error message "Configurator not found" might appear and prevent installation or upgrade of all hosts.

Cloudera Bug: OPSAPS-44694

Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.

Cloudera Bug: OPSAPS-43964

For CDH5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') for the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.

Cloudera Bug: OPSAPS-43809

Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.

Cloudera Bug: OPSAPS-43985

Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.

Cloudera Bug: OPSAPS-44922

Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44070

This issue, which was also reported in TSB-2018-276, is fixed in CDH 5.13.2. For further details, see the original Known Issue.

Fixed an issue that occurred when a user upgrades to Cloudera Manager 5.14.0, and after all the agents have been updated to 5.14.0. The user sees an Upgrade Wizard, and is asked to select where to place the Navigator Metadata Server, Navigator Audit Server, and the Reports Manager roles. The Continue button is disabled until user adds one of these roles.

See TSB-289.

Cloudera Bug: OPSAPS-44629

Cloudera Bug: OPSAPS-44629

Fixed an issue that occurred when using Cloudera Manager for cross-cluster replication of HDFS and Hive. Unnecessary warning logs are printed during the initial phase of replication (‘copy listing’). These logs were printed for each and every file that Cloudera Backup and Disaster Recovery (BDR) copies. This causes very verbose log output which slows down this phase of the replication job and can affect overall replication times considerably. This happens only when both source and target clusters are running Cloudera Manager 5.14.0.

See TSB-290 for more information.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.1

Cloudera Bug: OPSAPS-44160

As of CDH 5.12 and later, the Hue Load balancer started throwing transient 502 proxy error that appear as a red popup on Hue web pages. This happens frequently on a secure cluster. The Hue server's runcpserver.log file does not log these 502 errors. The error is logged in /var/log/hue-httpd/error_log. Cloudera Manager now properly configures the Hue load balancer to avoid these issues.

Cloudera Bug: OPSAPS-43317

Fixed a bug that occurred when a Cloudera Manager user with the User Administrator goes to the Settings page. The Redaction Parameters for Diagnostic Bundles parameter displays the following error message:

Invalid JSON configuration: SyntaxError: Unexpected token * in JSON at position 0.

Cloudera Bug: OPSAPS-41286

Previously, if the customer selects the Skip Host Inspector option, the wizard proceeds to the next page but the command still runs in the background and the user sees the message "There is already a pending command on this entity." Cloudera Manager now ensures that the Host Inspector command is aborted when user selects Skip Host Inspector. It is still possible that other commands (scheduled or not) will run at the same time as the upgrade command. In this case, user will still see the same error message.

Cloudera Bug: OPSAPS-43740

The feature that compares the configuration between multiple services or multiple clusters on the configuration page threw an error in Cloudera Manager 5.13. This is now fixed.

Cloudera Bug: OPSAPS-43130

Since Cloudera Manager 5.12, the ability to send a Test Alert has been broken. This is now fixed.

Cloudera Bug: OPSAPS-42826

Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.

Cloudera Bug: OPSAPS-41441

When creating the "Historical Disk Usage By User" report from the Cluster > Cluster_name > Reports page, the download button did not honor the chosen metric. This is now fixed.

Cloudera Bug: OPSAPS-43474

Fixed a bug causing broken Impala monitoring functionality when password authentication is enabled for the Impala Daemon Web server.

Cloudera Bug: OPSAPS-43216

When the External Authentication type is set to LDAP, and the LDAP server is Active Directory, and the LDAP Group Search Base field is configured to be the root of the directory tree, authentication may fail with a PartialResultException message in the logs. This exception is now handled so that authentication succeeds.

Cloudera Bug: OPSAPS-43262

Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.

Cloudera Bug: OPSAPS-42870

Fixed a bug where Hive Replications can fail intermittently on the first step. The failure message says: "The remote command failed with error message: Hive Replication Export Step failed".

See TSB-276.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-43676

The Hive Replication Diagnostic bundle now collects the HDFS Replication step's process log files.

Cloudera Bug: OPSAPS-43583

Fixed a bug that caused Hive Replication jobs to fail in unsecured clusters during the transfer step if the proxy user is not a superuser on the replication source.

Cloudera Bug: OPSAPS-43505

Fixed an issue where the output of the lsof command that is captured in support bundles showed open files per-thread as well as per-process. This could cause the size of the support bundle to increase significantly, and in some cases could cause the host statistics collection phase of support bundle collection to fail. Because the per-thread information is generally redundant, it has been removed from the lsof output.

Cloudera Bug: OPSAPS-42646

Fixes an issue with refreshing parcels. Information about all available parcels was failing to refresh if one of the repositories contained an invalid manifest file.

Cloudera Bug: OPSAPS-43614

Fixed an issue of missing Impala and Kudu role logs in the diagnostic bundle when their log directories have broken symlinks.

Cloudera Bug: OPSAPS-41194

This fixes a known issue with Hive and HDFS replication where those replications fail if the /user/$proxyuser or /user/hdfs directories are encrypted. The bug was introduced in Cloudera Manager 5.12 for Hive Replication and in Cloudera Manager 5.13 for HDFS Replication.

Cloudera Bug: OPSAPS-42439

This fixes a known issue where a restart of Cloudera Manager that occurs while HDFS or Hive replication jobs are running can cause a duplicate replication job to be started.

Cloudera Bug: OPSAPS-42557

Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.

Cloudera Bug: OPSAPS-42818

This fixes an issue in Cloudera Manager in which progress markers for HDFS Replication were not visible in the Admin Console.

Cloudera Bug: OPSAPS-42805

Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.

Cloudera Bug: OPSAPS-42818

Fixes an issue where descriptor generation fails and the Cloudera Management Service fails to start if any Gateway roles have a configuration override.

Cloudera Bug: OPSAPS-43517

Fixes a bug introduced in Cloudera Manager 5.13 where a replication command is aborted, the next run of the command fails with the following error message: "Another HDFS replication command .... is in progress".

Cloudera Bug: OPSAPS-42808

Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.

Cloudera Bug: OPSAPS-42720

Fixes a bug where some Hive logs would be duplicated in diagnostic bundles.

Cloudera Bug: OPSAPS-41611

Cloudera Manager now validates that custom services (CSDs) cannot define an invalid threshold for the role health of a service that affects overall service health. Now the thresholds for these health warnings ("percentGreenForGreen" and "percentYellowGreenForYellow ") must be less than 100%.

Cloudera Bug: OPSAPS-42853

Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.

Cloudera Bug: OPSAPS-43320

This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.

Cloudera Bug: OPSAPS-43050

The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.

Cloudera Bug: OPSAPS-42577

The Impala queries page now shows the state of running queries correctly instead of calling them Finished.

Cloudera Bug: OPSAPS-43410

Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.

Cloudera Bug: OPSAPS-42515

Fixed a bug with the pagination on the All Recent Commands page in which commands were not always listed consistently.

Cloudera Bug: OPSAPS-43052

Before Cloudera Manager 5.14, the getAllSchedules API returned a list of failed files for all runs of a schedule. This operation slows down execution of the API and has been changed so that a list of failed files is returned only when the view is specified as full.

Cloudera Bug: OPSAPS-42587

Live monitoring of throughput and estimated completion time for HDFS and Hive Replications running using Cloudera Manager Backup and Disaster Recovery (BDR) are now available in log files.

Cloudera Bug: OPSAPS-42756

Changing the list of trusted Kerberos realms no longer requires a restart of Cloudera Manager.

Cloudera Bug: OPSAPS-43237

Fixed an inefficiency in staleness checking and checking host status that caused slowness in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-42698

Fixes an issue during HDFS NameNode migration between hosts, where the "Saving Namespace" step may timeout if the fsimage size is large.

Cloudera Bug: OPSAPS-38236

Added installation and upgrade events for the Cloudera Manager agent software running on a cluster host to the diagnostic bundle.

Cloudera Bug: OPSAPS-42468

Hive-related log files included in diagnostic bundle are now be limited to 100MB (before compression).

Cloudera Bug: OPSAPS-41610

When partitions are deleted from a Hive table on the source cluster, Cloudera Backup and Disaster Recovery now correctly deletes the same partitions on Hive replication target. This fixes the bug introduced in Cloudera Manager 5.8.

Cloudera Bug: OPSAPS-42613

Fixes a bug that caused a possible leak of sensitive cloud account information because redaction of these job configuration properties was not enabled by default for MapReduce jobs.

Cloudera Bug: OPSAPS-43753

A number of cross-site scripting issues have been identified through internal auditing and have all been fixed.

Cloudera Bug: OPSAPS-42828

Fixed an issue where the cluster utilization report APIs did not work if the end time of the report was not specified with the to parameter. End time is meant to be an optional parameter, and now such API calls work without the to parameter.

Cloudera Bug: OPSAPS-42820

Fixed an issue where BDR replication fails if the user directory of the user specified in the Run as Peer User or Run as username field in the replication schedule is encrypted.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-42445

Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description

Cloudera Bug: DOCS-3186

Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.

Cloudera Bug: OPSAPS-44922

Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.

Both the source and destination clusters must upgrade to a release that contains the fix.

Cloudera Bug: OPSAPS-43556

Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3

Fixed the cross-site vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description

Cloudera Bug: DOCS-3186

This issue, which was also reported in TSB-2018-276, is fixed in CDH 5.13.2. For further details, see the original Known Issue.

For CDH5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') for the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.

Cloudera Bug: OPSAPS-43809

Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.

Cloudera Bug: OPSAPS-44008

Fixed a bug that occurred when a Cloudera Manager user with the User Administrator goes to the Settings page. The Redaction Parameters for Diagnostic Bundles parameter displays the following error message:

Invalid JSON configuration: SyntaxError: Unexpected token * in JSON at position 0.

Cloudera Bug: OPSAPS-41286

Previously, if the customer selects the Skip Host Inspector option, the wizard proceeds to the next page but the command still runs in the background and the user sees the message "There is already a pending command on this entity." Cloudera Manager now ensures that the Host Inspector command is aborted when user selects Skip Host Inspector. It is still possible that other commands (scheduled or not) will run at the same time as the upgrade command. In this case, user will still see the same error message.

Cloudera Bug: OPSAPS-43740

The Hive Replication Diagnostic bundle now collects the HDFS Replication step's process log files.

Cloudera Bug: OPSAPS-43583

The feature that compares the configuration between multiple services or multiple clusters on the configuration page threw an error in Cloudera Manager 5.13. This is now fixed.

Cloudera Bug: OPSAPS-43130

When creating the "Historical Disk Usage By User" report from the Cluster > Cluster_name > Reports page, the download button did not honor the chosen metric. This is now fixed.

Cloudera Bug: OPSAPS-43474

Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.

Cloudera Bug: OPSAPS-43964

Fixed a bug that caused Hive Replication jobs to fail in unsecured clusters during the transfer step if the proxy user is not a superuser on the replication source.

Cloudera Bug: OPSAPS-43505

Fixed a bug where Hive Replications can fail intermittently on the first step. The failure message says: "The remote command failed with error message: Hive Replication Export Step failed".

See TSB-276.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-43676

Fixed an issue of missing Impala and Kudu role logs in the diagnostic bundle when their log directories have broken symlinks.

Cloudera Bug: OPSAPS-41194

Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44153

Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44070

Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.

Fixed in: Cloudera Manager 5.15.0, 5.14.2, 513.2

Cloudera Bug: OPSAPS-43997

Fixed a bug causing broken Impala monitoring functionality when password authentication is enabled for the Impala Daemon Web server.

Cloudera Bug: OPSAPS-43216

Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.

Cloudera Bug: OPSAPS-43985

Fixed an issue where the output of the lsof command that is captured in support bundles showed open files per-thread as well as per-process. This could cause the size of the support bundle to increase significantly, and in some cases could cause the host statistics collection phase of support bundle collection to fail. Because the per-thread information is generally redundant, it has been removed from the lsof output.

Cloudera Bug: OPSAPS-42646

Fixed an issue where BDR replication fails if the user directory of the user specified in the Run as Peer User or Run as username field in the replication schedule is encrypted.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-42445

Added installation and upgrade events for the Cloudera Manager agent software running on a cluster host to the diagnostic bundle.

Cloudera Bug: OPSAPS-42468

A number of cross-site scripting issues have been identified through internal auditing and have all been fixed.

Cloudera Bug: OPSAPS-42828

Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.

Cloudera Bug: OPSAPS-42870

Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.

Cloudera Bug: OPSAPS-42818

This fixes a known issue with Hive and HDFS replication where those replications fail if the /user/$proxyuser or /user/hdfs directories are encrypted. The bug was introduced in Cloudera Manager 5.12 for Hive Replication and in Cloudera Manager 5.13 for HDFS Replication.

Cloudera Bug: OPSAPS-42439

Fixes a bug introduced in Cloudera Manager 5.13 where a replication command is aborted, the next run of the command fails with the following error message: "Another HDFS replication command .... is in progress".

Cloudera Bug: OPSAPS-42808

Cloudera Bug: OPSAPS-9586

Live monitoring of throughput and estimated completion time for HDFS and Hive Replications running using Cloudera Manager Backup and Disaster Recovery (BDR) are now available in log files.

Cloudera Bug: OPSAPS-42756

Fixes an issue where descriptor generation fails and the Cloudera Management Service fails to start if any Gateway roles have a configuration override.

Cloudera Bug: OPSAPS-43517

Hive-related log files included in diagnostic bundle are now be limited to 100MB (before compression).

Cloudera Bug: OPSAPS-41610

Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.

Cloudera Bug: OPSAPS-42720

Fixes a bug where some Hive logs would be duplicated in diagnostic bundles.

Cloudera Bug: OPSAPS-41611

Fixes a bug introduced in Backup and Disaster Recovery for Cloudera Manager 5.8 where HDFS and Hive replication were not dropping partitions on the target cluster that had been dropped on the source cluster.

Cloudera Bug: OPSAPS-43282

Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.

Cloudera Bug: OPSAPS-41441

Cloudera Manager now validates that custom services (CSDs) cannot define an invalid threshold for the role health of a service that affects overall service health. Now the thresholds for these health warnings ("percentGreenForGreen" and "percentYellowGreenForYellow ") must be less than 100%.

Cloudera Bug: OPSAPS-42853

This fixes a known issue where a restart of Cloudera Manager that occurs while HDFS or Hive replication jobs are running can cause a duplicate replication job to be started.

Cloudera Bug: OPSAPS-42557

Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.

Cloudera Bug: OPSAPS-43320

This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.

Cloudera Bug: OPSAPS-43050

This fixes an issue in Cloudera Manager in which progress markers for HDFS Replication were not visible in the Admin Console.

Cloudera Bug: OPSAPS-42805

This fixes a bug in which, under certain conditions after a YARN or cluster restart, Cloudera Manager would delete the local directory used by the YARN NodeManager for creation of YARN container cgroups. On systems configured to use cgroups for YARN CPU isolation, this would prevent new YARN workloads from running on specific hosts until the directory was recreated manually.

Cloudera Bug: OPSAPS-40755

Fixed an inefficiency in staleness checking and checking host status that caused slowness in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-42698

For HDFS and Hive replication, copying data in chunks sized by bytes, not a fixed number of files is now the default behavior.

Cloudera Bug: OPSAPS-42682

Changing the list of trusted Kerberos realms no longer requires a restart of Cloudera Manager.

Cloudera Bug: OPSAPS-43237

This fix delivers a big performance boost by parallelizing the process of checking for changes in file permissions, ACLs, and external attributes. Directory permissions are now preserved in the CopyMapper phase instead of theCopyCommitter phase.

Cloudera Bug: OPSAPS-42834

The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.

Cloudera Bug: OPSAPS-42577

Fixes an issue during HDFS NameNode migration between hosts, where the "Saving Namespace" step may timeout if the fsimage size is large.

Cloudera Bug: OPSAPS-38236

The Spark service health now reflects the health of its configured roles.

Cloudera Bug: OPSAPS-34698

The communications timeout between two peer Cloudera Manager servers for communication during BDR replication has been increased to 10 seconds.

Cloudera Bug: OPSAPS-39225

The new metrics are for JVM Heap usage of the Catalog Server and Hedged reads.

Cloudera Bug: OPSAPS-39831, OPSAPS-40212, OPSAPS-40771

Fixed a bug that caused a ClassCastException during upgrade of clusters with custom (CSD) services that explicitly define rolling restart steps for master roles.

Cloudera Bug: OPSAPS-40182

Fixes an issue with staleness detection logic. The new staleness detection logic, introduced in 5.11.0, caused a regression where it does not mark all the services stale. This affects rolling restart of the services.

Cloudera Bug: OPSAPS-40332

Fixed an issue where YARN applications may not exit gracefully or clean-up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.

Cloudera Bug: OPSAPS-40731

Fixed an issue where all health events are ignored and no alerts get sent when the Health Event Startup Policy is set to none.

Cloudera Bug: OPSAPS-40851

Fixed an issue where log files did not get collected correctly as part of diagnostic bundles because they contained non-ASCII characters.

Cloudera Bug: OPSAPS-40949

Fixed an issue where an exception might be thrown when searching a log when the log file size is larger than 2 GB.

Cloudera Bug: OPSAPS-41710

Fixed an issue where an NullPointerException occurred when accessing the service status page in the Cloudera Manager Admin Console while stopping a role.

Cloudera Bug: OPSAPS-41222

The default upper limit for the Reports Manager's Maximum Document Buffer Size configuration parameter has been increased to 2047 MB.

Cloudera Bug: OPSAPS-41358

Fixed an issue where the Memory Spilled metric for each Impala query was not correctly populated. This prevented various features that depend on this metric from functioning correctly. For example, the Spilled Memory tab of the Cluster Utilization Report was not populated with data.

Cloudera Bug: OPSAPS-41447

In previous releases, when using the Cloudera Navigator HSM KMS (for use with a Thales or Luna Hardware Security Module), the KMS's trust store password was displayed in some process logs on the KMS hosts. While the trust store password is not considered sensitive, some customers set their trust store password to the same value as their key store password, which is sensitive. In this release, the HMS KMS's trust store password is no longer displayed.

Cloudera Bug: OPSAPS-41626

Fixed an issue where using Apache httpd 2.4 as the Hue load balancer caused Hue logins to fail when TLS is enabled for Hue. This change requires Cloudera Manager to set the use_x_forwarded_host parameter in the hue.ini file to "true". After upgrading Cloudera Manager, Cloudera Manager will report that the Hue Server and Load Balancer role configurations are stale. If your cluster is affected by this bug, you must restart the Hue service.

Cloudera Bug: OPSAPS-41850

While upgrading to Cloudera Manager 5.12 and CDH 5.12, Cloudera Manager added a new Hive Metastore validation step that is executed as a part of the CDH upgrade command to detect any corruption in the Hive Metastore. In 5.12, when corruption is detected and validation fails, the upgrade command fails and leaves the cluster in an intermediate state, meaning that some services may be started while others are stopped, which is not desirable.

This issue has been fixed In Cloudera Manager 5.12.1. Because it is possible for Hive to tolerate some forms of minor schema corruption, and because it is impossible to run the schema validation tool prior to CDH 5.12, the Hive Metastore validation is now executed as the last step of the upgrade command, which occurs after all the services in the cluster have fully been upgraded and restarted. Although this step still appears to be part of upgrade step, your upgrade is actually complete and you can deal with schema integrity issues following the upgrade. If you see this step failing, exit the upgrade wizard and contact Cloudera Support for assistance repairing any schema corruption. You may then re-run the validation tool manually from the Hive service actions menu after repair is complete to verify a successful repair.

Cloudera Bug: OPSAPS-41936

In some previous versions of Cloudera Manager, the default value of yarn.scheduler.fair.assignmultiple was incorrect and can cause problems in CDH 5.5 and 5.6. This has been fixed. Note: if you use CDH versions 5.5.x or 5.6.x and upgrade to CM 5.13, you may see a staleness indicator for the YARN service. The staleness shows yarn.scheduler.fair.max.assign as being added. This is expected, and you should restart the YARN service to avoid a serious bug in the Resource Manager (YARN-4477).

Cloudera Bug: OPSAPS-42118

Fixed an issue where the Apply Host Template feature in the Add Hosts Wizard did not apply the host template.

Cloudera Bug: OPSAPS-42134

Fixed an issue where Advanced Configuration Snippets for the Hue Load Balancer were not able to override the settings SSLProtocol and SSLCipherSuite.

Cloudera Bug: OPSAPS-42187

Fixed an issue where Cloudera Manager did not track the Active Controller in Kafka correctly if there were multiple Kafka services running under the same Cloudera Manager instance.

Cloudera Bug: OPSAPS-42216

This change sets the JVM property ReservedCodeCacheSize to 256MB in the default JVM startup options for HBase roles. This change attempts to prevent performance issues seen when HBase uses Java 7. The value set is the same as the default when using Java 8.

Cloudera Bug: OPSAPS-42259

Fixed a NullPointerException on the Command Details page that caused the Deploy Client Configuration status to not display.

Cloudera Bug: OPSAPS-42390

Fixed an issue where a replication schedule copying the /user/, /user/hdfs or /user/$bdr_user directory with the Delete Policy set to delete missing files can cause other replication jobs that run simultaneously to fail.

Cloudera Bug: OPSAPS-42492

Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.

Cloudera Bug: OPSAPS-42515

Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.

Cloudera Bug: OPSAPS-42720

Fixed an issue where a replication schedule copying the /user/, /user/hdfs or /user/$bdr_user directory with the Delete Policy set to delete missing files can cause other replication jobs that run simultaneously to fail.

Cloudera Bug: OPSAPS-42492

Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.

Cloudera Bug: OPSAPS-42515

The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.

Cloudera Bug: OPSAPS-42577

In some previous versions of Cloudera Manager, the default value of yarn.scheduler.fair.assignmultiple was incorrect and can cause problems in CDH 5.5 and 5.6. This has been fixed. Note: if you use CDH versions 5.5.x or 5.6.x and upgrade to CM 5.13, you may see a staleness indicator for the YARN service. The staleness shows yarn.scheduler.fair.max.assign as being added. This is expected, and you should restart the YARN service to avoid a serious bug in the Resource Manager (YARN-4477).

Cloudera Bug: OPSAPS-42118

Fixed an issue where the Apply Host Template feature in the Add Hosts Wizard did not apply the host template.

Cloudera Bug: OPSAPS-42134

Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.

Cloudera Bug: OPSAPS-41441

Fixed an issue in the Install Details dialog that scrolling position was not respected and always moves to the very top. Now it stays in the location that user has scrolled to.

Cloudera Bug: OPSAPS-40836

This fixes a bug in which, under certain conditions after a YARN or cluster restart, Cloudera Manager would delete the local directory used by the YARN NodeManager for creation of YARN container cgroups. On systems configured to use cgroups for YARN CPU isolation, this would prevent new YARN workloads from running on specific hosts until the directory was recreated manually.

Cloudera Bug: OPSAPS-40755

Cloudera Bug: OPSAPS-9586

Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.

Cloudera Bug: OPSAPS-43320

This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.

Cloudera Bug: OPSAPS-43050

New Behavior: CM will show a suppressible warning when Sentry Policy files are used when the service can be configured to work with the Sentry Service in that CDH version. Note: HBase Solr Indexer does not currently support the Sentry Service in any CDH version and only supports policy files. Therefore, this validation warning will not be available for HBase Solr Indexer.

Cloudera Bug: OPSAPS-42865

Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.

Cloudera Bug: OPSAPS-42870

This fix delivers a big performance boost by parallelizing the process of checking for changes in file permissions, ACLs, and external attributes. Directory permissions are now preserved in the CopyMapper phase instead of theCopyCommitter phase.

Cloudera Bug: OPSAPS-42834

Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.

Cloudera Bug: OPSAPS-42818

Fixed a NullPointerException on the Command Details page that caused the Deploy Client Configuration status to not display.

Cloudera Bug: OPSAPS-42390

Fixed an issue where using Apache httpd 2.4 as the Hue load balancer caused Hue logins to fail when TLS is enabled for Hue. This change requires Cloudera Manager to set the use_x_forwarded_host parameter in the hue.ini file to "true". After upgrading Cloudera Manager, Cloudera Manager will report that the Hue Server and Load Balancer role configurations are stale. If your cluster is affected by this bug, you must restart the Hue service.

Cloudera Bug: OPSAPS-41850

In previous releases, when using the Cloudera Navigator HSM KMS (for use with a Thales or Luna Hardware Security Module), the KMS's trust store password was displayed in some process logs on the KMS hosts. While the trust store password is not considered sensitive, some customers set their trust store password to the same value as their key store password, which is sensitive. In this release, the HMS KMS's trust store password is no longer displayed.

Cloudera Bug: OPSAPS-41626

Cloudera Bug: OPSAPS-41020

While upgrading to Cloudera Manager 5.12 and CDH 5.12, Cloudera Manager added a new Hive Metastore validation step that is executed as a part of the CDH upgrade command to detect any corruption in the Hive Metastore. In 5.12, when corruption is detected and validation fails, the upgrade command fails and leaves the cluster in an intermediate state, meaning that some services may be started while others are stopped, which is not desirable.

This issue has been fixed In Cloudera Manager 5.12.1. Because it is possible for Hive to tolerate some forms of minor schema corruption, and because it is impossible to run the schema validation tool prior to CDH 5.12, the Hive Metastore validation is now executed as the last step of the upgrade command, which occurs after all the services in the cluster have fully been upgraded and restarted. Although this step still appears to be part of upgrade step, your upgrade is actually complete and you can deal with schema integrity issues following the upgrade. If you see this step failing, exit the upgrade wizard and contact Cloudera Support for assistance repairing any schema corruption. You may then re-run the validation tool manually from the Hive service actions menu after repair is complete to verify a successful repair.

Cloudera Bug: OPSAPS-41936

Fixed an issue where the Memory Spilled metric for each Impala query was not correctly populated. This prevented various features that depend on this metric from functioning correctly. For example, the Spilled Memory tab of the Cluster Utilization Report was not populated with data.

Cloudera Bug: OPSAPS-41447

The default upper limit for the Reports Manager's Maximum Document Buffer Size configuration parameter has been increased to 2047 MB.

Cloudera Bug: OPSAPS-41358

Fixed an issue where an exception might be thrown when searching a log when the log file size is larger than 2 GB.

Cloudera Bug: OPSAPS-41710

Fixed an issue where YARN applications may not exit gracefully or clean-up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.

Cloudera Bug: OPSAPS-40731

When viewing agent logs in Internet Explorer, the logs may render as HTML instead of text. This has been fixed by forcing browsers to render the log page as text.

Cloudera Bug: OPSAPS-41122

The Thread CPU Time and Total Time attributes of Impala Query Monitoring are now correctly populated.

Cloudera Bug: OPSAPS-39647

Fixed an issue where renaming an empty directory on Amazon S3 when using DynamoDB with S3Guard may fail

Cloudera bug: CDH-51869

Apache bug: HADOOP-14036

Changing permissions or removing files in the /tmp directory can cause Hue to fail because the Hue Kerberos ticket cache file, located by default in the /tmp directory, is no longer available. The default location has been changed to /var/run/hue.

You can change the location of the Hue Kerberos ticket cache by changing the Hue Kerberos Credentials Cache Directory property. In Cloudera Manager, go to the Hue service, select the Configuration tab, and search for the property. Restart the Hue service to enable the change.

After upgrading Cloudera Manager you must also restart the Hue service.

Cloudera Bug: OPSAPS-26101

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Cloudera Bug: OPSAPS-32880

Fixed an issue where an upgrade continues even if hosts have a warning. Host warnings must be resolved before an upgrade can complete.

Cloudera Bug: OPSAPS-40945

Fixed an issue where BDR replication jobs fail on a Kerberos enabled cluster if the job duration is longer than the renewal interval for the hdfs delegation token. With this fix, both the delegation token and Kerberos ticket are renewed until the max lifetime of token/ticket (default value is 7 days). This enables longer replications without needing to bring down the source cluster.

Cloudera Bug: OPSAPS-32811

IMPALA-5253 contained a security fix for clusters using Impala with TLS (SSL) security enabled. This fix was also made in several maintenance versions of CDH that require you to upgrade Cloudera Manager. If you upgrade to a CDH version with this fix without upgrading Cloudera Manager, Impala will not function when TLS is enabled for Impala. You should upgrade Cloudera Manager first if you want to move to a CDH version with the security fix.

This issue affects upgrades of Cloudera Manager and CDH to version 5.11.1.

There are two ways you can workaround this issue:

Cloudera bug: OPSAPS-41218

Fixed an issue where Hive replication fails if the same name is used for a table on the target cluster which is also used for a view on the source cluster. With this change, Hive replication properly handles all cases where a view and table on source/target clusters have the same name.

Cloudera Bug: OPSAPS-36302

Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.

Cloudera Bug: OPSAPS-40487

Cloudera Bug: OPSAPS-40040

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Fixed an issue where accessing Sqoop2 with Hue fails with the following error: Sqoop error: Could not get connectors.

CDH 5.5.0 or higher clusters running a Hue Service require a restart of Hue services because of a new configuration file. This new configuration file is required for Hue's Sqoop2 Application functions in secure settings, but it will show up whether or not Sqoop or security settings are in use.

Cloudera Bug: OPSAPS-27286

Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-39372

HDFS client data-transfer encryption cipher related properties are now published to HTTPFs. Previously they were emitted just to HDFS Gateways, which caused HTTPFs performance to suffer when Data Transfer Encryption was turned on. When upgrading to Cloudera Manager 5.12, all HTTPFs instances will be marked stale, and a restart of those roles is required for these properties to take effect.

Cloudera Bug: OPSAPS-39981

Fixed an issue where some configuration files (core-site.xml) were missing from Sentry configuration.

Cloudera Bug: OPSAPS-33710

To enhance security, when API debugging is enabled, the entire API request and response is no longer printed at the DEBUG log level. To see the request/response, set the logging level to TRACE. Note that this may expose sensitive information in the logs.

Cloudera Bug: OPSAPS-34538

Fixed an issue where the ntpdc command was used in the host Clock Offset health test even if the command is deprecated for an operating system.

Cloudera Bug: OPSAPS-38268

Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40914

Improved password handling for the Spark History Server. After upgrading to Cloudera Manager 5.12, Cloudera Manager may consider the Spark service as having a stale configuration due to this change, requiring a restart.

Cloudera Bug: OPSAPS-40298

Fixed an issue where restarting an agent on newer Linux distributions such as Ubuntu 16.04 or Red Hat 7 would result in process run directories being remounted and lost.

Cloudera Bug: OPSAPS-41259

Fixed an issue where secret data, including passwords and other data, can be exposed in the /var/run/cloudera-scm-agent/process-name/proc.json or /var/run/cloudera-scm-agent/process-name/config.zip files because these files are world readable. See TSB-235 for more information.

Fixed in: Cloudera Manager 5.12, 5.11, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40536

Certain files that may contain sensitive information can no longer be downloaded from the Processes tab in Cloudera Manager. If access to those files is required, you must log into the appropriate host.

Cloudera Bug: OPSAPS-40309

Fixed an issue where downloading the command output did not generate a unique file name.

Cloudera Bug: OPSAPS-40249

Fixed an issue where a CSD descriptor was not respecting the correct authorization for start/stop when specifying a service-level stopRunner (which enables graceful shutdown). This could cause some user roles to be able to start but not stop some services.

Cloudera Bug: OPSAPS-41030

Fixed an issue with the SSL handshake in Hue when Apache httpd 2.4 or higher is used as the load balancer. The Hue load balancer previously set the ProxyPreserveHost directive to On, when it should have been set to Off. This causes problems making SSL connections when using Apache httpd 2.4 or higher. The error caused problems when verifying the CN, which older versions of Apache httpd did not encounter because they did not properly verify the CN.

When upgrading Cloudera Manager, the Hue load balancer may be marked as having a stale configuration. If you are experiencing issues connecting to Hue with SSL, restart the Hue service to update the configuration.

Cloudera Bug: OPSAPS-40700

When an external user authenticating via LDAP or Active Directory fails to login to Cloudera Manager, the failure stack trace is now logged in the Cloudera Manager server log to help debug the failure.

Cloudera Bug: OPSAPS-40065

/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Fixed an issue with Cluster Templates where role level configuration was not getting exported. This was causing cluster to fail when trying user try to import a cluster template exported from a cluster on which HDFS HA was enabled.

Cloudera Bug: OPSAPS-31528

Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.

Cloudera Bug: OPSAPS-40522

Fixed an issue where, when using TLS, hostnames were not verified during agent to server communication. To fix this, Cloudera Manager has a new setting: Verify Agent Hostname Against Certificate. When enabled, agent hostnames must match the hostname in the agent certificate, which is validated when agents send heartbeats to the Cloudera Manager Server.

Cloudera Bug: OPSAPS-40125

Fixed an issue where the user administrator role was disallowed from managing S3 configuration.

Cloudera Bug: OPSAPS-40083

sudo service cloudera-scm-server restart

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40987

Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3

Cloudera Bug: OPSAPS-39836

Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2

Cloudera Bug: OPSAPS-39296

Fixed an issue where restarting an agent on newer Linux distributions such as Ubuntu 16.04 or Red Hat 7 would result in process run directories being remounted and lost.

Cloudera Bug: OPSAPS-41259

IMPALA-5253 contained a security fix for clusters using Impala with TLS (SSL) security enabled. This fix was also made in several maintenance versions of CDH that require you to upgrade Cloudera Manager. If you upgrade to a CDH version with this fix without upgrading Cloudera Manager, Impala will not function when TLS is enabled for Impala. You should upgrade Cloudera Manager first if you want to move to a CDH version with the security fix.

This issue affects upgrades of Cloudera Manager and CDH to version 5.11.1.

There are two ways you can workaround this issue:

Cloudera bug: OPSAPS-41218

Cloudera Bug: OPSAPS-41020

sudo service cloudera-scm-server restart

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40987

Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40914

Fixed an issue where YARN applications may not exit gracefully or clean-up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.

Cloudera Bug: OPSAPS-40731

Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3

Cloudera Bug: OPSAPS-39836

Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-39372

Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2

Cloudera Bug: OPSAPS-39296

Fixed an issue where Cloudera Manager made requests to googleapi.com to download some of its required fonts, which fails if the browser does not have Internet access. Cloudera Manager now includes all of the necessary fonts.

Cloudera Bug:OPSAPS-40609.

Fixed an issue where running the cloudera-manager-installer.bin installer file (as described in the documentation) fails on Ubuntu 16.04 LTS (Xenial).

Cloudera Bug: DOCS-2037.

Fixed an issue where some Linux distributions could not connect to Oozie with curl through HTTPS when DHE-based ciphers are present.

Cloudera Bug: OPSAPS-40407

/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-32880

Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.

When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart of all the stale services in order for them to receive the updated configuration in the hive-site.xml file.

Cloudera Bug: OPSAPS-39021

Fixed an issue where accessing Sqoop2 with Hue fails with the following error: Sqoop error: Could not get connectors.

CDH 5.5.0 or higher clusters running a Hue Service require a restart of Hue services because of a new configuration file. This new configuration file is required for Hue's Sqoop2 Application functions in secure settings, but it will show up whether or not Sqoop or security settings are in use.

Cloudera Bug: OPSAPS-27286

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Cloudera Bug: OPSAPS-32880

Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.

Cloudera Bug: OPSAPS-40487

Cloudera Bug: OPSAPS-40040

Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafaka upgrades.

Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40002

Fixed an issue where the total_kudu_rows_upserted_rate_across_kudu_replicas metric was not included in the Workload Summary for Kudu.

Cloudera Bug: OPSAPS-40551

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Fixed an issue where the ntpdc command was used in the host Clock Offset health test even if the command is deprecated for an operating system.

Cloudera Bug: OPSAPS-38268

Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.

Cloudera Bug: OPSAPS-40522

Fixed an issue with Cluster Templates where role level configuration was not getting exported. This was causing cluster to fail when trying user try to import a cluster template exported from a cluster on which HDFS HA was enabled.

Cloudera Bug: OPSAPS-31528

Fixed an issue where the new Graceful Shutdown Timeout configuration property does not work as expected. As a result, Kafka takes an additional 30 seconds (by default) to shut down, but will still only have 30 seconds to complete its controlled shutdown, before Cloudera Manager forcibly shuts down Kafka brokers regardless of the configured timeout.

Fixed in Cloudera Manager 5.11.1.

Cloudera Bug: OPSAPS-40106.

Fixed an issue where ResourceManager state store recovery may fail. The YARN service will become stale when a cluster containing a YARN service with a ZooKeeper dependency set is upgraded to Cloudera Manager 5.10.1+ or 5.11+. Restart the YARN service normally or with a rolling restart.

Cloudera Bug: OPSAPS-38908

Cloudera Bug: OPSAPS-38908

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

Fixed an issue where the cloudera-server-db fast_stop command fails on non-sytemd Debian systems like Debian 7 with a command not found error.

Cloudera Bug: OPSAPS-39393

Fixed an issue where the API to export cluster templates exported settings that were auto-configured. Auto-configured settings should not be exported in the cluster template.

Cloudera Bug: OPSAPS-39031

Fixed an issue that caused pauses and slow performance of the Cloudera Manager Admin Console occur after creating a peer.

Fixed in Cloudera Manager 5.11

Cloudera Bug: OPSAPS-38868.

Fixed an issue where the JVM Heap Memory Usage chart for ZooKeeper displayed the wrong value for maximum memory.

Cloudera Bug: OPSAPS-38821

Fixed an issue where an error occurs when starting the NodeManager because the /tmp directory is mounted as noexec.

Cloudera Bug: OPSAPS-33053

Fixed an issue where generating Kerberos credentials failed when Active Directory properties like OU have a space in them or are too long to fit in a line.

Cloudera Bug: OPSAPS-37100

Python 2.7 and later enables certificate chain validation by default, and specifying a custom SSL context with an CA certificate may be required to prevent connection errors. The ApiResource constructor in the Cloudera Manager Python API now takes an optional "ssl_context" argument where a custom SSL context can be provided. This allow clients to specify the CA certificate of the API endpoint's certificate.

Cloudera Bug: OPSAPS-31699

Fixed an issue where a force start of the Cloudera Manager server failed if Cloudera Manager used PostgreSQL.

Cloudera Bug: OPSAPS-32915

Fixed an issue where parcels could not be removed from the Cloudera Manager database when the manifest.json file is not available in the remote repository or removed from the remote location.

Cloudera Bug: OPSAPS-34964

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.

Fixed in Cloudera Manager 5.11.0, 5.10.1

Cloudera Bug: OPSAPS-38670

Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.

Cloudera Bug: OPSAPS-37907

Fixed in: Cloudera Manager 5.11.0, 5.10.1

Fixed Cloudera Manager agent problem that requires hard restart when an invalid regular expression is used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-38946 and OPSAPS-36974

Fixed an issue where a change to a Hive view on a source cluster was not reflected in the target cluster after Hive Replication with the Force Overwrite option selected.

Cloudera Bug: OPSAPS-39034

During a CDH upgrade, the Sentry Database Upgrade step will be performed only when necessary. Previously, the Sentry Database Upgrade step always ran.

Cloudera Bug: OPSAPS-25405

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Cloudera Bug: OPSAPS-38700

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.

Cloudera Bug: OPSAPS-40487

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Fixed an issue where if Sentry crashed with an OutOfMemory error, the generated dump file name was not unique, and therefore the file could be overwritten on subsequent occurrences of the error. This has been fixed to include the PID in the dump file name, which is the standard practice for other CDH services.

Cloudera Bug: OPSAPS-40600

Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafaka upgrades.

Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40002

/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Cloudera Bug: OPSAPS-40040

Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.

Cloudera Bug: OPSAPS-40522

Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.

When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart of all the stale services in order for them to receive the updated configuration in the hive-site.xml file.

Cloudera Bug: OPSAPS-39021

Fixed an issue where the cloudera-server-db fast_stop command fails on non-sytemd Debian systems like Debian 7 with a command not found error.

Cloudera Bug: OPSAPS-39393

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Cloudera Bug: OPSAPS-32880

Fixed an issue where large diagnostic bundles, such as ones greater than 4 GB, fail to upload.

Cloudera Bug: OPSAPS-40100

Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2

Cloudera Bug: OPSAPS-39296

Fixed an issue where ResourceManager state store recovery may fail. The YARN service will become stale when a cluster containing a YARN service with a ZooKeeper dependency set is upgraded to Cloudera Manager 5.10.1+ or 5.11+. Restart the YARN service normally or with a rolling restart.

Cloudera Bug: OPSAPS-38908

Cloudera Bug: OPSAPS-38908

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.

Fixed in Cloudera Manager 5.11.0, 5.10.1

Cloudera Bug: OPSAPS-38670

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Cloudera Bug: OPSAPS-38700

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.

Fixed in Cloudera Manager 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-39118

Fixed Cloudera Manager agent problem that requires hard restart when an invalid regular expression is used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-38946 and OPSAPS-36974

Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.

Cloudera Bug: OPSAPS-37907

Fixed in: Cloudera Manager 5.11.0, 5.10.1

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Cloudera Bug: OPSAPS-38700

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Fixes an issue where the Cluster Import command fails after updating parcel repositories and when the parameter addRepositories=true is included in the command and there are no pre-configured repositories in the cluster.

Cloudera Bug: OPSAPS-33059

On a parcels install, Hue can be set up with an Oracle Database. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.

Cloudera Bug: OPSAPS-34339

On a packages install, Hue can be set up with an Oracle Database and proceed past the Test Connection page in the setup wizard. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.

Cloudera Bug: OPSAPS-34608

Cloudera Manager used to work with only 'public' schema in PostgreSQL. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user or database. For more information, see https://www.postgresql.org/docs/current/static/ddl-schemas.html.

Cloudera Bug: OPSAPS-33752

Trust store passwords are not required. This fixes a bug where some Cloudera components erroneously reported that a password was required.

Cloudera Bug: OPSAPS-38183

Fixes a database constraint violation that occurs when you use Cloudera Manager to delete a host that has cluster-wide configurations. (Kerberos configurations, for example.)

Cloudera Bug: OPSAPS-38150

Cloudera Express no longer shows configurations that requires a license to manage.

Cloudera Bug: OPSAPS-38214

Cloudera Bug: OPSAPS-38133

This fixes an issue where YARN utilization report may not work when MapReduce job output is specified as "Compressed" and a compression codec is used for it.

Cloudera Bug: OPSAPS-38460

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.

Cloudera Bug: OPSAPS-37542

If a user did not make any resource policy change on an existing cluster, the default scheduling policy used is FAIR, but the Cloudera Manager Admin console incorrectly displays the policy as DRF. This is now fixed to show FAIR. When the user creates new clusters, the default scheduling policy will be DRF.

Cloudera Bug: OPSAPS-37478

The quick time selection (30m, 1h, etc) on custom dashboards now work correctly.

Cloudera Bug: OPSAPS-37190

In Cloudera Manager 5.9 and lower, the HDFS property Safemode Minimum DataNodes has a default value of 0. This property configures the number of DataNodes that must register with the NameNode before the NameNode exits safe mode. This property now has a default value of 1 in CDH 5.9 and higher

In an empty cluster (that is, a cluster with no HDFS data) where the property is set to 0, this has the side effect of extending the duration of startup safe mode by about 30 seconds. For non-empty clusters, this change has no visible effect. This change only applies to new CDH 5.9 and higher clusters created with Cloudera Manager 5.10 or higher. Existing CDH 5.9 clusters are not affected; pre-CDH 5.9 clusters that are upgraded to CDH 5.9 or higher are also unaffected.

Cloudera Bug: OPSAPS-36988

Only the Hue server now only generates the HSTS HTTP header. Previously, both the Hue server and Hue Load Balancer generated the HSTS HTTP header.

Cloudera Bug: OPSAPS-35536

Prevent duplicate hosts from being reported in Cloudera Manager due to use of the AWS instance ID as a unique host identifier. Cloudera Manager now uses a random number as the host unique identifier instead. This prevents a duplicate host issue when host is running on a cloud service such as AWS and the host is added using the Cloudera Manager wizard and manually added later.

Cloudera Bug: OPSAPS-35282

Previously, some users found that '******' were inserted in the database literally. Cloudera Manager now performs a check on this special string prevents it from being stored in the Cloudera Manager database.

Cloudera Bug: OPSAPS-34252

Cloudera Manager now generates a proper error message when the database does not exist and the username and password do exist. Cloudera Manager now displays the message "Able to find the Database server, but not the specified database. Please check if the database name is correct and make sure that the user can access the database."

Cloudera Bug: OPSAPS-33915

Parameters of databases, tables, partitions, and indexes are replicated by default during Hive replications. You can disable this replication. See Replication of Parameters.

Cloudera Bug: OPSAPS-38197

The Web server of the HDFS NFS Gateway that is used to publish metrics and view configurations is now covered by SSL protection when enabled across the HDFS service. This fixes an issue that caused a failure when starting the Web interface for the NFS gateway.

Cloudera Bug: OPSAPS-33202

Fixed an issue where a race condition can happen when getting the log links for unhealthy roles and then causes a null pointer exception for the Cloudera Manager homepage.

Cloudera Bug: OPSAPS-32804

When passwords change, the stale configuration icons displays. When you click one of these icons, the Stale Configurations page displays but the page does not indicate which passwords have changed.

Cloudera Bug: OPSAPS-29146

Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40914

Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-39372

sudo service cloudera-scm-server restart

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40987

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Cloudera Bug: OPSAPS-32880

Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafaka upgrades.

Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40002

Fixed an issue where if Sentry crashed with an OutOfMemory error, the generated dump file name was not unique, and therefore the file could be overwritten on subsequent occurrences of the error. This has been fixed to include the PID in the dump file name, which is the standard practice for other CDH services.

Cloudera Bug: OPSAPS-40600

Cloudera Bug: OPSAPS-40040

Fixed an issue where secret data, including passwords and other data, can be exposed in the /var/run/cloudera-scm-agent/process-name/proc.json or /var/run/cloudera-scm-agent/process-name/config.zip files because these files are world readable. See TSB-235 for more information.

Fixed in: Cloudera Manager 5.12, 5.11, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40536

Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3

Cloudera Bug: OPSAPS-39836

The recommended value for Max Message Size for Hive MetaStore configuration parameter should be at least 10% of the value for the Java Heap Size of Hive Metastore Server in Bytes parameter, but should never exceed 2147483647B. Previously, the validator for Max Message Size for Hive MetaStore was showing an incorrect value in its validation message. This validator is now fixed to show the correct recommended value.

Cloudera Bug: OPSAPS-38434

/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

Fixed Cloudera Manager agent problem that requires hard restart when an invalid regular expression is used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-38946 and OPSAPS-36974

Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.

Fixed in Cloudera Manager 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-39118

Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.

Cloudera Bug: OPSAPS-37542

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Cloudera Bug: OPSAPS-38700

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

The quick time selection (30m, 1h, and so on) on custom dashboards does not work in 5.9.x.

Cloudera Bug: OPSAPS-37190

When creating a Hive Replication schedule that copies Hive data from S3 and you select the Reference Data From Cloud option, Hive table Views are not restored correctly and result in a Null Pointer Exception when querying data from the view.

Cloudera Bug: OPSAPS-37549

HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 or higher. Previously, this was considered an error.

Cloudera Bug: OPSAPS-34310

Cloudera Manager used to work with only the public schema in Postgresql. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in postgresql, which can be set for a user, database, etc: See https://www.postgresql.org/docs/current/static/ddl-schemas.html

Cloudera Bug: OPSAPS-33752

Fixes an issue where the Alert Publisher throws "unsigned 32bit value" error after long uptime. TimeTick is an extension of UnsignedInteger32 type. TimeTick represents time in 1/100 seconds. Its value range is 0 to 4294967295. Activity Monitor's uptime is a Java long type that can exceed the range of TimeTicks. Before this fix, long uptime could cause the Alert Publisher to throw the "unsigned 32bit value" error.

Cloudera Bug: OPSAPS-35564

When upgrading to Cloudera Manager 5.9 or later, YARN will become stale due to the following properties changing to be emitted to the Resource Manager role only:

• yarn.scheduler.fair.user-as-default-queue
• yarn.scheduler.fair.preemption
• yarn.scheduler.fair.sizebasedweight
• yarn.scheduler.fair.assignmultiple
• yarn.scheduler.fair.locality.threshold.node
• yarn.scheduler.fair.locality.threshold.rack

This fixes a problem where changes to these configurations would mark too many roles as stale. You can safely ignore staleness to any role caused by the removal of these configuration parameters.

Cloudera Bug: OPSAPS-32610

Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.

Cloudera Bug: OPSAPS-35869

Fixed an issue in Cloudera Manager 5.8.1 where the first time Oozie is run it fails if using Kerberos custom principals.

Cloudera Bug: OPSAPS-35822

Fixed an issue in the export cluster template code path where it was failing because of stale configuration settings in the Cloudera Manager database. This can occur when configurations are deprecated on older CDH releases.

Cloudera Bug: OPSAPS-35586

Cloudera recommends that you place your Kafka host in the same logical cluster as your Sentry host. However, if you deploy Kafka as a separate logical cluster, you can deploy a dummy Sentry service on Kafka's logical cluster with an override for Sentry-site.xml to point to the Sentry service on first logical cluster, and then it can be turned off. This is a workaround that allows Cloudera Manager to generate the appropriate Sentry client configurations for Kafka.

Cloudera Bug: OPSAPS-35369

If the Sentry Upgrade command fails, you can now retry the command.

Cloudera Bug: OPSAPS-35365

Fixed an issue where the Impala Breakpad script fails if you try to collect more than 10 MB of dumps from a single role.

Cloudera Bug: OPSAPS-34971

HDFS-S3 replication supports incremental backups using snapshot diffs. HDFS-S3 replication does not support incremental restore using snapshot diff.

Cloudera Bug: OPSAPS-34987

Cloudera Bug: OPSAPS-35262

Fixed the initial sort order on the instances page.

Cloudera Bug: OPSAPS-35268

There is a permission issue on the Cluster Status page where the grid is never enabled, and on the View Page where the grid is always enabled for all users. The former change allows the user to customize the Cluster status page. The latter change ensures that users do not get errors when customizing specific view pages.

Cloudera Bug: OPSAPS-34526

AWS S3 credentials, if specified in the job configuration by setting fs.s3a.access.key and fs.s3a.secret.key, were shown as clear text in MapReduce UIs. The credentials are now redacted by default in all MapReduce UIs.

Cloudera Bug: OPSAPS-36840

Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.

Cloudera Bug: OPSAPS-36315

Fixed the API command documentation to include the canRetry attribute. Added a new method, ApiCommand.getCanRetry() and deprecated the method ApiCommand.isCanRetry().

Cloudera Bug: OPSAPS-36009

python api changes for hdfs cloud replication.

Cloudera Bug: OPSAPS-35892

Fixed an issue that prevented the display of Impala usage on the Cluster Utilization page when there are two Impala services in the same cluster. The UI shows usage for the first Impala service only.

Cloudera Bug: OPSAPS-34495

Fixed an issue where a stale configuration page would take a lot of time to load for a large cluster.

Cloudera Bug: OPSAPS-34497

Fixed the Install Oozie Share Lib action so that the Oozie service is informed that there is a new shared library installed. This eliminates the need for a separate manual restart.

Cloudera Bug: OPSAPS-26825

After upgrading to 5.7 or later, you might see a reduced Java heap maximum on Impala Catalog Server due to a change in its default value. Upgrading from Cloudera Manager lower than 5.7 to Cloudera Manager 5.8.2 no longer causes any effective change in the Impala Catalog Server Java Heap size.

When upgrading from Cloudera Manager 5.7 or later to Cloudera Manager 5.8.2, if the Impala Catalog Server Java Heap Size is set at the default (4GB), it is automatically changed to either 1/4 of the physical RAM on that host, or 32GB, whichever is lower. This can result in a higher or a lower heap, which could cause additional resource contention or out of memory errors, respectively.

Cloudera Bug: OPSAPS-34039

Cloudera Manager Server now runs services using the user ID with which that single-user mode is configured. If single-user mode is configured on the agents to use the user cloudera-scm, then an attempt to run Hive as the user hive fails.

Cloudera Bug: OPSAPS-35621

YARN usage aggregation job now runs successfully on clusters where LZO compression is being used.

Cloudera Bug: OPSAPS-33356

When selecting a role to run HDFS Snapshot command, Cloudera Manager selects a non-decommissioned host in Active status. Also, hosts in maintenance mode have a lower priority than the ones in active state.

Cloudera Bug: OPSAPS-33144

For CSD development, there are now deprecation warnings in the CLI validation tool and the Maven validation plugin. These indications provide guidance for future behavior changes in the support of CSD services in Cloudera Manager. A deprecation warning is shown when applicable, but does not affect the outcome of the validation.

Cloudera Bug: OPSAPS-33510

One-off requests, such as "Inspect Hosts," do not re-execute.

Cloudera Bug: OPSAPS-34255

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Passing a legal XML value to Fair Scheduler XML Advanced Configuration Snippet (Safety Valve) no longer causes a parsing error.

Cloudera Bug: OPSAPS-34329

Customers using Incremental HDFS replication had an issue where if an excluded file (through exclusion filters) is renamed to an included file, the new file was not copied to the destination cluster. This issue is resolved as part of this fix.

Cloudera Bug: OPSAPS-34066

Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix involves adding an extra stop to wait for hosts to report correct the parcel version before proceeding.

Cloudera Bug: OPSAPS-33766

This fix provides some wait time before the SCM agent attempts to remove control groups (cgroups) again after initial failure.

Cloudera Bug: OPSAPS-32331

SMON blindly fell back to Oozie's instrumentation endpoint if it had any problems with the metrics endpoint. Now, SMON falls back only if the metrics endpoint returns a 503 error code, which is the only case it could possibly have success with instrumentation endpoint.

Cloudera Bug: OPSAPS-31988

Client configuration deployment logs are now collected as a part of diagnostics support bundle, which were unintentionally removed in Cloudera Manager 5.3.

Cloudera Bug: OPSAPS-31377

You can increase the number of threads used to upload the Oozie sharelib to HDFS. This significantly reduces the time it takes for this operation. This feature is available starting in CDH 5.9.0.

Cloudera Bug: OPSAPS-31078

Before this fix, the host inspector incorrectly warned about kernel version "2.6.32-504.16.2" as "non-recommended"

Cloudera Bug: OPSAPS-35170

With this fix, the preventative steps in TSB-181 are no longer required.

Cloudera Bug: OPSAPS-35294

Rolling upgrade will no longer fail if services are stopped.

Cloudera Bug: OPSAPS-34322

Enabled redaction of sensitive information from Flume configuration.

Cloudera Bug: OPSAPS-34506

See Redaction of Sensitive Information from Diagnostic Bundles.

Cloudera Bug: OPSAPS-34621

If the HDFS File Browser were kept open for long periods of time, it could cause a memory leak that would cause Cloudera Manager to crash. This fix addresses the issue.

Cloudera Bug: OPSAPS-35168

Disabled second level hibernate cache, which was causing the cache to become "stale" under load. There is no significant difference in Cloudera Manager performance after disabling the cache.

Cloudera Bug: OPSAPS-34010

Installing CDH using Packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which could result in the wizard using the wrong one. The Cloudera Manager wizard now ensures the correct binaries are selected. Workaround: Use the parcels format or manually install the correct packages.

Cloudera Bug: OPSAPS-36100

Support Bundles started collecting Impala minidumps bundles in Cloudera Manager 5.8.0 and higher. It was generating an empty TAR file if no bundles were found. With this fix, no empty TAR files are generated.

Cloudera Bug: OPSAPS-34887

Cloudera Manager now shows the correct label when performing HA.

Cloudera Bug: OPSAPS-30777

Fixed an issue where the heartbeat fails with a host that has a mount point backed by cloud storage, such as AWS.

Cloudera Bug: OPSAPS-35742

Fixed the presumption that any default-named group exists in hosts. YARN cgroup containers do not require the Impala user/group to be present in hosts.

Cloudera Bug: OPSAPS-35242

Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.

Cloudera Bug: OPSAPS-33991

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

During the execution of First-Run command, the command only waits for the Cloudera Manager Agent to detect CDH parcels and does not wait for any other activated parcels. Previously, it was waiting for agents to detect all the activated parcels.

Cloudera Bug: OPSAPS-38304

Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.

When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart of all the stale services in order for them to receive the updated configuration in the hive-site.xml file.

Cloudera Bug: OPSAPS-39021

/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Nested User Pools (except existingSecondaryGroup) now support create=true|false as a checkbox in the UI.

Cloudera Bug: OPSAPS-39625

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe under utilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Fixed an issue where a race condition can happen when getting the log links for unhealthy roles and then causes a null pointer exception for the Cloudera Manager homepage.

Cloudera Bug: OPSAPS-32804

Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.

Cloudera Bug: OPSAPS-37542

Error when distributing to host: No such torrent:parcel_name.torrent

Workaround: Remove the file /opt/cloudera/parcel-cache/parcel_name.torrent from the host.

Cloudera Bug: OPSAPS-37183

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Cloudera Bug: OPSAPS-38700

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Lengthy queries (such as Impala DDLs) sometimes overloaded the SMON (service monitor) heap, resulting in out-of-memory exceptions (OOME). With this release, queries are limited to 10k characters by default. This setting can be adjusted using the safety valve mechanism (Advanced Configuration Snippet) in Cloudera Manager.

Cloudera Bug: OPSAPS-37053

When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)

Cloudera Bug: OPSAPS-34986.

Fixes heartbeat failure with a host that has a mount point backed by cloud storage, such as AWS.

Cloudera Bug: OPSAPS-36144.

You can configure hive.meetastore.max.message.size using Max Message Size for Hive MetaStore. The default setting is 100MB. This can cause staleness during a Cloudera Manager upgrade.

Cloudera Bug: OPSAPS-34098.

HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 and higher.

Cloudera Bug: OPSAPS-34310.

Installing CDH using Packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which caused the installer to get confused and pick the wrong one. Cloudera Manager's wizard now ensures the correct binaries are selected.

Cloudera Bug: OPSAPS-36971.

Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.

Cloudera Bug: OPSAPS-35869.

Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.

Cloudera Bug: OPSAPS-36315

Support Bundles started collecting Impala minidump bundles with Cloudera Manager 5.8 and higher. If no bundles were found, Cloudera Manager generated an empty TAR file. With this fix, no empty TAR files are generated.

Cloudera Bug: OPSAPS-34887

Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple java processes including other roles on the same host.

Cloudera Bug: OPSAPS-33991

If the Sentry Upgrade command fails, you can now retry the command.

Cloudera Bug: OPSAPS-35365

Cloudera Manager used to work with only 'public' schema in PostgreSQL. With this change, Cloudera Manager supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user, database, and so on. https://www.postgresql.org/docs/current/static/ddl-schemas.html

Cloudera Bug: OPSAPS-33752

The redaction of potentially sensitive parameters in advanced configuration snippets is extended to those commonly used by the Azure Data Lake.

Cloudera Bug: OPSAPS-29523

Customers using Incremental HDFS replication had an issue where if an excluded file (through exclusion filters) is renamed to an 'included' file, the new file is still not copied to the destination cluster. This issue is resolved as part of this fix.

Cloudera Bug: OPSAPS-34066

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Solr server initialization can take up to 60 secs to complete. During this time interval, Solr server does not respond to the solrd watchdog requests. This can result in solrd watchdog terminating the Solr server process. The default timeout duration for watchdog is increased to 70 secs.

Cloudera Bug: OPSAPS-34320

In Cloudera Manager 5.7, adding any new service to your cluster can cause the YARN setting for mapreduce.job.reduces to change unexpectedly. Adding a service no longer causes this problem.

Cloudera Bug: OPSAPS-34151

Hive Metastore max message size can be configured now using Max Message Size for Hive MetaStore. It defaults to 100MB. It can cause staleness for customers on Cloudera Manager upgrade.

Cloudera Bug: OPSAPS-34098

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

Cloudera Bug: OPSAPS-33883

While trying to migrate Cloudera Manager using deployment.json file with existing Hive replication, schedules used to fail. This has been fixed in this release.

Cloudera Bug: OPSAPS-33927

After upgrading to 5.7 or later, customers could see a reduced Java heap maximum on Impala Catalog Server, due to a change in its default value. Upgrading from Cloudera Manager < 5.7 to Cloudera Manager 5.8.2 no longer sees any effective change in the Impala Catalog Server Java Heap size.

Cloudera Bug: OPSAPS-34039

In 5.8.1, Oozie first run fails if using kerberos custom principals. This is now fixed.

Cloudera Bug: OPSAPS-35822

The earlier known issue that running Hive Replication shows "Dry Run" in status message is fixed now.

Cloudera Bug: OPSAPS-33206

Policy for selecting a role to run HDFS Snapshot command: We select a non-decommissioned host that is in Active status. Also, hosts in maintenance mode have a lower priority than hosts in active state.

Cloudera Bug: OPSAPS-33144

The export cluster template code path was failing because of stale configuration in the Cloudera Manager database. Having a stale configuration in the database is possible. This could happen when configurations are deprecated on older CDH releases.

Cloudera Bug: OPSAPS-35586

With this fix, the preventative steps in TSB-181 are no longer required.

Cloudera Bug: OPSAPS-35294

When Impala uses SSL, Cloudera supports TLS Connection to Catalog Server. Customers are able to enable replication for any Impala UDFs/Metadata (in Hive Replication).

Cloudera Bug: OPSAPS-34801

Enabled redacting sensitive information from Flume configuration.

Cloudera Bug: OPSAPS-34506

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2" as "non-recommended."

Cloudera Bug: OPSAPS-35170

Impala Breakpad script failure that happens when trying to collect more than 10 MB of dumps from a single role is fixed.

Cloudera Bug: OPSAPS-34971

After an "Install Oozie Share Lib" action, the Oozie service is informed that that there is a new shared lib installed. This eliminates the need for a separate manual restart.

Cloudera Bug: OPSAPS-26825

If the Sentry Gateway role is configured on any hosts of a CDH 5.7.x cluster, the upgrade process to CDH 5.8.x fails.

Upgrades to CDH 5.8.x now complete successfully.

Cloudera Bug: OPSAPS-35356

YARN log aggregation did not work when yarn.nodemanager.remote-app-log-dir was configured to a non-default location. Now this value is emitted in YARN client configuration, ensuring clients logs go to the proper location.

This fix causes staleness.

Cloudera Bug: OPSAPS-29422

Fixed an issue where the MapReduce2 property mapreduce.job.counters.max was not included in the configuration for the JobHistory Server, which could cause jobs to fail if there were too many counters. This might happen despite increasing the limit configured in Cloudera Manager. The property is now included in the JobHistory Server configuration, in addition to the related property mapreduce.job.counters.groups.max.

This fix causes staleness.

Cloudera Bug: OPSAPS-26705

Cloudera Bug: OPSAPS-26705

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.

This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.

Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.

Cloudera Bug: OPSAPS-33383

On Isilon systems, the owner that the file is being changed to must be present on the system. In general cases, the user is not present, so this command fails with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Cloudera Bug: OPSAPS-33145

With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).

Cloudera Bug: OPSAPS-33954

PROPERTIES_TO_UPDATE=INDICES,PARAMETERS,PARTITIONS,PRIVILEGES 

Cloudera Bug: OPSAPS-33953

Cloudera Bug: OPSAPS-29483

You can now configure Active Directory account properties. You can use custom values for objectClasses to configure accounts, including non-person objects.

Cloudera Bug: OPSAPS-30301

YARN log aggregation did not work when yarn.nodemanager.remote-app-log-dir was configured to a non-default location. Now this value is emitted in YARN client configuration, ensuring clients logs go to the proper location.

Cloudera Bug: OPSAPS-29422

If the Key Trustee server is configured with High Availability, the Key Management Service needs to use round-robin DNS.

Cloudera Bug: OPSAPS-29221

Active Directory Account Prefix was improperly implemented as a required configuration for Security/ Kerberos. The use of this configuration is now optional.

Cloudera Bug: OPSAPS-29196

Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix involves adding an extra stop to wait for hosts to report the correct parcel version before proceeding.

Cloudera Bug: OPSAPS-33766

BDR is now supported on Isilon (including on clusters secured with Kerberos).

Cloudera Bug: OPSAPS-33758

HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed related issue where clusters with authentication (kerberos) but not authorization failed in Hbase-related MapReduce jobs.

Cloudera Bug: OPSAPS-33657

Trying to collect diagnostic data for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of displaying a Java stack trace.

Cloudera Bug: OPSAPS-33438

Failed BDR jobs no longer report errors on "Collect diagnostic data" actions.

Cloudera Bug: OPSAPS-33474

Cloudera Manager 5.8 supports redaction of Advanced Configuration Snippet parameters in UI configuration pages. Redaction is based on matching keywords defined as sensitive, and detected within the contents of the Advanced Configuration Snippet text. Users who can edit the parameter still see the sensitive words, but users without edit privileges see only the redacted contents.

Cloudera Bug: OPSAPS-33401

Fixed an issue in the Take Snapshot dialog where the validation of the snapshot name could become "stuck" and prevent execution of the operation.

Cloudera Bug: OPSAPS-33464

The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.

Cloudera Bug: OPSAPS-33171

The Spark standalone service now works without an HDFS service. This requires Spark services to show up as stale and require a restart after upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33509

In an existing HDFS High Availability setup, when the user tries to add or delete a nameservice and, in the process, attempts to get progress on the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs the user that the child commands have not yet run.

Cloudera Bug: OPSAPS-33383

Replication schedules page load performance is improved.

Cloudera Bug: OPSAPS-33125

On Isilon systems, the owner to which the file is being changed must be present on the system. In general cases, the user is not present, so this command tends to fail with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Cloudera Bug: OPSAPS-33145

Hue service can now start with Isilon if Kerberos is enabled.

Cloudera Bug: OPSAPS-27441

Hive now has the property Enable Stored Notifications in Database. When set, Hive logs DDL notifications in Hive Metastore.

Cloudera Bug: OPSAPS-32629

YARN Allowed System Users now includes hbase by default. This is helpful when running certain tools for HBase that need to execute MapReduce jobs.

Cloudera Bug: OPSAPS-32631

When running an HDFS rebalance command on a kerberized cluster with a large amount of data, it could would take enough time to complete that authentication would expire and cause an error. Leveraging a new capability in HDFS, the rebalance command is now able to use a keytab file to automatically renew authentication before it expires.

Cloudera Bug: OPSAPS-32372

Cloudera Manager now supports deletion of entities from a target Hive database when those entities are deleted from source Hive database during Hive incremental replication.

Cloudera Bug: OPSAPS-32625

The default MapReduce service for a new replication schedule is YARN.

Cloudera Bug: OPSAPS-32650

BDR Administrator authority message is now more accurate: Create replication schedules and snapshot policies.

Cloudera Bug: OPSAPS-32521

Cloudera Manager 5.8 includes Hive incremental replication support.

Cloudera Bug: OPSAPS-32366

A security bug in the Cloudera Manager API allowed users with read-only permissions to view all the existing users in Cloudera Manager. This issue is now fixed.

Cloudera Bug: OPSAPS-32916

You can configure Time-to-live for Database Notifications in Hive for notifications present in the NOTIFICATION_LOG. The default is 2 days.

Cloudera Bug: OPSAPS-32898

Previously, the Clusters Menu expanded the first cluster by default. As the user expanded or collapsed the accordion, it remembered the configuration for the current session. When the user goes to the services, roles, or host of another cluster, it maintained the configuration of the previously expanded cluster (which might or might not match). In Cloudera Manager 5.7.1 and higher, Cloudera Manager records the last relevant cluster when the user visits a cluster, service, role or host page, and expands that cluster in the Clusters menu by default.

Cloudera Bug: OPSAPS-32850

In lower releases, if the configuration Impala Daemon Memory Limit is not set, the Impala Admission Control page throws a NullPointerException. This is now fixed.

Cloudera Bug: OPSAPS-33023

Enable Impala Admission Control and Enable Dynamic Resource Pools are now enabled by default. Customized configuration values are preserved during upgrade.

Cloudera Bug: OPSAPS-32737

BDR on Isilon storage is now supported with kerberized clusters.

Cloudera Bug: OPSAPS-32825

Support bundles now collect "minidumps" from Impala that help to debug Impala crash issues. As part of this functionality, Cloudera Manager exposes two properties for three roles (Impalad, Catalog Server, Statestore Server).

Cloudera Bug: OPSAPS-33050

With this change, the cloud HDFS path remains as it is after replication.

Cloudera Bug: OPSAPS-32022

mapreduce.shuffle.max.connections was emitted to files of YARN clients instead of the NodeManager. It is now correctly emitted only for the NodeManager.

Cloudera Bug: OPSAPS-31772

Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

In Cloudera Manager 5.7, charts would not render in the Chart Builder page on IE9. This issue is fixed in Cloudera Manager 5.8.

Cloudera Bug: OPSAPS-31561

Cloudera Manager is now supported on Debian 8.2.

Cloudera Bug: OPSAPS-31296

All YARN roles are stopped and started together when the service stop or start command is issued with CDH 5.2 and higher. If CDH version is lower than 5.2, the previous behavior of stopping ResourceManagers before NodeManagers and starting them after NodeManagers stays the same.

Cloudera Bug: OPSAPS-30981

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on the new host, then update the configuration in Cloudera Manager to point to the new path.

Cloudera Bug: OPSAPS-27976

Cloudera Bug: OPSAPS-27020

The MapReduce2 property mapreduce.job.counters.max was not included in the configuration for the JobHistory Server, which could cause jobs to fail if there were too many counters. This might happen despite increasing the limit configured in Cloudera Manager. The property is now included in the JobHistory Server configuration, in addition to the related property mapreduce.job.counters.groups.max.

Cloudera Bug: OPSAPS-26705

Cloudera Manager now supports custom Kerberos principals for BDR.

Cloudera Bug: OPSAPS-24658

A new chart on the Impala service page shows query duration for completed Impala queries.

Cloudera Bug: OPSAPS-22909

Cloudera Bug: OPSAPS-22853

It is now possible to regenerate principals for Active Directory setups. This involves deletion of existing accounts and regeneration of new principals. Since some customers might not want to do this through Cloudera Manager, starting with Cloudera Manager 5.8 you can enable the new property Active Directory Delete Accounts on Credential Regeneration. Regenerating credentials with this setting enabled automatically deletes existing accounts and completes the regeneration. This setting is disabled by default. If disabled, regeneration of principals throws an error message saying that deletion of accounts is required. Cloudera Manager needs the new configuration to be set in order to delete accounts automatically.

Cloudera Bug: OPSAPS-22182

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

Cloudera Bug: OPSAPS-33883

In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.

Cloudera Bug: OPSAPS-33905

In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.

Cloudera Bug: OPSAPS-33882

In lower releases, it was not obvious in the Send Diagnostics dialog whether data would be sent back to Cloudera. The dialog is enhanced to make this information more visible.

Cloudera Bug: OPSAPS-28674

Cloudera Manager supports the nestedUserQueue feature in the UI. You no longer have to use the safety valve to specify nestedUserQueues. This means you can make all jobs without specified user queues go to root.<YOUR_POOL>.<username> or root.<YOUR_POOL>.<primaryGroup> from the UI.

Cloudera Bug: OPSAPS-30156

Selecting Clone lets you create a new pool from the settings of an existing pool.

Cloudera Bug: OPSAPS-32471

Impala Admission Control now supports a global way of editing ACLs.

Cloudera Bug: OPSAPS-33963

During cluster creation, host templates are no longer created automatically.

Cloudera Bug: OPSAPS-32659

In lower releases, the modal dialog is sometimes too tall. This is now fixed.

Cloudera Bug: OPSAPS-33457

When adding two Key Trustee KMS roles during the initial setup wizard, sometimes these roles were assigned to different groups. The required configuration was set for some but not all of these groups, causing errors. This is now fixed.

Cloudera Bug: OPSAPS-33946

When you print pages from Cloudera Manager, the printout no longer displays link URLs.

Cloudera Bug: OPSAPS-33542

The Active Directory account properties objectClasses and accountExpires are now configurable from the Kerberos Configuration UI page.

Cloudera Bug: OPSAPS-26419

Support bundles can now be collected for a certain time range. Users are also able to get an estimate of the bundle size before collecting the diagnostic data. Only role logs collected as a part of the support bundle are supported by this item in Cloudera Manager 5.8. This item is not available for scheduled support bundles.

Cloudera Bug: OPSAPS-23557

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it, and causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33511

On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.8, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.

Cloudera Bug: OPSAPS-34171

Hue now has built-in support for PostgreSQL by taking advantage of the system library python-psycopg2. In addition to this library, Hue also includes the system libraries listed in the following table.

Cloudera Bug: OPSAPS-12507

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.

Cloudera Bug: OPSAPS-37542

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Cloudera Bug: OPSAPS-38700

Fixed an issue where a race condition can happen when getting the log links for unhealthy roles and then causes a null pointer exception for the Cloudera Manager homepage.

Cloudera Bug: OPSAPS-32804

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, ,5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.

Cloudera Bug: OPSAPS-33991

With this fix, the preventative steps in TSB-181 are no longer required.

Cloudera Bug: OPSAPS-35294

When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)

Cloudera Bug: OPSAPS-34986

Host inspector no longer warns that kernel version "2.6.32-504.16.2" as "non-recommended."

Cloudera Bug: OPSAPS-35170

When Impala uses SSL, Cloudera supports TLS Connection to Catalog Server. You can enable replication for any Impala UDFs/Metadata (in Hive Replication).

Cloudera Bug: OPSAPS-34801

Fixes heartbeat failure with a host that has a mount point backed by cloud storage such as AWS.

Cloudera Bug: OPSAPS-36145

After an "Install Oozie Share Lib" action, the Oozie service is informed that that there is a new shared lib installed. This eliminates the need for a separate manual restart.

Cloudera Bug: OPSAPS-26825

HS2 supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 or higher. Previously, this was considered an error.

Cloudera Bug: OPSAPS-34310

Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple java processes, including other roles on the same host.

Cloudera Bug: OPSAPS-33991

Hue service can now start with Isilon if Kerberos is enabled.

Cloudera Bug: OPSAPS-27441

The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.

Cloudera Bug: OPSAPS-33171

With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).

Cloudera Bug: OPSAPS-33954

The static web directory in Hue is no longer indexed and browsable when the Hue Load Balancer is used.

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

Cloudera Bug: OPSAPS-33883

In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.

Cloudera Bug: OPSAPS-33905

In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.

Cloudera Bug: OPSAPS-33882

On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.7.2, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.

Cloudera Bug: OPSAPS-34171

HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed related issue where clusters with authentication (kerberos) but not authorization failed in Hbase-related MapReduce jobs.

Cloudera Bug: OPSAPS-33657

Adding a new service in Cloudera Manager no longer changes the YARN setting mapreduce.job.reduces.

Cloudera Bug: OPSAPS-34151

Running a Hive replication schedule in BDR no longer displays "(Dry Run)" in the status.

Replication schedules page load performance is improved.

Cloudera Bug: OPSAPS-33125

When selecting a host on which to run the HDFS Snapshot command, Cloudera Manager now excludes unavailable hosts, such as hosts in maintenance mode or decommissioned hosts.

Cloudera Bug: OPSAPS-33144

Migrating Cloudera Manager using deployment.json no longer fails if replication schedules are configured.

Cloudera Bug: OPSAPS-33927

If a file excluded from replication by an exclusion filter is renamed, it is now replicated properly.

Cloudera Bug: OPSAPS-34066

The Spark standalone service now works without an HDFS service. This requires Spark services to show up as stale and require a restart after upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33509

Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on the new host, then update the configuration in Cloudera Manager to point to the new path.

Cloudera Bug: OPSAPS-27976

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it, and causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33511

Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Cloudera Bug: OPSAPS-33094

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

• If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
• If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:

  1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
  2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Cloudera Bug: OPSAPS-33088

In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.

Cloudera Bug: OPSAPS-33383

SSL configuration for the HiveServer2 Web UI is now used regardless of whether Kerberos is in use.

Cloudera Bug: OPSAPS-33255

Previously, the Clusters menu expanded the first cluster by default, and as you expand or collapse the menu, Cloudera Manager remembers that cluster for the session. However, when you go to services, roles, or hosts of another cluster, Cloudera Manager does not remember the other cluster and shows the previously expanded cluster instead.

In release 5.7.1 and higher, Cloudera Manager remembers the last cluster viewed by a user and expands that cluster in the Clusters menu by default.

Cloudera Bug: OPSAPS-32850

If the configuration property Impala Daemon Memory Limit was not set, the Impala Admission Control page threw a null pointer exception.

Cloudera Bug: OPSAPS-33023

In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).

Cloudera Bug: OPSAPS-33035

The Expand range to fill all values option in Chart Builder now works for all charts.

Cloudera Bug: OPSAPS-33277

Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.

This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.

Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Cloudera Bug: OPSAPS-33006

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it. This change causes the Spark service to require a restart when upgrading to Cloudera Manager 5.7.1.

Cloudera Bug: OPSAPS-33511

Certain poorly formed Advanced Configuration Snippets could cause a Null Pointer Exception when uploading diagnostic bundles and setting up a Cloudera Manager peer.

Cloudera Bug: OPSAPS-33378

On Isilon systems, the owner that the file is being changed to must be present on the system. In general cases, the user is not present, so this command fails with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Cloudera Bug: OPSAPS-33145

Cloudera Bug: OPSAPS-33157

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted when the host reboots. Newly created clusters now have an empty default instead of one that could be deleted. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained, so there is no disruption on upgrade. However, Cloudera Manager warns that the path is in a dangerous location. To fix this problem, move the files to a safe path on that host, and then update the configuration in Cloudera Manager to point to the new path.

Cloudera Bug: OPSAPS-27976

Collecting a diagnostic bundle for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of throwing a Java stack trace.

Cloudera Bug: OPSAPS-33438

Fixes TSB-144.

Running the restart or stop service commands failed to stop the Agent.

Cloudera Bug: OPSAPS-33225

Occasionally, some users encountered the message Error creating bean with name 'newServiceHandlerRegistry' in the Cloudera Manager Admin Console. This issue has been resolved.

Cloudera Bug: OPSAPS-33324

The JVM heap size of the Impala catalog server can be configured now using the Java Heap Size of Catalog Server in Bytes property. The property defaults to 4 GB, and like all memory parameters may require tuning.

Cloudera Bug: OPSAPS-26483

An authenticated user could request and receive documents that included passwords they were permitted to modify. This information was sent as plain text. Passwords are no longer included in request responses.

Cloudera Bug: OPSAPS-30757

When stopping the Solr service, Cloudera Manager would forcibly stop the service after a period of time. This could result in Solr cores not coming up cleanly. Cloudera Manager now waits for all operations to complete on the Solr server before exiting.

Cloudera Bug: OPSAPS-30903

As part of enabling Kerberos, a role is created. Attempts to re-enable Kerberos failed because the role already existed from when Kerberos was enabled before. When Kerberos is enabled, Cloudera Manager reuses any required roles if they already exist.

Cloudera Bug: OPSAPS-30703

CDH service processes and third-party (CSD) processes used an incorrect HOME variable. These process now now run with the HOME environment variable set to the correct home directory based on the process user.

Cloudera Bug: OPSAPS-30610

After making Kerberos configuration changes through Administration > Settings > Kerberos, and Manage krb5.conf is enabled, the configuration issue 'Cluster has stale Kerberos configuration' might have displayed and might not have disappeared after running Cluster > cluster_name > Deploy Kerberos Client Configuration. The deploying Kerberos client configuration action now waits for pending staleness checks before identifying stale hosts on which to apply Kerberos configuration.

Workaround: Make a different, non-Kerberos edit to a configuration, and save that change. Revert that change immediately afterward.

Cloudera Bug: OPSAPS-30371

Time range settings were incorrect. They are now set correctly on report pages.

Cloudera Bug: OPSAPS-30016

Automatic configuration for Hive on Spark performance tuning parameters did not run when adding a Hive service to an existing cluster. In the past, these tuning parameters ran when adding a cluster that contained Hive, YARN, and Spark on YARN. The rules now run as long as Hive depends on YARN in both the add service and add cluster wizards.

Cloudera Bug: OPSAPS-25460

Setting empty values for the LDAP Base DN and LDAP Domain for Impala resulted in errors. These settings are now handled without errors.

Cloudera Bug: OPSAPS-29546

Restart and rolling restart commands did not always wait until all deleted roles were identified. As a result, services that had not yet been identified as requiring a restart were not restarted. Restart and rolling restart commands now wait for staleness checks to complete, if the user requests that only stale services be restarted. This avoids a race between staleness computation checking and how services are determined to be stale and thus restarted.

Cloudera Bug: OPSAPS-29190

Cloudera Bug: OPSAPS-29759

The error "There is already a pending command on this entity" was shown if a command was in process for a service and an attempt is made to run the "Deploy client configuration" command. This error is no longer shown.

Cloudera Bug: OPSAPS-31461

Gathering progress information on a variety of tasks could result in null pointer exceptions. For example, this could occur when decommissioning a host. Progress information is now gathered as expected.

Cloudera Bug: OPSAPS-32347

Some windows could be resized so buttons were not visible. For example, this could happen with the Create Replication dialog box. The user interface now handles resizing as expected.

Cloudera Bug: OPSAPS-32060

The configuration information for using the AES/CTR/NoPadding cipher suite for HDFS data transfers was incomplete. As a result, traffic was encrypted with the much slower 3DES algorithm. The correct configuration is now included with the HDFS client.

Cloudera Bug: OPSAPS-31607

Because of Tomcat restrictions, Solr keystore passwords were sent as clear text on the machines running the service. They are now redacted.

Cloudera Bug: CDH-33626.

Removing a host from a cluster automatically removed all Kerberos client configuration from any other hosts still in the cluster. Now, when one host is removed from a cluster, any Kerberos client configuration on other hosts is unaffected.

Cloudera Bug: OPSAPS-29796

During the Hive replication import phase, schema and location information was not consistently populated. This information is now populated as expected.

Cloudera Bug: OPSAPS-31332

After upgrading a parcel, restart or rolling restart steps automatically attempted to deploy the client configuration, even if that was not supported by the cluster configuration. Now, client configurations are deployed only if the cluster configuration supports this action.

Cloudera Bug: OPSAPS-31483

Some pages, such as the All Recent Commands page, may take over 30 seconds to load. This process has been optimized, reducing load times.

Cloudera Bug: OPSAPS-26772

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Cloudera Bug: OPSAPS-31795

It was possible to configure the YARN NodeManager with an amount of available memory less than the amount of memory available to the YARN container. In such a case, a job might never find a NodeManager that meets the memory requirements. The system now ensures that at least one YARN container is configured with an equal or greater amount of memory than the YARN NodeManager value.

Cloudera Bug: OPSAPS-22584

Clients using the version 10 replication schedule API did not work as expected with instances of Cloudera Manager using version 11 of the API. This meant that clients from Cloudera Manager 5.4.0 and lower did not work as expected with servers running Cloudera Manager 5.5.0 and higher. Clients and servers using these different API versions now function as expected.

Cloudera Bug: OPSAPS-32504

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Cloudera Bug: OPSAPS-33094

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Cloudera Bug: OPSAPS-31795

• If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
• If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:

  1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
  2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Cloudera Bug: OPSAPS-33088

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Cloudera Bug: OPSAPS-33006

CDH and GPL Extras parcel versions must match exactly. When upgrading CDH, by default Cloudera Manager validates the dependency between the new CDH parcel and existing GPL Extras parcel. Since the dependency is not satisfied, the check returns an error and the upgrade fails.

Cloudera Bug: OPSAPS-26436

HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed in HBase-related MapReduce jobs.

Cloudera Bug: OPSAPS-33657

In the Replications page, the table is now sorted by ID as a default.

Cloudera Bug: OPSAPS-33212

Fixes an issue where running Hive Replication shows "Dry Run" in status message.

Cloudera Bug: OPSAPS-33206

When selecting a role to run HDFS Snapshot command, Cloudera Manager now selects a non-decommissioned host in Active status. Also, hosts in maintenance mode have a lower priority than the ones in active state.

Cloudera Bug: OPSAPS-33144

When enabling HDFS-HA, if the NameNode directories are empty, Cloudera Manager reports this as an error. In lower versions, it returned a message saying the failure is expected. Cloudera Manager now shows the correct message when performing HA.

Cloudera Bug: OPSAPS-30777

When you upgrade to version 5.5.6 of Cloudera Manager, the client configuration for all services is marked stale. From the Cluster menu, select Deploy Client Configuration to redeploy the client configuration.

Cloudera Bug: OPSAPS-36234

In some cases, provisioning of a cluster may fail at the start of the process. This does not happen in all cases and is mainly noticed on RHEL 6 and especially when some hosts are reporting bad health.

Releases affected: 5.5.0-5.5.3, 5.6.0-5.6.1, 5.7.0

Releases containing the fix: 5.5.4, 5.7.1

For releases containing the fix, parcel activation and first run command now completes as expected, even when some hosts report bad health.

This issue is fixed in Cloudera Manager 5.5.4 and 5.7.1 and higher.

Cloudera bug: OPSAPS-33564

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Cloudera Bug: OPSAPS-33094

When Sentry Sync is enabled, new Hive tables failed to replicate. Replication now occurs as expected.

Cloudera Bug: OPSAPS-33065

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Cloudera Bug: OPSAPS-31795

• If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
• If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:

  1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
  2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Cloudera Bug: OPSAPS-33088

In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).

Cloudera Bug: OPSAPS-33035

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Cloudera Bug: OPSAPS-33006

When upgrading to Cloudera Manager 5.5.2, customers who have non-read-only roles configured through LDAP, and have not explicitly set Cloudera Manager local roles, may lose their Cloudera Manager privileges set by LDAP.

Releases affected: Cloudera Manager 5.5.2

Severity: High

Because of Tomcat restrictions, the Oozie and HttpFS keystore passwords were sent as clear text on the machines running the services. They are now hidden.

Cloudera Bug: OPSAPS-25522

An attacker could set a malformed string in the Parcel Remote URLs list in the database and trigger the attack when a user accesses the Administration Settings page. This attack is now prevented.

Cloudera Bug: OPSAPS-30590

In Cloudera Manager 5.5.0, running a Flume start/stop service command would succeed, but display an empty popup. This is now fixed.

Cloudera Bug: OPSAPS-31075

In Cloudera Manager 5.5, certain commands did not show links to stderr or stdout in the Cloudera Manager UI even if they were executed recently. These could still be found in /var/run/cloudera-scm-agent/process/ on that host. In Cloudera Manager 5.5.2 stderr and stdout should appear as they did before.

Note that links to stderr and stdout for commands may disappear if another command is run on that role. This is expected. The logs can still be found in /var/run/cloudera-scm-agent/process/ on that host.

Cloudera Bug: OPSAPS-30671

Multiple updates to the Hive NameNode location could cause Hive Metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Bug: OPSAPS-30155

Scheduled diagnostic bundles did not include recent role logs. Diagnostic bundles collected manually (not scheduled) worked as expected. Now, scheduled diagnostic bundles include the latest NameNode logs.

Cloudera Bug: OPSAPS-30787

Large Kafka clusters would not start when Cloudera Manager-generated broker IDs exceeded the value set by reserved.broker.max.id. The default value of broker.id.generation.enable has now been set to false to disable the reserved.broker.max.id configuration property and avoid collisions.

Cloudera Bug: OPSAPS-31128

Cloudera Manager does not propagate HBase coprocessors to the gateway nodes. As a result, tools that depend on the HBase security subsystem, such as the loadIncrementalHFiles tool, do not use security features, even in secure environments.

Cloudera Bug: OPSAPS-28196

<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property> 

The HDFS nameservices API returned incorrect active/standby status information for HA roles. API calls made about roles that were active might return standby status and roles that were in standby status might return active status. Information about host statuses is now accurate.

Cloudera Bug: OPSAPS-29337

An issue with HiveServer2 missing its principal and keytab when Hive is load-balanced has been fixed.

Cloudera Bug: OPSAPS-29881

Cloudera Manager now displays a more descriptive error message when it skips the "Start" command because all roles are started or decommissioned or on a decommissioned host.

Cloudera Bug: OPSAPS-25549

Issue fixed with loading the replication page when a previous replication command fails without launching a MapReduce job.

Cloudera Bug: OPSAPS-28789

Cloudera Bug: OPSAPS-31181

Fixes an issue that led to YARN jobs failing after migration from unsecure to secure mode.

Cloudera Bug: OPSAPS-28378

The REST API for retrieving data from a live Spark UI or from the Spark History Server has been fixed.

Cloudera Bug: OPSAPS-30919

Before this fix, the only way to run the DataNode on unprivileged ports (port number > 1024) in a Kerberized cluster with DataNode Data Transfer Protection enabled, was to use single-user mode. Now this configuration works for both regular and single-user mode installs.

Both Hadoop SSL and DataNode Data Transfer Protection are still required for unprivileged DataNode ports to work in a Kerberized cluster. This configuration is supported only in CDH 5.2 and higher.

Cloudera Bug: OPSAPS-30819

All configurations other than the three listed result in Cloudera Manager displaying a validation error.

Cloudera Bug: OPSAPS-31266

Passwords in environment variables for CSDs are now redacted.

Cloudera Bug: OPSAPS-29915

The Apache Commons Collections library has been upgraded to 3.2.2 to fix a critical security vulnerability.

Cloudera Bug: OPSAPS-30428

With the addition of the JVM parameter, \-Dcom.cloudera.api.redaction=true, sensitive configuration values are redacted from the API.

Cloudera Bug: OPSAPS-26677

When API redaction is turned on using the JVM argument -Dcom.cloudera.api.redaction=true, it also redacts the user's pwHash and pwSalt values. Passwords for Cloudera Manager Peers are also redacted.

Cloudera Bug: OPSAPS-31194

Oozie's Java keystore and truststore passwords are no longer sent in clear text on the command line.

Cloudera Bug: OPSAPS-25523

Cloudera Bug: OPSAPS-29750

Java detection in the "Components" view for a host was fixed to account for Java versions installed using symlinks in /usr/java (such as /usr/java/default). A similar fix was made to the host inspector's Java detection logic.

Cloudera Bug: OPSAPS-31105

If the Host Monitor is down, the service details page will still be able to present non-host related health status.

Cloudera Bug: OPSAPS-30337

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Setting the HBase WAL provider to the default using Cloudera manager erroneously sets the value of hbase.wal.provider to default, when it should be set to defaultProvider. This causes the RegionServer process to fail to start.

Cloudera Bug: OPSAPS-29598

<property>
  <name>hbase.wal.provider</name>
  <value>defaultProvider</value>
</property> 

The file path format used in sequence file `ing was incorrect. In replications involving a large number of files and when the Delete Policy for the replication is set to Delete to trash or Delete Permanently, distcp uses the local file system to save the intermediate result of sequence file sorting. An incorrect path format causes access permission failure.

Cloudera Bug: OPSAPS-28859

Hive replication throws an out-of-memory exception when exporting a table with a large number of partitions.

Cloudera Bug: OPSAPS-29598

When configuring an HBase WAL provider with the "HBase Default" option, Cloudera Manager emits an incorrect value into hbase-site.xml and HBase reports an error.

Cloudera Bug: OPSAPS-29598

When a replication is attempted between secure and insecure clusters, the replication reports an error and fails silently.

Cloudera Bug: OPSAPS-28380

A dialog box that shows a Java exception displays in the Replication Schedules page after a failed replication and the page is inaccessible.

Cloudera Bug: OPSAPS-28465

In previous versions, this resulted in problems during replication because '/' was treated as an URL path.

Cloudera Bug: OPSAPS-26138

Replications fail when converting a snapshot path to a regular path when the grandparent of the source directory is snapshottable.

Cloudera Bug: OPSAPS-27232

Snapshots that take longer than 30 minutes failed because the Kerberos tickets for the snapshots expired too soon . The renewal and lifetime limits have been replaced with the system default lifetime and renewal limits, instead of 30 minutes.

Cloudera Bug: OPSAPS-28189

The schedule configuration is not validated when it is created, which causes errors during replication.

Cloudera Bug: OPSAPS-11047

The replication ID has been added to the schedule creation, update, and deletion audit events.

Cloudera Bug: OPSAPS-11534

HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.

Cloudera Bug: OPSAPS-28858

File permissions of the database directory that maps to a Hive database are not preserved.

Cloudera Bug: OPSAPS-24742

An IllegalStateException is reported in the History and Rollback page after changing host configuration.

Cloudera Bug: OPSAPS-28795

To conform to security best practices, the impala user should not be in the hdfs group.

Cloudera Bug: OPSAPS-28129

DataNode refresh failed on Kerberized clusters.

Cloudera Bug: OPSAPS-27068

A topology map is created for the services HDFS, YARN, and MapReduce. In releases earlier than 5.5.0, hosts with only gateway roles for these services were also added to the topology map. This might erroneously mark many configurations as stale, requiring restarts or refreshes to resolve the staleness.

Cloudera Bug: OPSAPS-24109

Previously, attempting to set the listening_hostname property in the Agent config.ini file (which is not normally necessary) changed the Agent's host ID to use this hostname, instead of the normal value.

Cloudera Bug: OPSAPS-27991

The component list for a host is not affected by a custom JAVA_HOME setting.

Cloudera Bug: OPSAPS-19290

A number of fixes have been made to improve Service Monitor and Host Monitor performance, particularly problems manifesting as large, regular garbage-collection pauses, on large, busy clusters.

Cloudera Bug: OPSAPS-26703

Client configuration deployment fails to locate Java in the custom JAVA_HOME environment variable, if that is specified via host configuration.

Cloudera Bug: OPSAPS-27048

The Job History Server fails to delete old logs from HDFS on secure clusters, with the error "Failed to specify server's Kerberos principal name."

Cloudera Bug: OPSAPS-30157

The DataNode process is incorrectly monitored on Kerberized clusters.

Cloudera Bug: OPSAPS-28676

On Kerberized clusters, Cloudera Manager might periodically report monitoring failures due to authentication errors when attempting to communicate with various role web servers to collect metrics. This is due to synchronization issues between the Agent's calls to kinit and attempts to perform Kerberos authentication with the role web servers. This has been fixed by adding logic to retry requests for metrics in the Agent a number of times on authentication failures. These retries will be logged but should not result in health failures and alerts.

Cloudera Bug: OPSAPS-28469

Rebooting a host can causes the client configurations for gateway roles on that host to be marked as stale even though they are up to date.

Cloudera Bug: OPSAPS-28568

Rolling restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.

Cloudera Bug: OPSAPS-28353

JAVA_HOME is set to Java 1.6 if installed, even if version 1.8 is also installed.

Cloudera Bug: OPSAPS-28888

Previously a missing parcel was logged only in the Agent log. The Cloudera Manager Admin Console now indicates that a required parcel is missing when starting a role or deploying client configurations.

Cloudera Bug: OPSAPS-25589

The deploy client configuration timeout value was set to according to the number of hosts. This caused a problem when there are large number of hosts. The tasks to deploy client configurations are run concurrently so there was no need to wait that long. The timeout value was changed to a fixed value.

Cloudera Bug: OPSAPS-29464

HBase IPC metrics were not collected on CDH 5.4 and higher HBase due to a metric name change.

Cloudera Bug: OPSAPS-28171

An Oracle Enterprise Linux 6.x update to its python-libs unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.

Cloudera Bug: OPSAPS-28193

The ZooKeeper jute.maxbuffer property was emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.

Cloudera Bug: OPSAPS-28244

-Xms is set equal to -Xmx for all Hive clients which causes the Java runtime to reserve -Xms memory even if the client does not need it. This particularly affects machines with low resources. The -Xms setting has been removed so that the Java runtime does not assign -Xmx memory at the start. Instead, it starts with a much lower Java heap and increases it if needed.

Cloudera Bug: OPSAPS-28972

The Kafka service was initially configured with 0 memory because the autoconfiguration rules did not respect specified units. This is now correctly set to a value between 50 and 1024 MiB depending on available memory on the host. This issue affected any third-party CSD-based services using memory parameters with units other than "bytes".

Cloudera Bug: OPSAPS-27869

Topics with a period (".") in the name would not show metrics in Cloudera Manager.

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) Modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) Modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data-handling policies.

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to time out and fail. In addition, the Cloudera Manager Server uses 100% of the CPU and the UI hangs.

Cloudera Bug: OPSAPS-29685

Charts built on queries in the form <select metric> for service or role metrics might not filter entities properly and might report hitting the stream limit.

Cloudera Bug: OPSAPS-28716

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

By default, hive.compute.query.using.stats was enabled. This produced incorrect results for some queries that used stats only. This setting is now disabled by default.

Cloudera Bug: OPSAPS-32332

After Kerberos security is enabled on a cluster or Always Use Container Executor is selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of Container Executor.

Cloudera Bug: OPSAPS-32050

Diagnostic bundles collected manually included all expected logs, but bundles collected on a schedule did not include role logs. Scheduled diagnostic bundles now include all expected logs.

Cloudera Bug: OPSAPS-30787

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

An attacker could set a malformed string in parameters that consist of a list of strings and trigger the attack when a user accessed the corresponding configuration page in classic layout mode. This attack is now prevented.

Cloudera Bug: OPSAPS-30590

An attacker could set a malformed host template name in the backend database and trigger the attack when a user applies the host template. This attack is now prevented.

Cloudera Bug: OPSAPS-30443

Snapshot policies with names containing special characters such as #, $, ?, or % were not handled as expected. These snapshot policies were not consistently found because the special characters in their names were parsed incorrectly. Snapshot policies with names containing special characters are now handled as expected.

Cloudera Bug: OPSAPS-30426

When the ZooKeeper root directory is changed, the corresponding value in ZK_QUORUM that is passed to Kafka MirrorMaker processes is not updated. In that case, MirrorMaker fails to find messages. Changes to ZooKeeper root are now propagated properly, resulting in MirrorMaker finding messages.

Cloudera Bug: OPSAPS-30197

Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Bug: OPSAPS-30155

The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.

Cloudera Bug: OPSAPS-30058

Kafka MirrorMaker provided no defaults for Destination Broker List, Topic Whitelist, and Topic Blacklist, and no way to set these values in the wizard. These values can now be set in the wizard when adding a new instance.

Cloudera Bug: OPSAPS-29415

BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.

The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.

Cloudera Bug: OPSAPS-30387

JAVA_HOME is set to Java 1.6 if installed even if 1.8 is also installed.

Cloudera Bug: OPSAPS-28888

HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.

Cloudera Bug: OPSAPS-28858

When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to timeout and fail. In addition, the Cloudera Manager Server uses too much CPU (100%) and the UI hangs.

Cloudera Bug: OPSAPS-29685

Rebooting a host can cause the client configurations for gateway roles on that host to be marked as stale even though they are actually up to date.

Cloudera Bug: OPSAPS-28568

Fixes the operating system detection logic on updated Oracle Enterprise Linux 6 systems. An Oracle update to its python-libs logic unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.

Cloudera Bug: OPSAPS-28193

The ZooKeeper jute.maxbuffer property is emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.

Cloudera Bug: OPSAPS-28244

Using the "create a user" API call, a user who normally could not create users is able to create a read-only user account. The API call now respects the permissions.

Cloudera Bug: OPSAPS-27539

Beginning with Cloudera Manager 5.4.6, the Spark Authentication configuration property is correctly propagated to client configurations.

Cloudera Bug: OPSAPS-27912

Attempting to set the listening_hostname property in the Agent's config.ini file (which is not normally necessary) changes the Agent's host ID to use this hostname, instead of the normal value. The host ID is now left unchanged, as expected.

Cloudera Bug: OPSAPS-27991

On Kerberized clusters, Cloudera Manager monitors the wrong process as the DataNode. That has been fixed. For customers using Kerberized HDFS, Cloudera Manager reports incorrect statistics in some areas (memory, file descriptor, CPU usage, I/O, and networking, but not HDFS statistics). There is a small impact to health monitoring because of this issue. For customers using the stacks collection feature on a Kerberized DataNode and where jstack collection was enabled, this issue kills the parent jsvc process of the DataNode and leaves the DataNode up, but causes Cloudera Manager to report the process as dead.

Cloudera Bug: OPSAPS-28677

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

In Impala queries, if you select Cancel for any query, you see a small "internal error" at the top of the query list. This occurs because an attempt to connect via TLS/SSL is performed even though Impala does not have TLS/SSL enabled.

Cloudera Bug: OPSAPS-27146;

Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services, even if no Cloudera Management Service truststore is in use.

Cloudera Bug: OPSAPS-27473;

Cloudera Manager now correctly aggregates Work attributes such as YARN applications or Impala query duration.

Cloudera Bug: OPSAPS-26493

Cloudera Manager now creates the correct configuration required to create a collection.

Cloudera Bug: OPSAPS-22975

When performing a rolling upgrade from a version of CDH lower than 5.4 to CDH 5.4, and the HDFS rolling upgrade is finalized, Cloudera Manager incorrectly reports the status as not finalized. This is an error in reporting only and does not affect HDFS functionality.

Cloudera Bug: OPSAPS-27379

Validation errors and warnings were only visible when accessing the individual instance-level configuration pages. This has been fixed.

Cloudera Bug: OPSAPS-27066

You can now start the Add Role Instances wizard by searching for "<service name> Add Role" in the Cloudera Manager Admin Console search box.

Cloudera Bug: OPSAPS-27604

In previous versions, this resulted in problems during replication because '/' was treated as an URL path.

Cloudera Bug: OPSAPS-26138

The properties were added and are now being written to the hbase-site.xcml file.

Cloudera Bug: OPSAPS-27139

The Solr custom Kerberos principal is now initialized properly during Solr server startup.

Cloudera Bug: OPSAPS-27320

Spark Standalone does not work in clusters with Kerberos authentication. Spark on YARN supports Kerberos and is recommended over Spark Standalone. Either disable Kerberos or remove Spark Standalone before upgrading.

Cloudera Bug: OPSAPS-26151

The Reports link in HA mode would result in a 404 error.

Cloudera Bug: OPSAPS-27089

Deploying client configuration would sometimes fail because Cloudera Manager could not locate JAVA_HOME. This is not a valid failure because deploying client configuration does not require Java.

Cloudera Bug: OPSAPS-27650

Previously, core-site.xml was only added to Sentry's configuration folder, but not the classpath.

Cloudera Bug: OPSAPS-26617

Performance improvements that require less memory were made for the creation of bundles.

Cloudera Bug: OPSAPS-27405

You can now use the NameNode Block State Change Logging Threshold property to suppress INFO-level block state change log messages from the NameNode.

Cloudera Bug: OPSAPS-26437

The way the health of the host's NTP daemon is determined was changed recently, which caused some cases where the related health test (host clock offset) failed without a warning. Information on this change was added to Cloudera Manager.

Cloudera Bug: OPSAPS-27278

The THP algorithm was broken in certain variants of RHEL 6.2 and above. Cloudera Manager now displays a warning if THP is enabled for all RHEL 6 and above.

Cloudera Bug: OPSAPS-27035

If the byte_limit (max-size) specified by Cloudera Manager during log retrieval was smaller than the last log4j event to be collected, the Agent skipped the complete event and return nothing. This behavior was modified so pick the first N bytes (N = max-size) are picked from the log4j event and return a partial log4j event.

Cloudera Bug: OPSAPS-26406

Cloudera Manager Agents no longer enter an infinite loop during log retrieval.

Cloudera Bug: OPSAPS-26404

The default timeout for displaying log entries (../logs/search and ../logs/context) has been increased to 60 seconds.

Cloudera Bug: OPSAPS-27358

A cross-site scripting vulnerability was discovered and fixed in Cloudera Manager.

Cloudera Bug: OPSAPS-27496

The ZooKeeper session timeout property yarn.resourcemanager.zk-timeout-ms was added, and its default value is 1 minute.

Cloudera Bug: OPSAPS-20852

Cloudera Manager would previously display a validation error when the value was greater than 60 days.

Cloudera Bug: OPSAPS-27182

This fix added a warning about removing HDFS symlinks when upgrading from CDH 4 to CDH 5.

Cloudera Bug: OPSAPS-26665

The DataNodeRefreshCommand now sets SCM_KERBEROS_PRINCIPAL in the environment of the command process, which causes hdfs.sh to do a kinit. Before this change, a manual kinit was required.

Cloudera Bug: OPSAPS-27068

Any new path prefixes added in the NameNode configuration are not correctly enforced by Sentry. The ACLs are initially set correctly, however they would be reset to the old default after some time interval.

Cloudera Bug: OPSAPS-26141

<property>
<name>sentry.hdfs.integration.path.prefixes</name>
<value>/user/hive/warehouse, ADDITIONAL_DATA_PATHS</value>
</property>

The health tests Details page threw a NullPointerException because it was referring to a deprecated metric name.

Cloudera Bug: OPSAPS-27065

Without this check, Service Monitor would fail due to too many ZooKeeper connection messages leaking into the Service Monitor log. This resulted in resource and allocation pressures on the Service Monitor.

Cloudera Bug: OPSAPS-27318

Retaining too many unnecessary references to HTable was using up too much memory, especially when working with a large number of tables.

Cloudera Bug: OPSAPS-27319

Cloudera Manager was using the wrong authentication package and picking up the wrong configuration properties for Sqoop 2 authentication with Kerberos.

Cloudera Bug: OPSAPS-27297

The Solr server would not start due to insufficient space for the shared memory file.

Cloudera Bug: OPSAPS-27158

Enabling the HBase canary on a secure cluster would fail. The new properties now let Cloudera Manager specify the canary's Kerberos principal and keytab in the hbase-site.xml deployed at the RegionServers.

Cloudera Bug: OPSAPS-26468

For Impala queries that returned very few rows, Cloudera Manager could fail to report information such as HDFS I/O metrics on the Impala Query Monitoring and Query Detail pages. The discrepancy was typically relatively small because those queries often did very little work.

Cloudera Bug: OPSAPS-26531, OPSAPS-26533

Fixed a performance issue where HDFS configuration pages responded slowly.

Cloudera Bug: OPSAPS-27171

The word “Concerning” was misspelled in many metrics reference pages.

Cloudera Bug: OPSAPS-26957

The log4j appender changed from RollingFileAppender to RollingFileWithoutDeleteAppender.

Cloudera Bug: OPSAPS-26978

The parameters are available in the Cloudera Manager Admin Console, but the configurations are not emitted in the core-site.xml file.

Cloudera bug: OPSAPS-26816

The Solr gateway role does not have a log4j.properties file.

Cloudera bug: OPSAPS-26858

This resulted in NPE being reported in Cloudera Manager logs when accessing active and recent command operations.

Cloudera bug: OPSAPS-26864

When moused over, the icons change to a hand indicating that they are active. However, users in the read-only role cannot act on changed configurations.

Cloudera bug: OPSAPS-26897

Observed when setting the Maximum Number of Attempts for MapReduce Jobs and then setting ApplicationMaster Maximum Attempts, which also sets yarn.resourcemanager.am.max-retries.

Cloudera bug: OPSAPS-26936

Instead of cached bytes it reported the value of short circuit bytes.

Cloudera bug: OPSAPS-26938

A variety of possible cross-site scripting vulnerabilities have been fixed.

Cloudera bugs: OPSAPS-26765, OPSAPS-26798, OPSAPS-26835, OPSAPS-26836, OPSAPS-26878, OPSAPS-26880, OPSAPS-25959

On pages where multiple rows display, the drop-down menu where users select the number of rows to display on a page now appears at the bottom of all lists.

Cloudera bug: OPSAPS-26956

The Max Shuffle Connections property now allows a value of 0, which indicates no limit on the number of connections.

Cloudera bug: OPSAPS-26953

A bug was fixed that prevented upgrades from CDH 4.7.1 to CDH 5.4.3.

Cloudera bug: OPSAPS-27119

On the Parcels page, the first cluster in the list is now automatically selected by default.

Cloudera bug: OPSAPS-27045

All password input fields in Cloudera Manager do not allow auto complete.

Cloudera bug: OPSAPS-26927

It is no longer possible to delete the values of the Path to TLS Keystore File and Keystore Password properties and save them while the Use TLS Encryption for Admin Console property is enabled.

Cloudera bug: OPSAPS-26888

Some host configuration properties no longer incorrectly state that an Agent restart is required.

Cloudera bug: OPSAPS-26808

If there is a failure validating the NameNode or JournalNode data directories while migrating roles, Cloudera Manager now displays detailed error information, including error codes.

Cloudera bug: OPSAPS-26803

To prevent timeouts due to slow disks or networks, a new Oozie property, Oozie Upload ShareLib Command Timeout, has been added to set the timeout.

Cloudera bug: OPSAPS-26782

To access these pages in Cloudera Manager, select Cluster > Cluster Name > Configuration.

Cloudera bug: OPSAPS-26730

The names of some Health Tests have changed to use consistent capitalization.

Cloudera bug: OPSAPS-26690

Impala queries that report per-node peak memory were incorrect when the value is zero.

Cloudera bug: OPSAPS-26721

The description of the Enable Hive on Spark property has been updated to remind the user that the Enable Spark on YARN property must also be selected.

Cloudera bug: OPSAPS-26560

Setting a value for the Flume Role Triggers property no longer causes validation warnings.

Cloudera bug: OPSAPS-26743

Restarts of the Service Monitor no longer leave extraneous copies of files that unnecessarily take up disk space.

Cloudera bug: OPSAPS-26660

Cloudera bug: OPSAPS-26657

Cloudera Manager no longer displays HTTP 503 errors during distribution of the CDH parcel to a large cluster.

Cloudera bug: OPSAPS-26627

Diagnostic bundles sometimes reported SELinux as disabled when it was enabled. The bundle now reports the correct status.

Cloudera bug: OPSAPS-26608

On the Cloudera Manager page that displays Hue configuration issues, the links now take the user to the correct page where the user can correct the configuration.

Cloudera bug: OPSAPS-26600

The month and date have been added before the time value in logs displayed in Cloudera Manager.

Cloudera bug: OPSAPS-26599

When you disable the Hive Metastore health test by deselecting the Hive Metastore Canary Health property, the Hive Canary is now also disabled.

Cloudera bug: OPSAPS-26588

If TLS 1.0 is disabled, the Agent now tries to negotiate the connection using TLS 1.1 or TLS 1.2.

Cloudera bug: OPSAPS-26584

The details page now displays more quickly when a user clicks on the Stale Configuration icon.

Cloudera bug: OPSAPS-26537

When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.

Cloudera Bug: OPSAPS-26529;

Searching the Cloudera Manager Server logs now works as expected.

Cloudera bug: OPSAPS-26470

If the TLS configuration has errors, Cloudera Manager now falls back to non-TLS operation when restarting.

Cloudera bug: OPSAPS-27104

New headers have been added to Cloudera Manager HTTP response headers to protect against vulnerabilities.

Cloudera bug: OPSAPS-25847

The Enable Explain Logging (hive.log.explain.output) property was removed in an earlier release and is now included in the configurations.

Cloudera bug: OPSAPS-25857

A 150 second timeout was removed from the Update Hive Metastore NameNodes command to prevent timeouts on deployments that use Hive extensively.

Cloudera bug: OPSAPS-26056

Cloudera Manager now correctly detects the Kafka version for parcel installation.

Cloudera bug: OPSAPS-26071

In a condition where an Agent restart was required due to a Hive configuration change and a subsequent disk failure, the Agent now restarts as expected.

Cloudera bug: OPSAPS-26172

Some Cloudera Manager error messages referred to Cloudera Manager as “CM”. These messages now use the full name “Cloudera Manager”.

Cloudera bug: OPSAPS-26191

Retrieval of Oozie metrics sometimes fails due to timeout issues which are now resolved.

Cloudera bug: OPSAPS-26242

When a NameNode role migration fails due to the destination role data directories being non-empty or having incorrect permissions, you no longer need to complete the migration manually. An error message displays and you can now correct the problem and re-run the command.

Cloudera bug: OPSAPS-26265

Several configuration properties for HBase have been renamed from AWS S3 to Amazon S3, in order to use the correct product name.

Cloudera bug: OPSAPS-23343

The NodeManager Recovery Directory now displays on the NodeManager host resources page.

Cloudera bug: OPSAPS-23916

The Host Inspector page now displays a link to a page that displays detailed results.

Cloudera bug: OPSAPS-24642

The Cloudera Manager Agent initialization script now checks correctly for running processes.

Cloudera bug: OPSAPS-24941

The default value for the Hue cherrypy_server_threads property has been changed from 10 to 50.

Cloudera bug: OPSAPS-25030

The Express Installation Wizard Package installation page no longer allows the user to proceed without selecting a CDH version.

Cloudera bug: OPSAPS-25722

The Host Component page now displays the package version for the KMS Trustee Key Provider.

Cloudera bug: OPSAPS-25692

The Installation Wizard hangs during a CDH package installation and the status displays as “Acquiring Installation Lock”. A bug was fixed where the Agent incorrectly failed to release a lock until the Agent is restarted.

Cloudera bug: OPSAPS-22894

NodeManager did not start because Cloudera Manager did not correctly validate memory and CPU settings against their minimum values.

Cloudera bug: OPSAPS-17157

Cloudera bug: OPSAPS-21743

Sqoop 2 appears to lose data when upgrading to CDH 5.4. This is due to Cloudera Manager erroneously configuring the Derby path with "repositoy" instead of "repository". The correct path name is now used.

Cloudera Bug: OPSAPS-26649.

When searching or retrieving large log files using the Agent, the Agent no longer consumes near 100% CPU until it is restarted. This can also happen then the collect host statistics command is issued.

Cloudera bug: OPSAPS-25854

Cloudera Manager 5.4.1 offers simplified TLS/SSL configuration for Solr. This process uses a solrctl command to configure the urlSchemeSolr cluster property. The solrctl command produces the same results as the Solr REST API call /solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https. For example, the call might appear as: https://example.com:8983/solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https

Cloudera Manager automatically executes this command during Solr service startup. If this command fails, the Solr service startup now reports an error.

Cloudera Bug: OPSAPS-26563

For example, when you access the Automatically Downloaded Parcels property on the following page: Home > Administration > Settings and remove the default CDH value, the following error message displays: "Could not find config to delete with template name: parcel_autodownload_products". This error has been fixed.

Cloudera bug: OPSAPS-26591

Replication used for backup and disaster recovery does not correctly set the MapReduce Java options, and you cannot configure them. In release 5.4.1, Cloudera Manager uses the MapReduce gateway configuration to determine the Java options for replication jobs. Replication job settings cannot be configured independently of MapReduce gateway configuration. See Backup and disaster recovery replication does not set MapReduce Java options.

In CDH 5.4.0, Oozie added a new HA plugin that allows all of the Oozie servers to synchronize their Job ID assignments and prevent collisions. Cloudera Manager 5.4.0 did not configure this new plugin; Cloudera Manager 5.4.1 now does so.

Cloudera Bug: OPSAPS-25778

The hbase_bytes_read_per_second and hdfs_bytes_read_per_second Impala query properties have been renamed to hbase_scanner_average_bytes_read_per_second and hdfs_scanner_average_bytes_read_per_second to more accurately reflect that these properties return the average throughput of the query's HBase and HDFS scanner threads, respectively. The previous names and descriptions indicated that these properties were the query's total HBase and HDFS throughput, which was not accurate.

Cloudera Bug: OPSAPS-26140

In a secure cluster, if you use a wildcard for the NameNode's RPC or HTTP bind address, the NameNode fails to start. For example, dfs.namenode.http-address must be a real, routable address and port, not 0.0.0.0.port. In Cloudera Manager, the "Bind NameNode to Wildcard Address" property must not be enabled. This should affect you only if you are running a secure cluster and your NameNode needs to bind to multiple local addresses.

Cloudera Bug: CDH-9991, OPSAPS-14577

Bug: HDFS-4448

Workaround: Disable the "Bind NameNode to Wildcard Address" property found on the Configuration tab for the NameNode role group.

The Express and Add Service wizards now allow users to define multiple Hue service roles. If Kerberos is enabled, a co-located KT Renewer role is automatically added for each Hue server row.

Cloudera Bug: OPSAPS-21639

When you add a second Hue role to a cluster, the error message "Failed parameter validation" displays.

Cloudera Bug: OPSAPS-25336

Various cross-site scripting vulnerabilities were fixed.

Cloudera Bug: OPSAPS-25809

Cloudera Manager 5.4.1 fixes an issue in which saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.

Cloudera Bug: OPSAPS-26340

2015-03-30 17:15:45,077 WARN ActionablesProvider-0:com.cloudera.cmf.service.ServiceModelValidatorImpl:
Parameter validation failed java.lang.IllegalArgumentException: There is more than one role with roletype: HUE_SERVER [...] {

Cloudera Bug: OPSAPS-25336

When a command is unavailable, the error messages are now more descriptive.

Cloudera Bug: OPSAPS-26384

If the Agent fails to deploy a new client configuration, the client log file is no longer deleted by the agent. The Agent saves the log file and appends new log entries to the saved log file.

Cloudera Bug: OPSAPS-26148

Before using the Migrate Roles wizard to migrate HDFS roles, you must ensure that the following HDFS roles are running as described:

• A majority of the JournalNodes in the JournalNode quorum must be running. With a quorum size of three JournalNodes, for example, at least two JournalNodes must be running. The JournalNode on the source host need not be running, as long as a majority of all JournalNodes are running.
• When migrating a NameNode and co-located Failover Controller, the other Failover Controller (that is, the one that is not on the source host) must be running. This is true whether or not a co-located JournalNode is being migrated as well, in addition to the NameNode and Failover Controller.
• When migrating a JournalNode by itself, at least one NameNode / Failover Controller co-located pair must be running.

Cloudera Bug: OPSAPS-25870, OPSAPS-25878

Migration of HDFS NameNode, JournalNode, and Failover Controller roles through the Migrate Roles wizard is only supported when HDFS automatic failover is enabled. Otherwise, it causes a state in which both NameNodes are in standby mode.

Cloudera Bug: OPSAPS-25806, OPSAPS-25822

Cloudera Bug: OPSAPS-25945

Workaround: None.

In single user mode, all services are using the same user to proxy other users in an unsecure cluster, which is the user that is running all the CDH processes on the cluster. To restrict that user so that it can proxy other users from only certain hosts and only certain groups, configure the YARN Proxy User Hosts and YARN Proxy User Groups properties in the HDFS service. The setting here supersedes all other proxy user configurations in single user mode.

Cloudera Bug: OPSAPS-25518

Clicking the icon with an "i" in a blue circle next to a parcel shows the release notes.

Cloudera Bug: OPSAPS-25481

When enabling TLS/SSL for Impala web servers (webserver_certificate_file), Cloudera Manager does not emit use_ssl in the cloudera-monitor.properties file for the Catalog Server. Other services (Impala Daemon and StateStore) are configured correctly. This causes monitoring to fail for the Catalog Server even though it is working as expected.

Cloudera Bug: OPSAPS-25469

To improve performance, the default value for the hive.exec.reducers.bytes.per.reducer property has been changed from 1 GB to 64 MB. If this value has been customized, the customized value is retained during an upgrade. If the old default of 1 GB was not changed, the value will be updated to 64MB during an upgrade.

Cloudera Bug: OPSAPS-24883

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

After Kerberos security is enabled on a cluster or Always Use Container Executor is selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of Container Executor.

Cloudera Bug: OPSAPS-32050

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.

Cloudera Bug: OPSAPS-30058

BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.

The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.

Cloudera Bug: OPSAPS-30387

Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Bug: OPSAPS-30155

Rolling Restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.

Cloudera Bug: OPSAPS-28353

When ConfigContext is initialized to both cluster and host, it defaults to cluster. If the context is a host, this can cause the ConfigTableUtil class to throw an IllegalStateException.

Cloudera Bug: OPSAPS-28795

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Instead of cached bytes, it reported the value of short-circuit bytes.

Cloudera Bug: OPSAPS-26938

In Impala queries, if you select Cancel for any query, you get a small "internal error" at the top of the query list. This is because an attempt to connect via TLS/SSL is done even though Impala does not have TLS/SSL enabled.

Cloudera Bug: OPSAPS-27146

Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services even if no Cloudera Management Service truststore is in use.

Cloudera Bug: OPSAPS-27473

When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.

Cloudera Bug: OPSAPS-26529

When a cluster has been configured to enable Kerberos by clicking the Manage krb5.conf through Cloudera Manager button, Cloudera Manager writes out a krb5.conf file. If a user subsequently disables this feature by disabling the Manage krb5.conf through Cloudera Manager option and then restarting Cloudera Manager and the Agent, Cloudera Manager overwrites the existing krb5.conf file.

Cloudera Bug: OPSAPS-25282

An internal call to a servlet with a malformed logger name created information that could be used in a cross-site scripting attack.

Cloudera Bug: OPSAPS-26487

The graph Total Containers Running Across NodeManagers, which displays on the YARN status page, displayed incorrect high values.

Cloudera Bug: OPSAPS-26247

Saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.

Cloudera Bug: OPSAPS-26340

Cloudera Bug: OPSAPS-26178

To address a vulnerability identified by CVE-2014-0107, Xalan has been updated to version 2.7.2.

Cloudera Bug: OPSAPS-26408

When you set threshold values in various properties, you could not select Specify and then enter -1 to indicate "Any" or -2 to indicate "Never". You can now enter -1 or -2.

Cloudera Bug: OPSAPS-26066

Cloudera Bug: OPSAPS-26158

The default value of the hive.metastore.client.socket.timeout property has changed to 60 seconds.

Cloudera Bug: OPSAPS-25270

The property hadoop.ssl.enabled is deprecated. Cloudera Manager has been updated to use either dfs.http.policy or yarn.http.policy properties instead.

Cloudera Bug: OPSAPS-24985

Cloudera Manager no longer requires you to restart your cluster after changing the Service Monitor Client Config Overrides property for a service.

Cloudera Bug: OPSAPS-25272

After updating to a new release, Cloudera Manager replaces the specified cluster name with cluster. Cloudera Manager now uses the correct cluster name.

Cloudera Bug: OPSAPS-25279

A client configuration row in the database DDL did not set host_id, causing upgrade problems. Cloudera Manager now catches this condition before upgrading.

Cloudera Bug: OPSAPS-25321

The property hive.log.explain.output is known to create instability of Cloudera Manager Agents in some specific circumstances, especially when the hive queries generate extremely large EXPLAIN outputs. Therefore, the property has been hidden from the Cloudera Manager configuration screens. You can still configure the property through the use of advanced configuration snippets.

Cloudera Bug: OPSAPS-25852

In Cloudera Manager 5.x, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.

Workaround: After upgrading rest of the services, uninstall the old CDH packages, and then start the Spark service.

Cloudera Bug: OPSAPS-24005

Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.

Cloudera Bug: OPSAPS-24279

Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.

Cloudera Bug: OPSAPS-23872

Workaround: Disable Oozie HA and then re-enable HA again.

Cloudera Bug: OPSAPS-25945

Workaround: None.

The Review Changes page hangs due to the inability to handle the "File missing" scenario.

Cloudera Bug: OPSAPS-24872

A fix has been made to how Kerberos credential caching is handled by management services, resulting in a reduction in the number of Kerberos Ticket Granting Ticket (TGT) requests from the cluster to a KDC. This would have been noticed as "Bad Token" messages being seen in high volume in KDC logging and unnecessarily causing re-authentication by management services.

Cloudera Bug: OPSAPS-24800

Cloudera Manager is unable to run Accumulo when hostname command does not return FQDN of hosts.

Cloudera Bug: OPSAPS-24792

For CDH 5.3 and higher, Cloudera Manager will configure HiveServer2 to use the HDFS cache even when impersonation is on. For earlier CDH, there were bugs with the cache when impersonation was in use, so it is still disabled.

Cloudera Bug: OPSAPS-24751

If there are hosts in the cluster where the Cloudera Manager agent heartbeat is not working, then deploying client configurations does not work. Starting with Cloudera Manager 5.3.2, such hosts are ignored while deploying client configurations. When the issues with the host are fixed, Cloudera Manager will show those hosts as having stale client configurations, at which point you can redeploy them.

Cloudera Bug: OPSAPS-24748

The Cloudera Manager Health Test to monitor free space available for the Cloudera Manager Agent's process directory monitors space on the wrong filesystem. It should monitor the tmpfs that the Cloudera Manager Agent creates, but instead monitors the Cloudera Manager Agent working directory.

Cloudera Bug: OPSAPS-24733

Stopped ZooKeeper servers cannot be started from the Service or Instance page, but only from the Role page of the server using the start action for the role.

Cloudera Bug: OPSAPS-24725

Starting in Cloudera Manager 5.3, some or all Flume component data was missing from the Flume Metrics Details page.

Cloudera Bug: OPSAPS-24525

The help icon (question mark) on the Chart Builder page returns a 404 error.

Cloudera Bug: OPSAPS-24424

Running the wizard to import MapReduce configurations to YARN will now populate yarn.nodemanager.resource.cpu-vcores and yarn.nodemanager.resource.memory-mb correctly based on equivalent MapReduce configuration.

Cloudera Bug: OPSAPS-21540; KI added Cloudera Manager5.1.0

Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.

Cloudera Bug: OPSAPS-24279

Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.

Cloudera Bug: OPSAPS-24279

Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.

Cloudera Bug: OPSAPS-2387

Workaround: Disable Oozie HA and then re-enable HA again.

When configuring a gateway role on a host that already contains a role of the same type—for example, an HDFS gateway on a DataNode—the deploy client configuration command no longer fails after 60 seconds.

Cloudera Bug: OPSAPS-24426

Cloudera Bug: OPSAPS-24489

Cloudera Bug: OPSAPS-24377

When EMC Isilon storage is used, there is no DataNode, so you cannot set mapred_submit_replication to a number smaller than or equal to the number of DataNodes in the network. Cloudera Manager now does the following when setting mapred_submit_replication:

• If using HDFS, sets to a minimum of 1 and issues a warning when greater than the number of DataNodes
• If using Isilon, sets to 1 and does not check against the number of DataNodes

Cloudera Bug: OPSAPS-24391

Cloudera Bug: OPSAPS-24416

Cloudera Bug: OPSAPS-24074

Cloudera Bug: OPSAPS-21329

Cloudera Manager 5.3.0 supports any CDH release less than or equal to 5.3, even if the release did not exist when Cloudera Manager 5.3.0 was released. For packages, you cannot currently use the upgrade wizard to upgrade to such a release. This release adds a custom CDH field for the package case, where you can type in a version that did not exist at the time of the Cloudera Manager release.

Cloudera Bug: OPSAPS-24355

The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.

In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.

The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.

The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.

Cloudera Bug: OPSAPS-24442, OPSAPS-24469

Cloudera Bug: OPSAPS-24080

Cloudera Bug: OPSAPS-24420

If source and destination clusters are in the same Kerberos realm, Cloudera Manager assumed that superuser of the destination is also the superuser on the source cluster. However, HDFS can be configured so that this is not the case.

Cloudera Bug: OPSAPS-24417

Setting the default umask in the HDFS configuration section to 002 in the new configuration layout displays an error:"Could not parse: Default Umask : Could not parse parameter 'dfs_umaskmode'. Was expecting an octal value with a leading 0. Input: 2", preventing the change from being submitted.

Cloudera Bug: OPSAPS-24340

Workaround: Submit the change using the classic configuration layout.

Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.

Workaround: After upgrading rest of the services, uninstall the old CDH packages, and then start the Spark service.

Cloudera Bug: OPSAPS-24005

Setting the default umask in the HDFS configuration section to 002 in the new configuration layout displays an error:"Could not parse: Default Umask : Could not parse parameter 'dfs_umaskmode'. Was expecting an octal value with a leading 0. Input: 2", preventing the change from being submitted.

Workaround: Submit the change using the classic configuration layout.

Cloudera Bug: OPSAPS-24340

The Enable Integrated Resource Management command for Impala (available from the Actions pull-down menu on the Impala service page) sets the Impala Daemon Memory Limit to an unusably small value. This can cause Impala queries to fail.

Workaround 1: Upgrade to Cloudera Manager 5.3.

Cloudera Bug: OPSAPS-24255

Rolling restart and upgrade of Oozie fails if there is only a single Oozie server. Cloudera Manager will show the error message "There is already a pending command on this role."

Workaround: If you have a single Oozie server, do a normal restart.

Cloudera Bug: OPSAPS-23954

In Cloudera Manager 5.3, it is now possible to restart a crashed process with the Start command and not just the Restart command.

Cloudera Bug: OPSAPS-23567

In Cloudera Manager 5.3, an explicit dependency has been added from the Agent package to the Daemons package so that upgrading Cloudera Manager 5.2.0 or later to Cloudera Manager 5.3 causes the agent to be upgraded as well. Previously, the Cloudera Manager installer always installed both packages, but this is now enforced at the package dependency level as well.

Cloudera Bug: OPSAPS-24079

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.

Cloudera Bug: TSB-60

The NameNode would not restart due to a blocked thread that was processing audit events.

Cloudera Bug: OPSAPS-26129

Instead of cached bytes, it reported the value of short-circuit bytes.

Cloudera Bug: OPSAPS-26938

Cloudera Bug: OPSAPS-26178

The version of Xalan used in Cloudera Manager has been upgraded to version 2.7.2 to address a possible vulnerability.

Cloudera Bug: CDH-27059

After upgrading CDH, the display name of the cluster no longer changes to “cluster”.

Cloudera Bug: OPSAPS-25279

Cloudera Manager was monitoring the disk space thresholds using the /var/run/cloudera-scm-agent directory. Cloudera Manager now monitors the correct directory: /var/run/cloudera-scm-agent/process.

Cloudera Bug: OPSAPS-24529

The default value in the Hive Service Monitor Client Config Overrides property for the hive.metastore.client.socket.timeout property is now 60.

Cloudera Bug: OPSAPS-24346

Changes made to client configuration overrides did not take effect until the service was restarted.

Cloudera Bug: OPSAPS-25194

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.

Cloudera Bug: OPSAPS-25390, TSB-48

The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.

The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.

Cloudera Bug: OPSAPS-24442, OPSAPS-24469

In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.

The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager in 5.2.0 and all earlier versions. Cloudera Manager 5.2.1 provides these changes for Cloudera Manager 5.2.0 deployments. All Cloudera Manager 5.2.0 users should upgrade to 5.2.1 as soon as possible. For more information, see the Cloudera Security Bulletin.

In Cloudera Manager 5.2.0 only, it was not possible to use the log4j advanced configuration snippet to override the default audit logging configuration when Navigator was not being used.

Cloudera Bug: OPSAPS-23864

A number of NameNode and DataNode charts show no data and a number of NameNode and DataNode health checks show unknown results. Metric collection for CDH 5.1 roles is unaffected.

Cloudera Bug: OPSAPS-23363

Workaround: None.

HTTP queries against the Reports Manager and Event Server Thrift server would earlier cause it to crash with out-of-memory exception.

Cloudera Bug: OPSAPS-23160

Cloudera Bug: OPSAPS-23680

This issue was observed in TLS/SSL-enabled clusters running CentOS 6.4 and 6.5, where the Cloudera Manager Agent failed when trying to communicate with CDH services. You can see the bug report here.

Cloudera Bug: OPSAPS-23324

Workaround: Upgrade to openssl-1.0.1e-16.el6_5.7.x86_64.

In the past, if you created a service, deployed its client configurations, and then deleted that service, the client configurations lived in the alternative database, with a possibly high priority, until cleaned up manually. Now, for a given "alternatives path" (for example /etc/hadoop/conf) if there exist both "live" client configurations (ones that would be pushed out with deploy client configurations for active services) and ones that have been "orphaned" client configurations (the service they correspond to has been deleted), the orphaned ones will be removed from the alternatives database. In other words, to trigger cleanup of client configurations associated with a deleted service you must create a service to replace it.

Cloudera Bug: OPSAPS-13336

The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.

Cloudera Bug: OPSAPS-21797

The Spark History Server does not start when managed by a Cloudera Manager 5.1 instance when Kerberos authentication is enabled.

Cloudera Bug: CDH-19867

Hive replication will fail when the source Cloudera Manager instance has TLS enabled, even though the required certificates have been added to the target Cloudera Manager's trust store.

Cloudera Bug: OPSAPS-22159

Workaround: Add the required Certificate Authority or self-signed certificates to the default Java trust store, which is typically a copy of the cacerts file named jssecacerts in the $JAVA_HOME/jre/lib/security/ path of your installed JDK. Use keytool to import your private CA certificates into the jssecacert file.

The Spark Upload Jar command fails in a secure cluster.

Cloudera Bug: OPSAPS-19856

Workaround: To run Spark on YARN, manually upload the Spark assembly jar to HDFS /user/spark/share/lib. The Spark assembly jar is located on the local filesystem, typically in /usr/lib/spark/assembly/lib or /opt/cloudera/parcels/CDH/lib/spark/assembly/lib.

Clients of the JobHistory server administrative interface, such as the mapred hsadmin tool, may fail to connect to the server when run on hosts other than the one where the JobHistory server is running.

Cloudera Bug: OPSAPS-20347

<property>
<name>mapreduce.history.admin.address</name>
<value>JOBHISTORY_SERVER_HOST:10033</value>
</property>

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.

Cloudera Bug: OPSAPS-25390, TSB-48

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.1.4 provides these changes for Cloudera Manager 5.1.x deployments. All Cloudera Manager 5.1.x users should upgrade to 5.1.4 as soon as possible. For more information, see the Cloudera Security Bulletin.

Speed and heap usage have been improved when deleting hosts on clusters that have been running for a long time.

When there are multiple clusters, each cluster's topology files and validation for legal topology is limited to hosts in that cluster. Most commands will now fail up front if the cluster's topology is invalid.

For users of Oracle databases, the size of the statement cache has been reduced to help with memory consumption.

Memory usage of "cluster diagnostics collection" has been improved for large clusters.

Cloudera Bug: OPSAPS-21797

Jobs can hang on NodeManager decommission due to a race condition when continuous scheduling is enabled.

When upgrading from CDH 4 to CDH 5, if no parcel is active then the error message "Could not find a healthy host with CDH5 on it to create HiveServer2" displays. This can happen when transitioning from packages to parcels, or if you explicitly deactivate the CDH 4 parcel (which is not necessary) before upgrade.

Workaround: Wait 30 seconds and retry the upgrade.

Cloudera Bug: OPSAPS-21942

Cloudera Manager 5.1 installs Java 7u55 by default. However, the AWS installation wizard does not work with Java 7u55 due to a bug in the jClouds version packaged with Cloudera Manager.

Cloudera Bug: OPSAPS-21855

The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.

Cloudera Bug: OPSAPS-21797; KI added Cloudera Manager 5.1.0

Replications can be affected by other replications or commands running at the same time, causing replications to fail unexpectedly or even be silently skipped sometimes. When this occurs, a StaleObjectException is logged to the Cloudera Manager logs. This is known to occur even with as few as four replications starting at the same time.

Cloudera Bug: OPSAPS-21918

If you have manually installed Oracle's official JDK 7 or 8 rpm on a host (or hosts), and check the Install Java Unlimited Strength Encryption Policy Files checkbox in the Add Cluster or Add Host wizard when installing Cloudera Manager on that host (or hosts), or when upgrading Cloudera Manager to 5.1, Cloudera Manager installs JDK 6 policy files, which will prevent any Java programs from running against that JDK. Additionally, if this situation does apply, Cloudera Manager/CDH will also choose that particular Java as the default to run against, meaning that Cloudera Manager/CDH fail to start, throwing the following message in logs: Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!.

Cloudera Bug: OPSAPS-21914

When "Remote App Log Directory" is changed in YARN configuration, the property yarn.nodemanager.remote-app-log-dir are not included in the JobHistory Server yarn-site.xml and Gateway yarn-site.xml.

Cloudera Bug: OPSAPS-20906; KI added Cloudera Manager 5.0.1

<property>
<name>yarn.nodemanager.remote-app-log-dir</name>
<value>/path/to/logs</value>
</property>

In a secure CDH 4.1 cluster, Hue and Impala cannot share the same Hive instance. If "Bypass Hive Metastore Server" is disabled on the Hive service, then Hue will not be able to talk to Hive. Conversely, if "Bypass Hive Metastore" enabled on the Hive service, then Impala will have a validation error.

Cloudera Bug: OPSAPS-20482

Severity: High

Workaround: Upgrade to CDH 4.2.

Cloudera Bug: OPSAPS-17243

Workaround: None.

Cloudera Bug: OPSAPS-18473

Encrypted shuffle has been introduced in CDH 4.1, but it is not currently possible to enable it through Cloudera Manager.

Cloudera Bug: OPSAPS-8480

Severity: Medium

Workaround: None.

Hive CLI does not work in CDH 4 when "Bypass Hive Metastore Server" is enabled.

Cloudera Bug: OPSAPS-20721

Workaround: Configure Hive and disable the "Bypass Hive Metastore Server" option.

Alternatively, an approach can be taken that will cause the "Hive Auxiliary JARs Directory" to not work, but will enable basic Hive commands to work. Add the following to "Gateway Client Environment Advanced Configuration Snippet for hive-env.sh," then re-deploy the Hive client configuration:

HIVE_AUX_JARS_PATH="
AUX_CLASSPATH=/usr/share/java/mysql-connector-java.jar:/usr/share/java/oracle-connector-java.jar:$(find /usr/share/cmf/lib/postgresql-jdbc.jar 2> /dev/null | tail -n 1)

The downloaded client configuration for YARN includes the topology.py script. The location of this script is given by the net.topology.script.file.name property in core-site.xml. But the core-site.xml file downloaded with the client configuration has an incorrect absolute path to /etc/hadoop/... for topology.py. This can cause clients that run against this configuration to fail (including Spark clients run in yarn-client mode, as well as YARN clients).

Cloudera Bug: OPSAPS-20337

Workaround: Edit core-site.xml to change the value of the net.topology.script.file.name property to the path where the downloaded copy of topology.py is located. This property must be set to an absolute path.

When search_bind_authentication is set to false, Cloudera Manager does not include it in hue.ini.

Cloudera Bug: OPSAPS-20926

[desktop]
[[ldap]]
search_bind_authentication=false

An erroneous "Failed parameter validation" warning is displayed on the HBase configuration page on CDH 4.1 in Cloudera Manager 5.0.0

Severity: Low

Cloudera Bug: OPSAPS-20310

Workaround: Use CDH4.2 or higher, or ignore the warning.

In large clusters, when problems appear with a host or role, administrators may choose to decommission the host or role to fix it and then recommission the host or role to put it back in production. Decommissioning, especially host decommissioning, is slow, hence the importance of parallelization, so that host recommissioning can be initiated before decommissioning is done.

Cloudera Bug: OPSAPS-19055

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.0.5 provides these changes for Cloudera Manager 5.0.x deployments. All Cloudera Manager 5.0.x users should upgrade to 5.0.5 as soon as possible. For more information, see the Cloudera Security Bulletin.

Impala 1.3.1 contains changes to the runtime profile format that break the Cloudera Manager Query Monitoring feature. This leads to exceptions in the Cloudera Manager Service Monitor logs, and Impala queries no longer appear in the Cloudera Manager UI or API. The issue affects Cloudera Manager 5.0 and 4.6 - 4.8.2.

Cloudera Bug: OPSAPS-20744; KI added Cloudera Manager 5.0.1

Workaround: None. The issue will be fixed in Cloudera Manager 4.8.3 and Cloudera Manager 5.0.1. To avoid the Service Monitor exceptions, turn off the Cloudera Manager Query Monitoring feature by going to Impala Daemon > Monitoring and setting the Query Monitoring Period to 0 seconds. Note that the Impala Daemons must be restarted when changing this setting, and the setting must be restored once the fix is deployed to turn the query monitoring feature back on. Impala queries will then appear again in Cloudera Manager’s Impala query monitoring feature.

Contact Cloudera Support before upgrading from Cloudera Manager 5.0.0 beta 1 or beta 2 to Cloudera Manager 5.0.0.

Cloudera Bug: OPSAPS-19894

Workaround: Contact Cloudera Support.

HDFS replication between clusters in different Kerberos realms fails when using YARN if the target cluster is CDH 5.

Cloudera Bug: OPSAPS-19930

Workaround: Use MapReduce (MRv1) instead of YARN.

If installing CDH 4 packages, the Impala 1.3.0 option listed in the install wizard does not work because Impala 1.3.0 is not yet released for CDH 4.

Cloudera Bug: OPSAPS-20406

Workaround: Install using parcels (where the unreleased version of Impala does not appear), or select a different version of Impala when installing with packages.