Issues Fixed in Cloudera Manager 5

The following sections describe issues fixed in each Cloudera Manager 5 release.

Issues Fixed in Cloudera Manager 5.16.2

The API method "ApiHiveCloudReplicationArguments" is missing for Cloudera Manager 5.15

The Cloudera Manager Python API client released in 5.16.1 missed changes that were introduced in version 5.15, including changes related to Backup and Disaster Recovery (BDR) Hive Replication. Those missing changes have been ported.

Cloudera Bug: OPSAPS-48873

Backup and Disaster Recovery fails if dfs.nameservices is overridden with multiple nameservice names

This fix handles the scenario where multiple nameservices are listed in the dfs.nameservices configuration. The feature now cross-checks them against the fs.defaultFS value configured in core-site.xml.

Cloudera Bug: OPSAPS-48579

Error handling differs between multi-thread and single-thread Hive replication

This fix aligns multi-thread Hive replication error handling with the single-thread case. Multi-thread Hive replication now has the appropriate error types, which are implicitly suppressed by the replication.hive.ignoreTableNotFound and replication.hive.ignoreDataBaseNotFound safety valves.

Cloudera Bug: OPSAPS-49987

Issues Fixed in Cloudera Manager 5.16.1

Yarn Application Masters fail when a concurrent Deploy Client Configuration job is executed

Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.

No changes are required for Cloudera Manager/CDH 5.16.0 and higher. Use the following workaround for Cloudera Manager/CDH 5.15.1 and 5.14.4:
  1. On the Cloudera Manager server host, add the following line to the /etc/default/cloudera-scm-server file:
    export CMF_FF_YARN_SAFE_CONTAINER_EXECUTOR_DIR=true
  2. Restart the Cloudera Manager Server:
    service cloudera-scm-server restart
  3. Restart the NodeManager(s) so they can pick up the new configuration change:
    1. In the Cloudera Manager Admin console, go to the YARN service.
    2. Click the Instances tab.
    3. Select all hosts with the NodeManager Role Type.
    4. Click Actions for Selected > Restart.

Cloudera Bug: OPSAPS-24398

Aborting a BDR replication does not stop and issues an empty error

The abort functionality now works as expected.

Cloudera Bug: OPSAPS-39694

HDFS replication fails when reserved raw data is replicated

Fixed an issue with HDFS replication where reserved raw data is replicated with the delete strategy.

Cloudera Bug: OPSAPS-47244

Threshold settings prevent correct configuration

When Threshold settings are saved with values such as Any or Never, a bug in the validation code prevented the user from saving the threshold to a specific value. This is now fixed.

Cloudera Bug: OPSAPS-46657

Gateway roles and Isilon replication jobs

Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replication jobs from running.

Cloudera Bug: OPSAPS-46154

Save Changes remains enabled after clicking (possible autocomplete issue)

Google Chrome version 66, released on 28 April 2018, introduced behavior changes which can trigger unintended modification of existing configuration values in Cloudera Manager. If a page contains a password field, the browser aggressively applies auto-complete form data to the first text field and first password form fields. These changes are applied without user input or explicit notification (fields are highlighted).

Cloudera Bug: OPSAPS-46118

Spark cross-realm authentication fails

Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.

Cloudera Bug: OPSAPS-46103

Host installation or upgrade using key based authentication where private key is protected by passphrase does not work

In Cloudera Manager, host installation and upgrade do not work when using key-based host authentication with SSH where the private key is protected by a passphrase.

Cloudera Bug: OPSAPS-45571

Failures during Cloudera Manager installation or upgrade

Fixed an issue where Cloudera Manager agent installation or upgrade failed due to misconfigured or problematic third-party repositories that were interfering with the process.

Cloudera Bug: OPSAPS-45576

Cloudera Manager should not omit LDAP GROUP_MAPPING passwords from NodeManager

Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.

Cloudera Bug: OPSAPS-45440

Upgrading a license finishes on wrong page

The Enable Trial workflow previously finished on the upgrade page; it now goes back to the Home page upon completion.

Cloudera Bug: OPSAPS-45444

Flume uses default values for Kafka TLS settings

Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.

Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.

Cloudera Bug: OPSAPS-45669

Cloudera Manager upgrade page load issues in Internet Explorer

The new Cloudera Manager Upgrade page doesn't load in IE9, 10 or 11 due to using a feature that is not supported in IE. This is now fixed in 5.15.1.

Cloudera Bug: OPSAPS-45779

Do not expose configuration history to non-admin users

Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.

Cloudera Bug: OPSAPS-45781

Incorrect page reloads on Instances and All Hosts pages

The Instances page and the All Hosts page now do not reload when a command finishes.

Cloudera Bug: OPSAPS-45761

Kudu package missing from CDH installation using packages

Fixed an issue where Cloudera Manager did not install Kudu packages when CDH was installed using packages instead of parcels.

Cloudera Bug: OPSAPS-45692

Reports Manager displays incorrectly

When the Reports Manager is not installed, Cloudera Manager Admin Console pages now display correctly and irrelevant links have been removed.

Cloudera Bug: OPSAPS-44873

Cloudera Manager fails when enabling Kerberos if TLS is already configured

When enabling Kerberos for a cluster running TLS, the system cannot use the privileged ports (< 1024). Instead, the wizard prompts the user to use the appropriate port values.

Cloudera Bug: OPSAPS-33345

Kafka JMX connections listen on all interfaces unnecessarily

Kafka broker and MirrorMaker processes now listen on only the loopback interface for JMX connections. This caused Cloudera Manager to report that Kafka had stale configurations.

Cloudera Bug: OPSAPS-47365

BDR replicates Kudu HMS entries as-is

Hive tables created by Kudu are now excluded from Backup and Disaster Recovery replication.

Cloudera Bug: OPSAPS-46549

Restart warnings are incorrect after starting role with outdated configuration

Fixed an issue where some roles that required restarts were not correctly identified after starting a role marked as Started with Outdated Configuration.

Cloudera Bug: OPSAPS-45237

Host inspector should check system user group membership

The new Host Inspector now warns if a user does not belong to its own group.

Cloudera Bug: OPSAPS-46592

Null Pointer Exception on Cloudera Manager Upgrade Page

Fixed an NPE on the new Cloudera Manager Upgrade page. This only happens when the agent could not retrieve the host status.

Cloudera Bug: OPSAPS-46616

Upgrade to CDH 5.15.1 fails with CM 5.15.1 and OpenJDK

Fixes Java version parsing issue with OpenJDK during Cloudera Manager upgrade.

Cloudera Bug: OPSAPS-47620

Issues Fixed in Cloudera Manager 5.15.2

Restart Warnings are incorrect after starting a role with an outdated configuration

Fixed an issue where some roles that required restarts were not correctly identified after starting a role marked as "Started with Outdated Configuration".

Cloudera Bug: OPSAPS-47775, OPSAPS-47493

Releases affected: 5.13, 5.14, 5.15

Upgrade to CDH 5.15.1 fails with CM 5.15.1 and OpenJDK

Fixes Java version parsing issue with OpenJDK during Cloudera Manager upgrade.

Cloudera Bug: OPSAPS-47620

Kafka JMX connections listen on all interfaces unnecessarily

Kafka broker and MirrorMaker processes now listen on only the loopback interface for JMX connections. This caused Cloudera Manager to report that Kafka had stale configurations.

Cloudera Bug: OPSAPS-47365

Flume uses default values for Kafka TLS settings

Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.

Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.

Cloudera Bug: OPSAPS-45669

Issues Fixed in Cloudera Manager 5.15.1

Cloudera Manager read-only user can access sensitive cluster information

Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.

For the latest update on this issue, see the corresponding Knowledge article:

TSB 2018-306: Cloudera Manager Information Disclosure

Cloudera Bug: OPSAPS-45688

Open Redirect and XSS in Cloudera Manager

Technical Service Bulletin 2018-321 (TSB)

One type of page in Cloudera Manager uses a returnUrl parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker’s external site or perform a malicious JavaScript function that results in cross-site scripting (XSS).

With this fix, Cloudera Manager no longer allows any value in the returnUrl parameter with patterns such as http://, https://, //, or javascript. The only exceptions to this rule are the SAML login/logout URLs, since they are explicitly configured and are not passed via the returnUrl parameter.
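The check described above can be sketched as follows. This is an added example, not Cloudera Manager's code: the function names and sample values are constructed, and it goes beyond the listed patterns by accepting only same-application paths and by checking the percent-decoded form as well.

```python
from urllib.parse import urlsplit, unquote

# Patterns the bulletin lists as no longer allowed in returnUrl.
DENIED_PATTERNS = ("http://", "https://", "//", "javascript")

MAX_LENGTH = 2048  # assumption: an arbitrary upper bound for a redirect target


def has_denied_pattern(value: str) -> bool:
    """True if the value contains one of the listed patterns.

    Matching is case-insensitive here (an assumption of this example).
    """
    lowered = value.lower()
    return any(pattern in lowered for pattern in DENIED_PATTERNS)


def _is_local_path(candidate: str) -> bool:
    """Allowlist test for one representation of the value."""
    # Whitespace and control characters have no place in a redirect target
    # and are handled inconsistently by URL parsers.
    if any(ord(ch) < 0x21 or ord(ch) == 0x7F for ch in candidate):
        return False
    # Browsers normalise backslashes to slashes, so refuse them outright.
    if "\\" in candidate:
        return False
    if has_denied_pattern(candidate):
        return False
    # Only absolute paths on this application are acceptable.
    if not candidate.startswith("/"):
        return False
    parts = urlsplit(candidate)
    return not parts.scheme and not parts.netloc


def is_safe_return_url(value: str) -> bool:
    """Accept a returnUrl only if it is a path on the same application.

    The raw value and its percent-decoded form must both pass, so an
    encoded slash or scheme cannot slip past the pattern check.
    """
    if not value or len(value) > MAX_LENGTH:
        return False
    return all(_is_local_path(c) for c in (value, unquote(value)))


def rejected(values):
    """Return the subset of values that the validator refuses."""
    return [v for v in values if not is_safe_return_url(v)]


# Constructed sample values for illustration only.
SAMPLES = [
    "/cmf/home",                          # local path
    "/cmf/services/12/status?tab=config", # local path with query string
    "https://example.invalid/",           # absolute URL
    "//example.invalid/path",             # scheme-relative URL
    "JavaScript:void(0)",                 # script scheme, mixed case
    "/\\example.invalid",                 # backslash variant
    "/%2Fexample.invalid",                # encoded slash
    "cmf/home",                           # not an absolute path
    "/cmf/home\r\nX",                     # embedded control characters
    "",                                   # empty value
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "allow" if is_safe_return_url(sample) else "reject"
        print(f"{verdict:6} {sample!r}")
```

A rejected value should fall back to a fixed default page rather than being passed to the redirect.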

Products affected: Cloudera Manager

Releases affected:

  • 5.15.0 and all earlier releases

Users affected: The following Cloudera Manager roles: “cluster administrator”, “full administrators”, and “configurators”.

Date/time of detection: June 20, 2018

Detected by: Mohit Rawat & Ekta Mittal

Severity (Low/Medium/High): 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Impact: Open redirects can silently redirect a victim to an attacker’s site. XSS vulnerabilities can be used to steal credentials or to perform arbitrary actions as the targeted user.

CVE: CVE-2018-15913

Immediate action required: Upgrade to Cloudera Manager 5.15.1 or higher

Addressed in release/refresh/patch:

  • Cloudera Manager 5.15.1 and higher
  • Cloudera Manager 6.0.0

Flume uses default values for Kafka TLS settings

Fixed an issue where Flume used default values for Kafka TLS settings. For further details, see the original Known Issue.

Note that this fix causes Flume to be marked as having a stale configuration. To resolve the staleness, restart Flume.

Cloudera Bug: OPSAPS-45669

Abort Installation button causes errors

When installing or upgrading hosts using the Upgrade or Installation wizards, an error message is displayed when the "abort" link is clicked.

Cloudera Bug: OPSAPS-45655

Host Inspector reports identical JDK versions as different.

The Host Inspector was reporting JDKs installed with a different installation path as different JDK versions.

Cloudera Bug: OPSAPS-44931

Upgrading a license finishes on wrong page

The Enable Trial workflow previously finished on the upgrade page; it now goes back to the Home page upon completion.

Cloudera Bug: OPSAPS-45444

Cloudera Manager should not omit LDAP GROUP_MAPPING passwords from NodeManager

Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.

Cloudera Bug: OPSAPS-45440

Do not expose configuration history to non-admin users

Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.

Cloudera Bug: OPSAPS-45781

Cloudera Manager upgrade page load issues in Internet Explorer

The new Cloudera Manager Upgrade page doesn't load in IE9, 10 or 11 due to using a feature that is not supported in IE. This is now fixed in 5.15.1.

Cloudera Bug: OPSAPS-45779

Gateway roles and Isilon replication jobs

Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replication jobs from running.

Cloudera Bug: OPSAPS-46154

Cloudera Backup and Disaster Recovery cannot import Hive metadata

Fixed a bug where Cloudera Backup and Disaster Recovery could not import Hive metadata that included a Partitioned View with a null StorageDescriptor.

Cloudera Bug: OPSAPS-45900

Threshold settings prevent correct configuration

When Threshold settings are saved with values such as Any or Never, a bug in the validation code prevented the user from saving the threshold to a specific value. This is now fixed.

Cloudera Bug: OPSAPS-46657

Incorrect page reloads on Instances and All Hosts pages

The Instances page and the All Hosts page now do not reload when a command finishes.

Cloudera Bug: OPSAPS-45761

Null Pointer Exception on Cloudera Manager Upgrade Page

Fixed an NPE on the new Cloudera Manager Upgrade page. This only happens when the agent could not retrieve the host status.

Cloudera Bug: OPSAPS-46616

Spark cross-realm authentication fails

Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.

Cloudera Bug: OPSAPS-46103

Yarn Application Masters fail when a concurrent Deploy Client Configuration job is executed

Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.

No changes are required for Cloudera Manager/CDH 5.16.0 and higher. Use the following workaround for Cloudera Manager/CDH 5.15.1 and 5.14.4:
  1. On the Cloudera Manager server host, add the following line to the /etc/default/cloudera-scm-server file:
    export CMF_FF_YARN_SAFE_CONTAINER_EXECUTOR_DIR=true
  2. Restart the Cloudera Manager Server:
    service cloudera-scm-server restart
  3. Restart the NodeManager(s) so they can pick up the new configuration change:
    1. In the Cloudera Manager Admin console, go to the YARN service.
    2. Click the Instances tab.
    3. Select all hosts with the NodeManager Role Type.
    4. Click Actions for Selected > Restart.

Cloudera Bug: OPSAPS-24398

Cloudera Manager does not list any CDH package options other than "custom"

When doing a package installation or upgrade of CDH, no versions of CDH5 are shown in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-45732

Issues Fixed in Cloudera Manager 5.15.0

Cloudera Manager read-only user can access sensitive cluster information

Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.

For the latest update on this issue, see the corresponding Knowledge article:

TSB 2018-306: Cloudera Manager Information Disclosure

Cloudera Bug: OPSAPS-45688

Cross-site scripting vulnerability in Cloudera Manager

Fixed the cross-site scripting vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description.

Cloudera Bug: DOCS-3186

Cannot install or start Cloudera Manager on SLES12

Fixed an issue where Path A (non-production) installations of Cloudera Manager do not work on SLES version 12.

See TSB-279 for more information.

Cloudera Bug: OPSAPS-44284

Extra entries in the Manage Host Override dialog

Fixed an issue where duplicate hostnames appeared when editing configuration overrides for Host level configurations.

Cloudera Bug: OPSAPS-44814

Cloudera logo disappears in Upgrade Wizard

Fixed an issue where the Cloudera Manager logo might not get refreshed in the browser automatically when upgrading from Cloudera Manager 5.10 to 5.11 or higher. This issue caused the logo to disappear.

Cloudera Bug: OPSAPS-44676

Errors thrown for Hive replications managed by a single Cloudera Manager

Fixed an issue where an exception is thrown when collecting replication diagnostics for a Hive replication schedule between two clusters managed by a single Cloudera Manager.

Cloudera Bug: OPSAPS-45197

YARN NodeManager stale due to missing CGroups

Fixed an issue where the YARN NodeManager may show as being stale due to System Resources even when it is not. The named-cpu value may show as changed even though it was not modified.

Cloudera Bug: OPSAPS-43973

Warning message "Cloud file creation time does not match saved time" in S3 replication

Fixed an issue where multiple false warning log messages appeared during HDFS-S3 restore operations.

Cloudera Bug: OPSAPS-43681

Concurrent Hive replications on different Hives fail with clashing command error

Fixed an issue that caused Hive replications to fail due to conflicting Hive replication schedules when there are two clusters managed by the same Cloudera Manager.

Cloudera Bug: OPSAPS-43652

Impala Dynamic Resource Pools access

Fixed an issue where Cloudera Manager did not generate the aclSubmitApps element in the fair-scheduler.xml file when a user did not specify any user or groups for the root pool. Cloudera Manager now automatically generates aclSubmitApps with a space character. This change means the default is no access for all users.

Cloudera Bug: OPSAPS-45046

Cannot start CM5.13.1 after one-click manual install on SLES12 SP2

This fix upgrades the PostgreSQL JDBC driver. The new JDBC driver only supports PostgreSQL versions 8.2 and higher. RHEL5 defaults to PostgreSQL 8.1.

Use the following workaround for RHEL5:
  1. Download PostgreSQL 9.0-802 JDBC4: https://jdbc.postgresql.org/download/postgresql-9.0-802.jdbc4.jar
  2. Copy it as /usr/share/java/postgresql-connector-java.jar and then install the server.

Cloudera Bug: OPSAPS-43624

AvroTypeException preventing Cloudera Manager Agent from connecting to the Cloudera Manager Server

Fixed an issue where an agent heartbeat fails and leads to the agent not connecting to the Cloudera Manager Server.

Cloudera Bug: OPSAPS-44971

Host Templates Regression on CM 5.13.x or 5.14

Fixed an issue where the Apply Host Template feature in the Add Host wizard was broken.

Cloudera Bug: OPSAPS-45334

Agent stops heartbeating due to Avro parsing errors.

Fixed an issue where, under certain conditions, the Cloudera Manager Agent stops heartbeating with the Cloudera Manager Server due to Avro RPC parsing errors.

Cloudera Bug: OPSAPS-45282

Error "Mismatched input PATTERN expecting EOF" on the Detail Usage page of the Resource Manager

Fixed an issue where a user sees an error message about Mismatched input PATTERN.

Cloudera Bug: OPSAPS-42437

Agent exception "Could not evaluate resource {u'hard_limit': 500, u'soft_limit': 300}: 'unicode' object has no attribute 'items'"

Fixes an issue in Cloudera Manager agent where cgroup soft and hard memory limits were not applied on the host.

Cloudera Bug: OPSAPS-45229

Host installation or upgrade using key based authentication where private key is protected by passphrase does not work

In Cloudera Manager, host installation and upgrade do not work when using key-based host authentication with SSH where the private key is protected by a passphrase.

Cloudera Bug: OPSAPS-45571

Backup and Disaster Recovery replication fails between two clusters when data is copied from one encryption zone to another when using CDH 5.12.0 or higher

Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.

Both the source and destination clusters must upgrade to a release that contains the fix.

Cloudera Bug: OPSAPS-43556

Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3

Logging issue slows down Hive and HDFS Replication jobs

Fixed an issue that occurred when using Cloudera Manager for cross-cluster replication of HDFS and Hive. Unnecessary warning logs are printed during the initial phase of replication (‘copy listing’). These logs were printed for each and every file that Cloudera Backup and Disaster Recovery (BDR) copies. This causes very verbose log output which slows down this phase of the replication job and can affect overall replication times considerably. This happens only when both source and target clusters are running Cloudera Manager 5.14.0.

See TSB-290 for more information.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.1

Cloudera Bug: OPSAPS-44160

Scheduled snapshot and replication jobs are skipped

Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44153

Table statistics are lost when replicating an existing table without partitions

Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44070

The Replication performance CSV file header does not match content

Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.

Fixed in: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-43997

BDR Cloud (S3) Replication jobs fail with delegation token creation issue

Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.

Cloudera Bug: OPSAPS-44008

Spark CSD should emit proper environment variables for older CDH version 5.4.x

Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.

Cloudera Bug: OPSAPS-43985

Hive Replication export step fails with StaleObjectStateException

Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.

Cloudera Bug: OPSAPS-43964

Add "sentry" group in "hadoop.proxyuser.hive.groups" on upgrade to CDH 5.13.0 and higher

For CDH 5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') or the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.

Cloudera Bug: OPSAPS-43809

Cloudera Manager Server reports 'Too many open files' error

Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.

Cloudera Bug: OPSAPS-44922

Cloudera Manager Upgrade (5.14.0 to 5.14.1) stuck at refreshing package metadata - configurator not found

Fixed a bug in the host installation/upgrade wizard that occurred when retrying individual hosts. The error message "Configurator not found" might appear and prevent installation or upgrade of all hosts.

Cloudera Bug: OPSAPS-44694

Issues Fixed in Cloudera Manager 5.14.4

Cloudera Manager read-only user can access sensitive cluster information

Fixed an issue where, due to a security vulnerability, a Cloudera Manager read-only user can access sensitive cluster information.

For the latest update on this issue, see the corresponding Knowledge article:

TSB 2018-306: Cloudera Manager Information Disclosure

Cloudera Bug: OPSAPS-45688

Gateway roles and Isilon replication jobs

Fixed a bug where Cloudera Manager did not allow Gateway roles for Isilon clusters, which prevented replication jobs from running.

Cloudera Bug: OPSAPS-46154

Save Changes remains enabled after clicking (possible autocomplete issue)

Google Chrome version 66, released on 28 April 2018, introduced behavior changes which can trigger unintended modification of existing configuration values in Cloudera Manager. If a page contains a password field, the browser aggressively applies auto-complete form data to the first text field and first password form fields. These changes are applied without user input or explicit notification (fields are highlighted).

Cloudera Bug: OPSAPS-46118

Cloudera Backup and Disaster Recovery cannot import Hive metadata

Fixed a bug where Cloudera Backup and Disaster Recovery could not import Hive metadata that included a Partitioned View with a null StorageDescriptor.

Cloudera Bug: OPSAPS-45900

Do not expose configuration history to non-admin users

Users were previously able to go directly to the configuration history and rollback page using the URL, even though the link itself is not visible. This is now protected.

Cloudera Bug: OPSAPS-45781

Cloudera Manager should not omit LDAP GROUP_MAPPING passwords from NodeManager

Some sensitive authentication configurations were not emitted for the Yarn Node Manager when using LDAP group mapping. This is now corrected for clusters running CDH 5.5 and higher where encryption is available for those sensitive configurations.

Cloudera Bug: OPSAPS-45440

Errors thrown for Hive replications managed by a single Cloudera Manager

Fixed an issue where an exception is thrown when collecting replication diagnostics for a Hive replication schedule between two clusters managed by a single Cloudera Manager.

Cloudera Bug: OPSAPS-45197

Agent exception "Could not evaluate resource {u'hard_limit': 500, u'soft_limit': 300}: 'unicode' object has no attribute 'items'"

Fixes an issue in Cloudera Manager agent where cgroup soft and hard memory limits were not applied on the host.

Cloudera Bug: OPSAPS-45229

Yarn Application Masters fail when a concurrent Deploy Client Configuration job is executed

Yarn Application Masters fail because the container-executor.cfg file is missing when a YARN application is executed concurrently with a Deploy Client Configurations job. The container-executor hierarchy has been moved to /var/lib/yarn-ce, which is not modified by the Deploy Client Configuration command.

No changes are required for Cloudera Manager/CDH 5.16.0 and higher. Use the following workaround for Cloudera Manager/CDH 5.15.1 and 5.14.4:
  1. On the Cloudera Manager server host, add the following line to the /etc/default/cloudera-scm-server file:
    export CMF_FF_YARN_SAFE_CONTAINER_EXECUTOR_DIR=true
  2. Restart the Cloudera Manager Server:
    service cloudera-scm-server restart
  3. Restart the NodeManager(s) so they can pick up the new configuration change:
    1. In the Cloudera Manager Admin console, go to the YARN service.
    2. Click the Instances tab.
    3. Select all hosts with the NodeManager Role Type.
    4. Click Actions for Selected > Restart.

Cloudera Bug: OPSAPS-24398

Host installation or upgrade using key based authentication where private key is protected by passphrase does not work

In Cloudera Manager, host installation and upgrade do not work when using key-based host authentication with SSH where the private key is protected by a passphrase.

Cloudera Bug: OPSAPS-45571

Cloudera Manager does not list any CDH package options other than "custom"

When doing a package installation or upgrade of CDH, no versions of CDH5 are shown in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-45732

Issues Fixed in Cloudera Manager 5.14.3

Cross-site scripting vulnerability in Cloudera Manager

Fixed the cross-site scripting vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description.

Cloudera Bug: DOCS-3186

Backup and Disaster Recovery replication fails between two clusters when data is copied from one encryption zone to another when using CDH 5.12.0 or higher

Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.

Both the source and destination clusters must upgrade to a release that contains the fix.

Cloudera Bug: OPSAPS-43556

Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3

HDFS and Hive Replications may fail after upgrading to CM 5.14.2 on clusters where HDFS HA is enabled

Fixed an issue that caused HDFS and Hive replications to fail if the destination cluster is managed by Cloudera Manager 5.14.2.

For more information, see TSB-305.

Cloudera Bug: OPSAPS-45600

Issues Fixed in Cloudera Manager 5.14.2

Cross-site scripting vulnerability in Cloudera Manager

Fixed the cross-site scripting vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description.

Cloudera Bug: DOCS-3186

CGroup Hard Memory resource reports incorrect units of measurement

The Host > Resources page now reports the correct units for the CGroup Hard Memory resource.

Cloudera Bug: OPSAPS-41473

Scheduled snapshot and replication jobs are skipped

Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44153

The Replication performance CSV file header does not match content

Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.

Fixed in: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-43997

BDR Cloud (S3) Replication jobs fail with delegation token creation issue

Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.

Cloudera Bug: OPSAPS-44008

Cloudera Manager Upgrade (5.14.0 to 5.14.1) stuck at refreshing package metadata - configurator not found

Fixed a bug in the host installation/upgrade wizard that occurred when retrying individual hosts. The error message "Configurator not found" might appear and prevent installation or upgrade of all hosts.

Cloudera Bug: OPSAPS-44694

Hive Replication export step fails with StaleObjectStateException

Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.

Cloudera Bug: OPSAPS-43964

Add "sentry" group in "hadoop.proxyuser.hive.groups" on upgrade to CDH 5.13.0 and higher

For CDH 5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') or the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.

Cloudera Bug: OPSAPS-43809

Spark CSD should emit proper environment variables for older CDH version 5.4.x

Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.

Cloudera Bug: OPSAPS-43985

Cloudera Manager Server reports 'Too many open files' error

Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.

Cloudera Bug: OPSAPS-44922

Table statistics are lost when replicating an existing table without partitions

Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44070

Issues Fixed in Cloudera Manager 5.14.1

Hive Replications Can Fail Intermittently

This issue, which was also reported in TSB-2018-276, is fixed in CDH 5.13.2. For further details, see the original Known Issue.

Cloudera Manager upgrade workflow incorrectly requires deploying some optional management roles

Fixed an issue that occurred after a user upgraded to Cloudera Manager 5.14.0 and all the agents had been updated to 5.14.0. The user saw an Upgrade Wizard and was asked to select where to place the Navigator Metadata Server, Navigator Audit Server, and the Reports Manager roles. The Continue button was disabled until the user added one of these roles.

See TSB-289.

Cloudera Bug: OPSAPS-44629

Logging issue slows down Hive and HDFS Replication jobs

Fixed an issue that occurred when using Cloudera Manager for cross-cluster replication of HDFS and Hive. Unnecessary warning logs are printed during the initial phase of replication (‘copy listing’). These logs were printed for each and every file that Cloudera Backup and Disaster Recovery (BDR) copies. This causes very verbose log output which slows down this phase of the replication job and can affect overall replication times considerably. This happens only when both source and target clusters are running Cloudera Manager 5.14.0.

See TSB-290 for more information.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.1

Cloudera Bug: OPSAPS-44160

Issues Fixed in Cloudera Manager 5.14.0

Transient 502 proxy error displays red popup in Hue

As of CDH 5.12 and later, the Hue load balancer started throwing transient 502 proxy errors that appear as a red popup on Hue web pages. This happens frequently on a secure cluster. The Hue server's runcpserver.log file does not log these 502 errors. The error is logged in /var/log/hue-httpd/error_log. Cloudera Manager now properly configures the Hue load balancer to avoid these issues.

Cloudera Bug: OPSAPS-43317

Cloudera Manager User Administrator role Error

Fixed a bug that occurred when a Cloudera Manager user with the User Administrator role goes to the Settings page. The Redaction Parameters for Diagnostic Bundles parameter displays the following error message:

Invalid JSON configuration: SyntaxError: Unexpected token * in JSON at position 0.

Cloudera Bug: OPSAPS-41286

Cluster upgrade fails in wizard with "There is already a pending command on this entity."

Previously, if the customer selected the Skip Host Inspector option, the wizard proceeded to the next page but the command still ran in the background and the user saw the message "There is already a pending command on this entity." Cloudera Manager now ensures that the Host Inspector command is aborted when the user selects Skip Host Inspector. It is still possible that other commands (scheduled or not) will run at the same time as the upgrade command. In this case, the user will still see the same error message.

Cloudera Bug: OPSAPS-43740

Configuration "diff" throws TypeMismatchException

The feature that compares the configuration between multiple services or multiple clusters on the configuration page threw an error in Cloudera Manager 5.13. This is now fixed.

Cloudera Bug: OPSAPS-43130

Send Test Alert response dialog does not work

Since Cloudera Manager 5.12, the ability to send a Test Alert has been broken. This is now fixed.

Cloudera Bug: OPSAPS-42826

Incorrect warnings when configuring HBase Thrift Server in Kerberized cluster

Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.

Cloudera Bug: OPSAPS-41441

Historical Disk Usage By User download CSV is not adding the metric type customer is choosing

When creating the "Historical Disk Usage By User" report from the Cluster > Cluster_name > Reports page, the download button did not honor the chosen metric. This is now fixed.

Cloudera Bug: OPSAPS-43474

WebServerMetricCollector breaks

Fixed a bug causing broken Impala monitoring functionality when password authentication is enabled for the Impala Daemon Web server.

Cloudera Bug: OPSAPS-43216

Cloudera Manager LDAP authentication fails

When the External Authentication type is set to LDAP, and the LDAP server is Active Directory, and the LDAP Group Search Base field is configured to be the root of the directory tree, authentication may fail with a PartialResultException message in the logs. This exception is now handled so that authentication succeeds.

Cloudera Bug: OPSAPS-43262

Logging in to Cloudera Manager 5.12.x with Internet Explorer 11 fails

Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.

Cloudera Bug: OPSAPS-42870

Hive Replication jobs fail intermittently

Fixed a bug where Hive Replications can fail intermittently on the first step. The failure message says: "The remote command failed with error message: Hive Replication Export Step failed".

See TSB-276.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-43676

Collect HDFS Replication process files in Hive Replication Diagnostic Bundle

The Hive Replication Diagnostic bundle now collects the HDFS Replication step's process log files.

Cloudera Bug: OPSAPS-43583

Hive Replication fails in unsecured clusters when proxy user is not a superuser on replication source

Fixed a bug that caused Hive Replication jobs to fail in unsecured clusters during the transfer step if the proxy user is not a superuser on the replication source.

Cloudera Bug: OPSAPS-43505

lsof output in host statistics can be huge due to duplicate per-thread entries

Fixed an issue where the output of the lsof command that is captured in support bundles showed open files per-thread as well as per-process. This could cause the size of the support bundle to increase significantly, and in some cases could cause the host statistics collection phase of support bundle collection to fail. Because the per-thread information is generally redundant, it has been removed from the lsof output.

Cloudera Bug: OPSAPS-42646

Cloudera Manager unable to refresh parcel information

Fixes an issue with refreshing parcels. Information about all available parcels was failing to refresh if one of the repositories contained an invalid manifest file.

Cloudera Bug: OPSAPS-43614

Collection of Impala logs should not fail even when some log files are not present

Fixed an issue of missing Impala and Kudu role logs in the diagnostic bundle when their log directories have broken symlinks.

Cloudera Bug: OPSAPS-41194

Transfer Metadata Files step fails when the home directory of the username is encrypted

This fixes a known issue with Hive and HDFS replication where those replications fail if the /user/$proxyuser or /user/hdfs directories are encrypted. The bug was introduced in Cloudera Manager 5.12 for Hive Replication and in Cloudera Manager 5.13 for HDFS Replication.

Cloudera Bug: OPSAPS-42439

Duplicate replication job on Cloudera Manager restart

This fixes a known issue where a restart of Cloudera Manager that occurs while HDFS or Hive replication jobs are running can cause a duplicate replication job to be started.

Cloudera Bug: OPSAPS-42557

ACLs and external attributes comparison in HDFS and Hive Replication can be incorrect

Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.

Cloudera Bug: OPSAPS-42818

HDFS Replication does not show the progress marker

This fixes an issue in Cloudera Manager in which progress markers for HDFS Replication were not visible in the Admin Console.

Cloudera Bug: OPSAPS-42805

Cloudera Manager fails to start when gateway roles have configuration overrides

Fixes an issue where descriptor generation fails and the Cloudera Management Service fails to start if any Gateway roles have a configuration override.

Cloudera Bug: OPSAPS-43517

Replication fails with 'another command' error when the previous run is aborted

Fixes a bug introduced in Cloudera Manager 5.13 where, after a replication command is aborted, the next run of the command fails with the following error message: "Another HDFS replication command .... is in progress".

Cloudera Bug: OPSAPS-42808

Do not include unhealthy hosts when calculating acceptable estimation rate

Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.

Cloudera Bug: OPSAPS-42720

Duplicate Hive Logs in diagnostic bundles.

Fixes a bug where some Hive logs would be duplicated in diagnostic bundles.

Cloudera Bug: OPSAPS-41611

"100%" health aggregation thresholds no longer permitted

Cloudera Manager now validates that custom services (CSDs) cannot define an invalid threshold for the role health of a service that affects overall service health. Now the thresholds for these health warnings ("percentGreenForGreen" and "percentYellowGreenForYellow") must be less than 100%.

Cloudera Bug: OPSAPS-42853

Allow validations for HIVE_METASTORE_MAX_MESSAGE_SIZE to be suppressible

Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.

Cloudera Bug: OPSAPS-43320

Preserve export.json and distcp-staging path when a different user runs /user replication

This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.

Cloudera Bug: OPSAPS-43050

Spark History Server ignores hadoop.security.auth_to_local mapping

The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.

Cloudera Bug: OPSAPS-42577

Impala Queries State are displayed wrong

The Impala queries page now shows the state of running queries correctly instead of calling them Finished.

Cloudera Bug: OPSAPS-43410

Rolling upgrade can fail when high availability services are stopped

Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.

Cloudera Bug: OPSAPS-42515

Pagination on Commands page skips some commands

Fixed a bug with the pagination on the All Recent Commands page in which commands were not always listed consistently.

Cloudera Bug: OPSAPS-43052

Get all schedules operation is very slow in Cloudera Manager 5.11 and higher

Before Cloudera Manager 5.14, the getAllSchedules API returned a list of failed files for all runs of a schedule. This operation slows down execution of the API and has been changed so that a list of failed files is returned only when the view is specified as full.

Cloudera Bug: OPSAPS-42587

Improve reporting of Replication progress

Live monitoring of throughput and estimated completion time for HDFS and Hive Replications run using Cloudera Manager Backup and Disaster Recovery (BDR) is now available in log files.

Cloudera Bug: OPSAPS-42756

Remove the recommendation to restart Cloudera Manager when adding trusted Kerberos realm

Changing the list of trusted Kerberos realms no longer requires a restart of Cloudera Manager.

Cloudera Bug: OPSAPS-43237

Inefficiency when checking staleness and host status

Fixed an inefficiency in staleness checking and checking host status that caused slowness in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-42698

NameNode migration timeout while saving namespace of size more than 7GB

Fixes an issue during HDFS NameNode migration between hosts, where the "Saving Namespace" step may time out if the fsimage size is large.

Cloudera Bug: OPSAPS-38236

Add Diagnostic Events for Agent Upgrades

Added installation and upgrade events for the Cloudera Manager agent software running on a cluster host to the diagnostic bundle.

Cloudera Bug: OPSAPS-42468

Limit the size of Hive log files collected in BDR diagnostic

Hive-related log files included in the diagnostic bundle are now limited to 100MB (before compression).

Cloudera Bug: OPSAPS-41610

Hive partitions not dropped in Hive replication

When partitions are deleted from a Hive table on the source cluster, Cloudera Backup and Disaster Recovery now correctly deletes the same partitions on Hive replication target. This fixes the bug introduced in Cloudera Manager 5.8.

Cloudera Bug: OPSAPS-42613

MR2Params.DEFAULT_MAPREDUCE_REDACTED_PROPERTIES should include Microsoft Azure credentials

Fixes a bug that caused a possible leak of sensitive cloud account information because redaction of these job configuration properties was not enabled by default for MapReduce jobs.

Cloudera Bug: OPSAPS-43753

Cross-site scripting issues fixed

A number of cross-site scripting issues have been identified through internal auditing and have all been fixed.

Cloudera Bug: OPSAPS-42828

Default end time in cluster utilization APIs is not parsed correctly

Fixed an issue where the cluster utilization report APIs did not work if the end time of the report was not specified with the to parameter. End time is meant to be an optional parameter, and now such API calls work without the to parameter.

Cloudera Bug: OPSAPS-42820

Replication fails if the home directory of the username in the schedule is encrypted

Fixed an issue where BDR replication fails if the user directory of the user specified in the Run as Peer User or Run as username field in the replication schedule is encrypted.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-42445

Issues Fixed in Cloudera Manager 5.13.3

Cross-site scripting vulnerability in Cloudera Manager

Fixed the cross-site scripting vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description.

Cloudera Bug: DOCS-3186

Cloudera Manager Server reports 'Too many open files' error

Fixed an issue where collection of diagnostic bundles would lead to slow file descriptor leaks in Cloudera Manager Server that eventually cause the server to become non-operational or unresponsive.

Cloudera Bug: OPSAPS-44922

Backup and Disaster Recovery replication fails between two clusters when data is copied from one encryption zone to another when using CDH 5.12.0 or higher

Fixed an issue where replication fails when two clusters use HDFS HA, and the nameservice names are the same.

Both the source and destination clusters must upgrade to a release that contains the fix.

Cloudera Bug: OPSAPS-43556

Fixed in: Cloudera Manager 5.15.0, 5.14.3, 5.13.3

Issues Fixed in Cloudera Manager 5.13.2

Cross-site scripting vulnerability in Cloudera Manager

Fixed the cross-site scripting vulnerability described in TSB-2018-285 (XSS Scripting Vulnerability in Cloudera Manager). For more information, see the Known Issue description.

Cloudera Bug: DOCS-3186

Hive Replications Can Fail Intermittently

This issue, which was also reported in TSB-2018-276, is fixed in CDH 5.13.2. For further details, see the original Known Issue.

Add "sentry" group in "hadoop.proxyuser.hive.groups" on upgrade to CDH 5.13.0 and higher

For CDH 5.13.0 and higher, when Hive is used with Sentry, Hive Proxy Groups should contain either a wildcard ('*') or the Sentry Group for Sentry to work with Hive. If this is not present, Cloudera Manager adds the Sentry Group to Hive Proxy Groups when upgrading CDH.

Cloudera Bug: OPSAPS-43809

BDR Cloud (s3) Replication job fail with delegation token creation issue

Fixed an issue where HDFS to Amazon S3 or Hive to Amazon S3 replication jobs fail when an expired delegation token is used to run a MapReduce/YARN job.

Cloudera Bug: OPSAPS-44008

Cloudera Manager User Administrator role Error

Fixed a bug that occurred when a Cloudera Manager user with the User Administrator role goes to the Settings page. The Redaction Parameters for Diagnostic Bundles parameter displays the following error message:

Invalid JSON configuration: SyntaxError: Unexpected token * in JSON at position 0.

Cloudera Bug: OPSAPS-41286

Cluster upgrade fails in wizard with "There is already a pending command on this entity."

Previously, if the customer selected the Skip Host Inspector option, the wizard proceeded to the next page but the command still ran in the background and the user saw the message "There is already a pending command on this entity." Cloudera Manager now ensures that the Host Inspector command is aborted when the user selects Skip Host Inspector. It is still possible that other commands (scheduled or not) will run at the same time as the upgrade command. In this case, the user will still see the same error message.

Cloudera Bug: OPSAPS-43740

Collect HDFS Replication process files in Hive Replication Diagnostic Bundle

The Hive Replication Diagnostic bundle now collects the HDFS Replication step's process log files.

Cloudera Bug: OPSAPS-43583

Configuration "diff" throws TypeMismatchException

The feature that compares the configuration between multiple services or multiple clusters on the configuration page threw an error in Cloudera Manager 5.13. This is now fixed.

Cloudera Bug: OPSAPS-43130

Historical Disk Usage By User download CSV is not adding the metric type customer is choosing

When creating the "Historical Disk Usage By User" report from the Cluster > Cluster_name > Reports page, the download button did not honor the chosen metric. This is now fixed.

Cloudera Bug: OPSAPS-43474

Hive Replication export step fails with StaleObjectStateException

Fixed an issue where replication commands sometimes fail because of concurrent executions in the database.

Cloudera Bug: OPSAPS-43964

Hive Replication fails in unsecured clusters when proxy user is not a superuser on replication source

Fixed a bug that caused Hive Replication jobs to fail in unsecured clusters during the transfer step if the proxy user is not a superuser on the replication source.

Cloudera Bug: OPSAPS-43505

Hive Replication jobs fail intermittently

Fixed a bug where Hive Replications can fail intermittently on the first step. The failure message says: "The remote command failed with error message: Hive Replication Export Step failed".

See TSB-276.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-43676

Collection of Impala logs should not fail even when some log files are not present

Fixed an issue of missing Impala and Kudu role logs in the diagnostic bundle when their log directories have broken symlinks.

Cloudera Bug: OPSAPS-41194

Scheduled snapshot and replication jobs are skipped

Fixed an issue where scheduled Snapshot and Replication jobs can be skipped if there are too many commands scheduled to run at the same time (more than 100), or if Cloudera Manager has paused due to garbage collection.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44153

Table statistics are lost when replicating an existing table without partitions

Cloudera Backup and Disaster Recovery added a workaround for the Hive bug HIVE-15653 and now preserves table statistics for unpartitioned tables during subsequent runs.

Fixed Versions: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-44070

The Replication performance CSV file header does not match content

Fixed an issue where the header in the HDFS Replication performance file (in CSV format) does not match its contents.

Fixed in: Cloudera Manager 5.15.0, 5.14.2, 5.13.2

Cloudera Bug: OPSAPS-43997

WebServerMetricCollector breaks

Fixed a bug causing broken Impala monitoring functionality when password authentication is enabled for the Impala Daemon Web server.

Cloudera Bug: OPSAPS-43216

Spark CSD should emit proper environment variables for older CDH version 5.4.x

Fixed configuration of Kerberos credentials for the Spark History Server in CDH 5.4.

Cloudera Bug: OPSAPS-43985

lsof output in host statistics can be huge due to duplicate per-thread entries

Fixed an issue where the output of the lsof command that is captured in support bundles showed open files per-thread as well as per-process. This could cause the size of the support bundle to increase significantly, and in some cases could cause the host statistics collection phase of support bundle collection to fail. Because the per-thread information is generally redundant, it has been removed from the lsof output.

Cloudera Bug: OPSAPS-42646

Issues Fixed in Cloudera Manager 5.13.1

Replication fails if the home directory of the username in the schedule is encrypted

Fixed an issue where BDR replication fails if the user directory of the user specified in the Run as Peer User or Run as username field in the replication schedule is encrypted.

Fixed in: Cloudera Manager 5.14.0, 5.13.1

Cloudera Bug: OPSAPS-42445

Add Diagnostic Events for Agent Upgrades

Added installation and upgrade events for the Cloudera Manager agent software running on a cluster host to the diagnostic bundle.

Cloudera Bug: OPSAPS-42468

Cross-site scripting issues fixed

A number of cross-site scripting issues have been identified through internal auditing and have all been fixed.

Cloudera Bug: OPSAPS-42828

Logging in to Cloudera Manager 5.12.x with Internet Explorer 11 fails

Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.

Cloudera Bug: OPSAPS-42870

ACLs and external attributes comparison in HDFS and Hive Replication can be incorrect

Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.

Cloudera Bug: OPSAPS-42818

Transfer Metadata Files step fails when the home directory of the username is encrypted

This fixes a known issue with Hive and HDFS replication where those replications fail if the /user/$proxyuser or /user/hdfs directories are encrypted. The bug was introduced in Cloudera Manager 5.12 for Hive Replication and in Cloudera Manager 5.13 for HDFS Replication.

Cloudera Bug: OPSAPS-42439

Replication fails with 'another command' error when the previous run is aborted

Fixes a bug introduced in Cloudera Manager 5.13 where, after a replication command is aborted, the next run of the command fails with the following error message: "Another HDFS replication command .... is in progress".

Cloudera Bug: OPSAPS-42808

New Advanced Configuration Snippet for overriding the hdfs-site/core-site.xml values for Impala configurations

You can now use the following Advanced Configuration Snippets for core-site.xml for all Impalad and Catalog Server roles:
  • Impala Catalog Server Advanced Configuration Snippet (Safety Valve) for core-site.xml
  • Impala Daemon Advanced Configuration Snippet (Safety Valve) for core-site.xml

Cloudera Bug: OPSAPS-9586

Improve reporting of Replication progress

Live monitoring of throughput and estimated completion time for HDFS and Hive Replications run using Cloudera Manager Backup and Disaster Recovery (BDR) is now available in log files.

Cloudera Bug: OPSAPS-42756

Cloudera Manager fails to start when gateway roles have configuration overrides

Fixes an issue where descriptor generation fails and the Cloudera Management Service fails to start if any Gateway roles have a configuration override.

Cloudera Bug: OPSAPS-43517

Limit the size of Hive log files collected in BDR diagnostic

Hive-related log files included in the diagnostic bundle are now limited to 100MB (before compression).

Cloudera Bug: OPSAPS-41610

Do not include unhealthy hosts when calculating acceptable estimation rate

Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.

Cloudera Bug: OPSAPS-42720

Duplicate Hive Logs in diagnostic bundles.

Fixes a bug where some Hive logs would be duplicated in diagnostic bundles.

Cloudera Bug: OPSAPS-41611

Hive partitions not dropped in replication target cluster

Fixes a bug introduced in Backup and Disaster Recovery for Cloudera Manager 5.8 where HDFS and Hive replication were not dropping partitions on the target cluster that had been dropped on the source cluster.

Cloudera Bug: OPSAPS-43282

Incorrect warnings when configuring HBase Thrift Server in Kerberized cluster

Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.

Cloudera Bug: OPSAPS-41441

"100%" health aggregation thresholds no longer permitted

Cloudera Manager now validates that custom services (CSDs) cannot define an invalid threshold for the role health of a service that affects overall service health. Now the thresholds for these health warnings ("percentGreenForGreen" and "percentYellowGreenForYellow") must be less than 100%.

Cloudera Bug: OPSAPS-42853

Duplicate replication job on Cloudera Manager restart

This fixes a known issue where a restart of Cloudera Manager that occurs while HDFS or Hive replication jobs are running can cause a duplicate replication job to be started.

Cloudera Bug: OPSAPS-42557

Allow validations for HIVE_METASTORE_MAX_MESSAGE_SIZE to be suppressible

Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.

Cloudera Bug: OPSAPS-43320

Preserve export.json and distcp-staging path when a different user runs /user replication

This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.

Cloudera Bug: OPSAPS-43050

HDFS Replication does not show the progress marker

This fixes an issue in Cloudera Manager in which progress markers for HDFS Replication were not visible in the Admin Console.

Cloudera Bug: OPSAPS-42805

YARN postponed cgroups cleanup could remove hadoop-yarn directory when NodeManager is running

This fixes a bug in which, under certain conditions after a YARN or cluster restart, Cloudera Manager would delete the local directory used by the YARN NodeManager for creation of YARN container cgroups. On systems configured to use cgroups for YARN CPU isolation, this would prevent new YARN workloads from running on specific hosts until the directory was recreated manually.

Cloudera Bug: OPSAPS-40755

Inefficiency when checking staleness and host status

Fixed an inefficiency in staleness checking and checking host status that caused slowness in the Cloudera Manager Admin Console.

Cloudera Bug: OPSAPS-42698

Improved dynamic chunk operation of BDR

For HDFS and Hive replication, copying data in chunks sized by bytes, not by a fixed number of files, is now the default behavior.

Cloudera Bug: OPSAPS-42682

Remove the recommendation to restart Cloudera Manager when adding trusted Kerberos realm

Changing the list of trusted Kerberos realms no longer requires a restart of Cloudera Manager.

Cloudera Bug: OPSAPS-43237

BDR performance improvement

This fix delivers a big performance boost by parallelizing the process of checking for changes in file permissions, ACLs, and external attributes. Directory permissions are now preserved in the CopyMapper phase instead of the CopyCommitter phase.

Cloudera Bug: OPSAPS-42834

Spark History Server ignores hadoop.security.auth_to_local mapping

The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.

Cloudera Bug: OPSAPS-42577

NameNode migration timeout while saving namespace of size more than 7GB

Fixes an issue during HDFS NameNode migration between hosts, where the "Saving Namespace" step may time out if the fsimage size is large.

Cloudera Bug: OPSAPS-38236

Issues Fixed in Cloudera Manager 5.13.0

CM should report Spark service health as bad when the SparkHistoryServer is down

The Spark service health now reflects the health of its configured roles.

Cloudera Bug: OPSAPS-34698

Timeout between BDR peers increased

The communications timeout between two peer Cloudera Manager servers for communication during BDR replication has been increased to 10 seconds.

Cloudera Bug: OPSAPS-39225

New Impala metrics for hedged reads, JVM heap usage and connection setup queue size

The new metrics are for JVM Heap usage of the Catalog Server and Hedged reads.

Cloudera Bug: OPSAPS-39831, OPSAPS-40212, OPSAPS-40771

ClassCastException during upgrade with custom services (CSD) that support rolling restart

Fixed a bug that caused a ClassCastException during upgrade of clusters with custom (CSD) services that explicitly define rolling restart steps for master roles.

Cloudera Bug: OPSAPS-40182

Only one existing NodeManager role marked stale in Cloudera Manager when a new NodeManager is added

Fixes an issue with staleness detection logic. The new staleness detection logic, introduced in 5.11.0, caused a regression where it does not mark all the services stale. This affects rolling restart of the services.

Cloudera Bug: OPSAPS-40332

Proper termination and cleanup of YARN applications during decommissioning

Fixed an issue where YARN applications may not exit gracefully or clean up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.

Cloudera Bug: OPSAPS-40731

Health Event Startup Policy incorrectly mutes health events

Fixed an issue where all health events are ignored and no alerts get sent when the Health Event Startup Policy is set to none.

Cloudera Bug: OPSAPS-40851

Non-ASCII characters in logs caused failure of log collection for diagnostic bundles

Fixed an issue where log files did not get collected correctly as part of diagnostic bundles because they contained non-ASCII characters.

Cloudera Bug: OPSAPS-40949

Exception thrown when searching large log files

Fixed an issue where an exception might be thrown when searching a log when the log file size is larger than 2 GB.

Cloudera Bug: OPSAPS-41710

Exception thrown when accessing a service status page while stopping one of its roles

Fixed an issue where a NullPointerException occurred when accessing the service status page in the Cloudera Manager Admin Console while stopping a role.

Cloudera Bug: OPSAPS-41222

Increase Maximum Document Buffer size default to 2047 in Reports Manager

The default upper limit for the Reports Manager's Maximum Document Buffer Size configuration parameter has been increased to 2047 MB.

Cloudera Bug: OPSAPS-41358

Spilled memory not populated in Impala queries and in the Spilled Memory tab in the Cluster Utilization report

Fixed an issue where the Memory Spilled metric for each Impala query was not correctly populated. This prevented various features that depend on this metric from functioning correctly. For example, the Spilled Memory tab of the Cluster Utilization Report was not populated with data.

Cloudera Bug: OPSAPS-41447

HSM KMS trust store password is visible in logs

In previous releases, when using the Cloudera Navigator HSM KMS (for use with a Thales or Luna Hardware Security Module), the KMS's trust store password was displayed in some process logs on the KMS hosts. While the trust store password is not considered sensitive, some customers set their trust store password to the same value as their key store password, which is sensitive. In this release, the HSM KMS's trust store password is no longer displayed.

Cloudera Bug: OPSAPS-41626

Hue Load Balancer caused login failure

Fixed an issue where using Apache httpd 2.4 as the Hue load balancer caused Hue logins to fail when TLS is enabled for Hue. This change requires Cloudera Manager to set the use_x_forwarded_host parameter in the hue.ini file to "true". After upgrading Cloudera Manager, Cloudera Manager will report that the Hue Server and Load Balancer role configurations are stale. If your cluster is affected by this bug, you must restart the Hue service.

Cloudera Bug: OPSAPS-41850

Upgrade is blocked when HMS validation fails

While upgrading to Cloudera Manager 5.12 and CDH 5.12, Cloudera Manager added a new Hive Metastore validation step that is executed as a part of the CDH upgrade command to detect any corruption in the Hive Metastore. In 5.12, when corruption is detected and validation fails, the upgrade command fails and leaves the cluster in an intermediate state, meaning that some services may be started while others are stopped, which is not desirable.

This issue has been fixed in Cloudera Manager 5.12.1. Because it is possible for Hive to tolerate some forms of minor schema corruption, and because it is impossible to run the schema validation tool prior to CDH 5.12, the Hive Metastore validation is now executed as the last step of the upgrade command, which occurs after all the services in the cluster have fully been upgraded and restarted. Although this step still appears to be part of the upgrade, your upgrade is actually complete and you can deal with schema integrity issues following the upgrade. If you see this step failing, exit the upgrade wizard and contact Cloudera Support for assistance repairing any schema corruption. You may then re-run the validation tool manually from the Hive service actions menu after repair is complete to verify a successful repair.

Cloudera Bug: OPSAPS-41936

Default values for yarn.scheduler.fair.assignmultiple can block YARN applications from running on CDH 5.5 or CDH 5.6

In some previous versions of Cloudera Manager, the default value of yarn.scheduler.fair.assignmultiple was incorrect and can cause problems in CDH 5.5 and 5.6. This has been fixed. Note: if you use CDH versions 5.5.x or 5.6.x and upgrade to CM 5.13, you may see a staleness indicator for the YARN service. The staleness shows yarn.scheduler.fair.max.assign as being added. This is expected, and you should restart the YARN service to avoid a serious bug in the Resource Manager (YARN-4477).

Cloudera Bug: OPSAPS-42118

Add Host Wizard does not apply host template

Fixed an issue where the Apply Host Template feature in the Add Hosts Wizard did not apply the host template.

Cloudera Bug: OPSAPS-42134

Advanced configuration properties for Hue Load Balancer have no effect

Fixed an issue where Advanced Configuration Snippets for the Hue Load Balancer were not able to override the settings SSLProtocol and SSLCipherSuite.

Cloudera Bug: OPSAPS-42187

Issues with Kafka Active Controller when managing multiple Kafka services

Fixed an issue where Cloudera Manager did not track the Active Controller in Kafka correctly if there were multiple Kafka services running under the same Cloudera Manager instance.

Cloudera Bug: OPSAPS-42216

JDK 7 performance regression for Cloudera Manager-managed deployments of HBase

This change sets the JVM property ReservedCodeCacheSize to 256MB in the default JVM startup options for HBase roles. This change attempts to prevent performance issues seen when HBase uses Java 7. The value set is the same as the default when using Java 8.

Cloudera Bug: OPSAPS-42259

NullPointerException on the Command Details page while deploying client configuration

Fixed a NullPointerException on the Command Details page that caused the Deploy Client Configuration status to not display.

Cloudera Bug: OPSAPS-42390

BDR jobs replicating specific directories can cause other jobs to fail when using certain Delete Policy modes

Fixed an issue where a replication schedule copying the /user/, /user/hdfs or /user/$bdr_user directory with the Delete Policy set to delete missing files can cause other replication jobs that run simultaneously to fail.

Cloudera Bug: OPSAPS-42492

Rolling upgrade can fail when high availability services are stopped

Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.

Cloudera Bug: OPSAPS-42515

Issues Fixed in Cloudera Manager 5.12.2

Do not include unhealthy hosts when calculating acceptable estimation rate

Fixed an issue affecting the reliable generation of diagnostic bundles when some hosts are in an unhealthy state.

Cloudera Bug: OPSAPS-42720

BDR jobs replicating specific directories can cause other jobs to fail when using certain Delete Policy modes

Fixed an issue where a replication schedule copying the /user/, /user/hdfs or /user/$bdr_user directory with the Delete Policy set to delete missing files can cause other replication jobs that run simultaneously to fail.

Cloudera Bug: OPSAPS-42492

Rolling upgrade can fail when high availability services are stopped

Fixed a bug where rolling upgrades of CDH could fail when certain services Cloudera Manager expects to be able to restart without downtime are already stopped. Now, Cloudera Manager tolerates this and starts those services after upgrade as part of the cluster's rolling restart.

Cloudera Bug: OPSAPS-42515

Spark History Server ignores hadoop.security.auth_to_local mapping

The Spark History Server now respects the configured Kerberos-to-local user name mappings of the HDFS service.

Cloudera Bug: OPSAPS-42577

Default values for yarn.scheduler.fair.assignmultiple can block YARN applications from running on CDH 5.5 or CDH 5.6

In some previous versions of Cloudera Manager, the default value of yarn.scheduler.fair.assignmultiple was incorrect and can cause problems in CDH 5.5 and 5.6. This has been fixed. Note: if you use CDH versions 5.5.x or 5.6.x and upgrade to CM 5.13, you may see a staleness indicator for the YARN service. The staleness shows yarn.scheduler.fair.max.assign as being added. This is expected, and you should restart the YARN service to avoid a serious bug in the Resource Manager (YARN-4477).

Cloudera Bug: OPSAPS-42118

Add Host Wizard does not apply host template

Fixed an issue where the Apply Host Template feature in the Add Hosts Wizard did not apply the host template.

Cloudera Bug: OPSAPS-42134

Incorrect warnings when configuring HBase Thrift Server in Kerberized cluster

Previously, when configuring the HBase Thrift Server security in a Kerberized cluster, incorrect warnings such as "When HBase is configured to use Kerberos, HBase Thrift Authentication is ignored when Enable TLS/SSL for HBase Thrift Server over HTTP is enabled" would appear. With this fix, these warnings are eliminated.

Cloudera Bug: OPSAPS-41441

CM - log refresh takes me to the top of the page every 5 seconds

Fixed an issue in the Install Details dialog where the scroll position was not respected and the view always jumped to the very top. Now it stays at the location the user has scrolled to.

Cloudera Bug: OPSAPS-40836

YARN postponed cgroups cleanup could remove hadoop-yarn directory when NodeManager is running

This fixes a bug in which, under certain conditions after a YARN or cluster restart, Cloudera Manager would delete the local directory used by the YARN NodeManager for creation of YARN container cgroups. On systems configured to use cgroups for YARN CPU isolation, this would prevent new YARN workloads from running on specific hosts until the directory was recreated manually.

Cloudera Bug: OPSAPS-40755

New Advanced Configuration Snippet for overriding the hdfs-site/core-site.xml values for Impala configurations

You can now use the following Advanced Configuration Snippets for core-site.xml for all Impalad and Catalog Server roles:
  • Impala Catalog Server Advanced Configuration Snippet (Safety Valve) for core-site.xml
  • Impala Daemon Advanced Configuration Snippet (Safety Valve) for core-site.xml

Cloudera Bug: OPSAPS-9586

Allow validations for HIVE_METASTORE_MAX_MESSAGE_SIZE to be suppressible

Fixed an issue where the validation warning for "Max Message Size for Hive MetaStore" configuration parameter could not be suppressed. The new behavior allows any validations to be suppressed.

Cloudera Bug: OPSAPS-43320

Preserve export.json and distcp-staging path when a different user runs /user replication

This fixes an issue in which a replication job that replicates the /user directory in HDFS using the "delete missing" delete policy causes other concurrent replication jobs to fail.

Cloudera Bug: OPSAPS-43050

[sentry] Warn when policy files are in use

New Behavior: CM will show a suppressible warning when Sentry Policy files are used when the service can be configured to work with the Sentry Service in that CDH version. Note: HBase Solr Indexer does not currently support the Sentry Service in any CDH version and only supports policy files. Therefore, this validation warning will not be available for HBase Solr Indexer.

Cloudera Bug: OPSAPS-42865

Logging in to Cloudera Manager 5.12.x with Internet Explorer 11 fails

Fixed an issue where Internet Explorer defaults to DocMode 7 due to the removal of the X-UA-Compatible header in Cloudera Manager 5.12. When the user uses Compatibility Mode in Internet Explorer 9, 10, 11, or Edge, the browser is incorrectly identified as Internet Explorer 7.0 and as a result Cloudera Manager issues an error message (You are using an unsupported browser) and does not allow the user to log in.

Cloudera Bug: OPSAPS-42870

BDR performance improvement

This fix delivers a big performance boost by parallelizing the process of checking for changes in file permissions, ACLs, and external attributes. Directory permissions are now preserved in the CopyMapper phase instead of the CopyCommitter phase.

Cloudera Bug: OPSAPS-42834

ACLs and external attributes comparison in HDFS and Hive Replication can be incorrect

Fixes a bug where ACLs and external attributes (Xattrs) may be copied over during HDFS and Hive replication even when they have not changed.

Cloudera Bug: OPSAPS-42818

NullPointerException on the Command Details page while deploying client configuration

Fixed a NullPointerException on the Command Details page that caused the Deploy Client Configuration status to not display.

Cloudera Bug: OPSAPS-42390

Issues Fixed in Cloudera Manager 5.12.1

Hue Load Balancer caused login failure

Fixed an issue where using Apache httpd 2.4 as the Hue load balancer caused Hue logins to fail when TLS is enabled for Hue. This change requires Cloudera Manager to set the use_x_forwarded_host parameter in the hue.ini file to "true". After upgrading Cloudera Manager, Cloudera Manager will report that the Hue Server and Load Balancer role configurations are stale. If your cluster is affected by this bug, you must restart the Hue service.

Cloudera Bug: OPSAPS-41850

HSM KMS trust store password is visible in logs

In previous releases, when using the Cloudera Navigator HSM KMS (for use with a Thales or Luna Hardware Security Module), the KMS's trust store password was displayed in some process logs on the KMS hosts. While the trust store password is not considered sensitive, some customers set their trust store password to the same value as their key store password, which is sensitive. In this release, the HSM KMS's trust store password is no longer displayed.

Cloudera Bug: OPSAPS-41626

Maximum Diagnostic Bundle Size reported incorrectly

  • The Send Diagnostic Data command was erroneously reporting the maximum allowed bundle size when the diagnostic bundle is created using the By Date Range option. This message was fixed to show the right allowed bundle size.
  • The Send Diagnostic Data command displayed unclear error messages when the estimation step fails. This has been fixed to show a clear error message.

Cloudera Bug: OPSAPS-41020

Upgrade is blocked when HMS validation fails

While upgrading to Cloudera Manager 5.12 and CDH 5.12, Cloudera Manager added a new Hive Metastore validation step that is executed as a part of the CDH upgrade command to detect any corruption in the Hive Metastore. In 5.12, when corruption is detected and validation fails, the upgrade command fails and leaves the cluster in an intermediate state, meaning that some services may be started while others are stopped, which is not desirable.

This issue has been fixed in Cloudera Manager 5.12.1. Because it is possible for Hive to tolerate some forms of minor schema corruption, and because it is impossible to run the schema validation tool prior to CDH 5.12, the Hive Metastore validation is now executed as the last step of the upgrade command, which occurs after all the services in the cluster have fully been upgraded and restarted. Although this step still appears to be part of the upgrade, your upgrade is actually complete and you can deal with schema integrity issues following the upgrade. If you see this step failing, exit the upgrade wizard and contact Cloudera Support for assistance repairing any schema corruption. You may then re-run the validation tool manually from the Hive service actions menu after repair is complete to verify a successful repair.

Cloudera Bug: OPSAPS-41936

Spilled memory not populated in Impala queries and in the Spilled Memory tab in the Cluster Utilization report

Fixed an issue where the Memory Spilled metric for each Impala query was not correctly populated. This prevented various features that depend on this metric from functioning correctly. For example, the Spilled Memory tab of the Cluster Utilization Report was not populated with data.

Cloudera Bug: OPSAPS-41447

Increase Maximum Document Buffer size default to 2047 in Reports Manager

The default upper limit for the Reports Manager's Maximum Document Buffer Size configuration parameter has been increased to 2047 MB.

Cloudera Bug: OPSAPS-41358

Exception thrown when searching large log files

Fixed an issue where an exception might be thrown when searching a log when the log file size is larger than 2 GB.

Cloudera Bug: OPSAPS-41710

Proper termination and cleanup of YARN applications during decommissioning

Fixed an issue where YARN applications may not exit gracefully or clean up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.

Cloudera Bug: OPSAPS-40731

Viewing agent logs in Internet Explorer renders incorrectly

When viewing agent logs in Internet Explorer, the logs may render as HTML instead of text. This has been fixed by forcing browsers to render the log page as text.

Cloudera Bug: OPSAPS-41122

Threads CPU time and Total Time are not populated in Impala Query Monitoring

The Thread CPU Time and Total Time attributes of Impala Query Monitoring are now correctly populated.

Cloudera Bug: OPSAPS-39647

Issues Fixed in Cloudera Manager 5.12.0

Renaming an empty directory on Amazon S3 when using DynamoDB with S3Guard may fail

Fixed an issue where renaming an empty directory on Amazon S3 when using DynamoDB with S3Guard may fail.

Cloudera bug: CDH-51869

Apache bug: HADOOP-14036

Changes to the /tmp directory cause Hue failures

Changing permissions or removing files in the /tmp directory can cause Hue to fail because the Hue Kerberos ticket cache file, located by default in the /tmp directory, is no longer available. The default location has been changed to /var/run/hue.

You can change the location of the Hue Kerberos ticket cache by changing the Hue Kerberos Credentials Cache Directory property. In Cloudera Manager, go to the Hue service, select the Configuration tab, and search for the property. Restart the Hue service to enable the change.

After upgrading Cloudera Manager you must also restart the Hue service.

Cloudera Bug: OPSAPS-26101

Exception when setting maintenanceOwners to null

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Cloudera Bug: OPSAPS-32880

Upgrade continues when there are hosts with warnings

Fixed an issue where an upgrade continues even if hosts have a warning. Host warnings must be resolved before an upgrade can complete.

Cloudera Bug: OPSAPS-40945

Address renewal requirements for delegation tokens in DR

Fixed an issue where BDR replication jobs fail on a Kerberos enabled cluster if the job duration is longer than the renewal interval for the hdfs delegation token. With this fix, both the delegation token and Kerberos ticket are renewed until the max lifetime of token/ticket (default value is 7 days). This enables longer replications without needing to bring down the source cluster.

Cloudera Bug: OPSAPS-32811

hostname parameter is not passed to Impala catalog role

IMPALA-5253 contained a security fix for clusters using Impala with TLS (SSL) security enabled. This fix was also made in several maintenance versions of CDH that require you to upgrade Cloudera Manager. If you upgrade to a CDH version with this fix without upgrading Cloudera Manager, Impala will not function when TLS is enabled for Impala. You should upgrade Cloudera Manager first if you want to move to a CDH version with the security fix.

This issue affects upgrades of Cloudera Manager and CDH to version 5.11.1.

There are two ways you can work around this issue:

  • Upgrade to one of the following versions of Cloudera Manager before upgrading CDH:
    • 5.13.0
    • 5.12.1
    • 5.11.2
    • 5.10.2
    • 5.9.3
    • 5.8.5
-or-
  • Before upgrading CDH, set the -hostname option to the fully-qualified domain name of the Catalog Server using the Catalog Server Command Line Argument Advanced Configuration Snippet (Safety Valve) configuration property:
    -hostname=fully-qualified-domain-name of Impala Catalog Server
    (To set this property, in Cloudera Manager, go to the Impala service, select the Configuration tab and search for the property.)

CDH versions with the Impala security fix:
  • 5.11.1
  • 5.10.2
  • 5.9.3
  • 5.8.5

Cloudera bug: OPSAPS-41218

Hive Replication fails with OTHER_ERROR with duplicate view/table names

Fixed an issue where Hive replication fails if the same name is used for a table on the target cluster which is also used for a view on the source cluster. With this change, Hive replication properly handles all cases where a view and table on source/target clusters have the same name.

Cloudera Bug: OPSAPS-36302

Underscores in LDAP domain names not allowed

Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.

Cloudera Bug: OPSAPS-40487

Only use healthy HDFS/Hive hosts for launching replication jobs

BDR Replication Host Selection Policy has been updated. The process that launches and coordinates a HDFS/Hive replication job will now only run on the following hosts:
  • Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
  • Hosts that have a Non-Gateway role
  • Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
  • Hosts that are whitelisted, if configured

Cloudera Bug: OPSAPS-40040

Low watermark value for Memstore Flush default is incorrect

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe underutilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Accessing Sqoop2 with Hue fails

Fixed an issue where accessing Sqoop2 with Hue fails with the following error: Sqoop error: Could not get connectors.

CDH 5.5.0 or higher clusters running a Hue Service require a restart of Hue services because of a new configuration file. This new configuration file is required for Hue's Sqoop2 Application functions in secure settings, but it will show up whether or not Sqoop or security settings are in use.

Cloudera Bug: OPSAPS-27286

Make Oozie Load-balancer URL mandatory when enabling Oozie HA

Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-39372

Wire encryption configuration properties

HDFS client data-transfer encryption cipher related properties are now published to HTTPFs. Previously they were emitted just to HDFS Gateways, which caused HTTPFs performance to suffer when Data Transfer Encryption was turned on. When upgrading to Cloudera Manager 5.12, all HTTPFs instances will be marked stale, and a restart of those roles is required for these properties to take effect.

Cloudera Bug: OPSAPS-39981

Missing Sentry configuration files

Fixed an issue where some configuration files (core-site.xml) were missing from Sentry configuration.

Cloudera Bug: OPSAPS-33710

LoggingOutInterceptor log level

To enhance security, when API debugging is enabled, the entire API request and response is no longer printed at the DEBUG log level. To see the request/response, set the logging level to TRACE. Note that this may expose sensitive information in the logs.

Cloudera Bug: OPSAPS-34538

Failed health checks because of deprecated ntpdc command

Fixed an issue where the ntpdc command was used in the host Clock Offset health test even if the command is deprecated for an operating system.

Cloudera Bug: OPSAPS-38268

Reports Manager throws ArrayIndexOutOfBoundsException when indexing fsimage

Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40914

Spark History Server password handling

Improved password handling for the Spark History Server. After upgrading to Cloudera Manager 5.12, Cloudera Manager may consider the Spark service as having a stale configuration due to this change, requiring a restart.

Cloudera Bug: OPSAPS-40298

Agent process directories re-mounted on agent restart

Fixed an issue where restarting an agent on newer Linux distributions such as Ubuntu 16.04 or Red Hat 7 would result in process run directories being remounted and lost.

Cloudera Bug: OPSAPS-41259

Process secrets no longer protected with file permissions

Fixed an issue where secret data, including passwords and other data, can be exposed in the /var/run/cloudera-scm-agent/process-name/proc.json or /var/run/cloudera-scm-agent/process-name/config.zip files because these files are world readable. See TSB-235 for more information.

Fixed in: Cloudera Manager 5.12, 5.11, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40536
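A way to audit a host for the exposure described above, as an added example that is not Cloudera's code. The function names are hypothetical, the default root is the agent directory named in the note, and the scan is assumed to run as a user able to read that tree (normally root).

```python
import os
import stat

# File names and root directory are taken from the release note above.
SENSITIVE_NAMES = frozenset({"proc.json", "config.zip"})
DEFAULT_ROOT = "/var/run/cloudera-scm-agent"


def _others_can_traverse(root, dirpath):
    """True if every directory from root down to dirpath grants o+x (search)."""
    root = os.path.abspath(root)
    current = os.path.abspath(dirpath)
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        if current == root:
            return True
        parent = os.path.dirname(current)
        if parent == current:  # reached "/" without meeting root
            return False
        current = parent


def find_world_readable(root=DEFAULT_ROOT, names=SENSITIVE_NAMES):
    """Return sorted (path, mode_string, reachable) tuples for exposed files.

    A file is reported when its name is in `names` and the o+r bit is set.
    `reachable` says whether the directories between root and the file are
    also searchable by others, i.e. whether any local user could open it.
    Directories above root are not checked.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            if name not in names:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # process directory removed while scanning
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            if st.st_mode & stat.S_IROTH:
                findings.append(
                    (path, stat.filemode(st.st_mode),
                     _others_can_traverse(root, dirpath))
                )
    return sorted(findings)


if __name__ == "__main__":
    for path, mode, reachable in find_world_readable():
        state = "reachable by any local user" if reachable else "parent not o+x"
        print(f"{mode} {path} ({state})")
```

A finding with `reachable` set to False still has the wrong file mode, but a restrictive parent directory currently blocks access; treat it as lower priority, not as clean.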

Configuration files can be downloaded from the UI

Certain files that may contain sensitive information can no longer be downloaded from the Processes tab in Cloudera Manager. If access to those files is required, you must log into the appropriate host.

Cloudera Bug: OPSAPS-40309

Command download filename uniqueness

Fixed an issue where downloading the command output did not generate a unique file name.

Cloudera Bug: OPSAPS-40249

StopRunner is not honouring the keyAdministrator Role Activities

Fixed an issue where a CSD descriptor was not respecting the correct authorization for start/stop when specifying a service-level stopRunner (which enables graceful shutdown). This could cause some user roles to be able to start but not stop some services.

Cloudera Bug: OPSAPS-41030

Hue Load Balancer SSL Handshake error

Fixed an issue with the SSL handshake in Hue when Apache httpd 2.4 or higher is used as the load balancer. The Hue load balancer previously set the ProxyPreserveHost directive to On, when it should have been set to Off. This causes problems making SSL connections when using Apache httpd 2.4 or higher. The error caused problems when verifying the CN, which older versions of Apache httpd did not encounter because they did not properly verify the CN.

When upgrading Cloudera Manager, the Hue load balancer may be marked as having a stale configuration. If you are experiencing issues connecting to Hue with SSL, restart the Hue service to update the configuration.

Cloudera Bug: OPSAPS-40700

LDAP trust failures not showing in stack traces

When an external user authenticating via LDAP or Active Directory fails to log in to Cloudera Manager, the failure stack trace is now logged in the Cloudera Manager server log to help debug the failure.

Cloudera Bug: OPSAPS-40065

getRoles filtering is not working with Cloudera Manager API version 11 and higher

Fixed a bug that broke backwards compatibility with Cloudera Manager API version 11 (introduced with the Cloudera Manager 5.6 release) for the following endpoint:
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Cluster templates don't include role level configuration

Fixed an issue with Cluster Templates where role level configuration was not getting exported. This caused the cluster to fail when a user tried to import a cluster template exported from a cluster on which HDFS HA was enabled.

Cloudera Bug: OPSAPS-31528

Dynamic Resource Pool drop-down options are not visible when using Internet Explorer 11

Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.

Cloudera Bug: OPSAPS-40522

Cloudera Manager Server not validating agent hostnames with TLS

Fixed an issue where, when using TLS, hostnames were not verified during agent to server communication. To fix this, Cloudera Manager has a new setting: Verify Agent Hostname Against Certificate. When enabled, agent hostnames must match the hostname in the agent certificate, which is validated when agents send heartbeats to the Cloudera Manager Server.

Cloudera Bug: OPSAPS-40125

User Administrator role cannot configure S3Guard

Fixed an issue where the user administrator role was disallowed from managing S3 configuration.

Cloudera Bug: OPSAPS-40083

Allow diagnostic bundle estimation timeout to be configurable

Sometimes on a large or busy cluster, collection of diagnostic data using the By Date Range option can fail due to a timeout during the estimation step of the diagnostic bundle collection. You can now configure both the host level estimation timeout and the overall estimation timeout using Java options. These options can be set on the Cloudera Manager Server host in the /etc/default/cloudera-scm-server file by adding the following to the line that begins with export CMF_JAVA_OPTS:
  • -Dcom.cloudera.RoleLogEstimator.maxEstimateTimeoutSeconds=number of seconds (If not specified, the default is 90 seconds)
  • -Dcom.cloudera.RoleLogEstimator.estimateTimeoutPerHostSeconds=number of seconds (If not specified, default is 60 seconds)
Restart the Cloudera Manager server for the updated Java flags to take effect:
sudo service cloudera-scm-server restart

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40987

Peak Memory Usage report for Impala does not display data

Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3

Cloudera Bug: OPSAPS-39836

NullPointerException when accessing the configuration page for Alerts

Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2

Cloudera Bug: OPSAPS-39296

Issues Fixed in Cloudera Manager 5.11.2

Agent process directories re-mounted on agent restart

Fixed an issue where restarting an agent on newer Linux distributions such as Ubuntu 16.04 or Red Hat 7 would result in process run directories being remounted and lost.

Cloudera Bug: OPSAPS-41259

hostname parameter is not passed to Impala catalog role

IMPALA-5253 contained a security fix for clusters using Impala with TLS (SSL) security enabled. This fix was also made in several maintenance versions of CDH that require you to upgrade Cloudera Manager. If you upgrade to a CDH version with this fix without upgrading Cloudera Manager, Impala will not function when TLS is enabled for Impala. You should upgrade Cloudera Manager first if you want to move to a CDH version with the security fix.

This issue affects upgrades of Cloudera Manager and CDH to version 5.11.1.

There are two ways you can work around this issue:

  • Upgrade to one of the following versions of Cloudera Manager before upgrading CDH:
    • 5.13.0
    • 5.12.1
    • 5.11.2
    • 5.10.2
    • 5.9.3
    • 5.8.5
-or-
  • Before upgrading CDH, set the -hostname option to the fully-qualified domain name of the Catalog Server using the Catalog Server Command Line Argument Advanced Configuration Snippet (Safety Valve) configuration property:
    -hostname=fully-qualified-domain-name of Impala Catalog Server
    (To set this property, in Cloudera Manager, go to the Impala service, select the Configuration tab and search for the property.)

CDH versions with the Impala security fix:
  • 5.11.1
  • 5.10.2
  • 5.9.3
  • 5.8.5

Cloudera bug: OPSAPS-41218

Maximum Diagnostic Bundle Size reported incorrectly

  • The Send Diagnostic Data command was erroneously reporting the maximum allowed bundle size when the diagnostic bundle is created using the By Date Range option. This message was fixed to show the right allowed bundle size.
  • The Send Diagnostic Data command displayed unclear error messages when the estimation step fails. This has been fixed to show a clear error message.

Cloudera Bug: OPSAPS-41020

Allow diagnostic bundle estimation timeout to be configurable

Sometimes on a large or busy cluster, collection of diagnostic data using the By Date Range option can fail due to a timeout during the estimation step of the diagnostic bundle collection. You can now configure both the host-level estimation timeout and the overall estimation timeout using Java options. These options can be set on the Cloudera Manager Server host in the /etc/default/cloudera-scm-server file by adding the following to the line that begins with export CMF_JAVA_OPTS:
  • -Dcom.cloudera.RoleLogEstimator.maxEstimateTimeoutSeconds=number of seconds (If not specified, the default is 90 seconds)
  • -Dcom.cloudera.RoleLogEstimator.estimateTimeoutPerHostSeconds=number of seconds (If not specified, default is 60 seconds)
Restart the Cloudera Manager server for the updated Java flags to take effect:
sudo service cloudera-scm-server restart

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40987

Reports Manager throws ArrayIndexOutOfBoundsException when indexing fsimage

Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40914

Proper termination and cleanup of YARN applications during decommissioning

Fixed an issue where YARN applications may not exit gracefully or clean up properly if hosts are decommissioned while application containers are still running. This could lead to unexpected container/application failure and/or orphaned container processes on YARN worker nodes. Now, when decommissioning a NodeManager or host running a NodeManager, Cloudera Manager first waits for the configured YARN graceful decommission timeout (if applicable), and allows additional time for ResourceManager to properly terminate the NodeManager and its child processes.

Cloudera Bug: OPSAPS-40731

Peak Memory Usage report for Impala does not display data

Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3

Cloudera Bug: OPSAPS-39836

Make Oozie Load-balancer URL mandatory when enabling Oozie HA

Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-39372

NullPointerException when accessing the configuration page for Alerts

Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2

Cloudera Bug: OPSAPS-39296

Issues Fixed in Cloudera Manager 5.11.1

All required fonts are now installed by Cloudera Manager

Fixed an issue where Cloudera Manager made requests to googleapi.com to download some of its required fonts, which fails if the browser does not have Internet access. Cloudera Manager now includes all of the necessary fonts.

Cloudera Bug: OPSAPS-40609.

Automated Cloudera Manager installer fails on Ubuntu 16.04

Fixed an issue where running the cloudera-manager-installer.bin installer file (as described in the documentation) fails on Ubuntu 16.04 LTS (Xenial).

Cloudera Bug: DOCS-2037.

Unable to connect to Oozie with curl

Fixed an issue where some Linux distributions could not connect to Oozie with curl through HTTPS when DHE-based ciphers are present.

Cloudera Bug: OPSAPS-40407

getRoles filtering is not working with Cloudera Manager API version 11 and higher

Fixed a bug that broke backwards compatibility with Cloudera Manager API version 11 (introduced with the Cloudera Manager 5.6 release) for the following endpoint:
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Exception when setting maintenanceOwners to null

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-32880

HBase configuration is supplied for Hive when HBase service is not selected

Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.

This issue has been fixed in the following releases:
  • CM5.8.5 and higher maintenance releases,
  • CM5.9.2 and higher maintenance releases,
  • CM5.10.2 and higher maintenance releases,
  • CM5.11.1 and higher maintenance releases

When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart all the stale services in order for them to receive the updated configuration in the hive-site.xml file.

Cloudera Bug: OPSAPS-39021

Accessing Sqoop2 with Hue fails

Fixed an issue where accessing Sqoop2 with Hue fails with the following error: Sqoop error: Could not get connectors.

CDH 5.5.0 or higher clusters running a Hue Service require a restart of Hue services because of a new configuration file. This new configuration file is required for Hue's Sqoop2 Application functions in secure settings, but it will show up whether or not Sqoop or security settings are in use.

Cloudera Bug: OPSAPS-27286

Underscores in LDAP domain names not allowed

Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.

Cloudera Bug: OPSAPS-40487

Only use healthy HDFS/Hive hosts for launching replication jobs

BDR Replication Host Selection Policy has been updated. The process that launches and coordinates an HDFS/Hive replication job will now only run on the following hosts:
  • Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
  • Hosts that have a Non-Gateway role
  • Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
  • Hosts that are whitelisted, if configured

Cloudera Bug: OPSAPS-40040

CSD graceful service stop second step failure

Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafka upgrades.

Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40002

Metric missing from Workload Summary for Kudu

Fixed an issue where the total_kudu_rows_upserted_rate_across_kudu_replicas metric was not included in the Workload Summary for Kudu.

Cloudera Bug: OPSAPS-40551

Low watermark value for Memstore Flush default is incorrect

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe underutilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Failed health checks because of deprecated ntpdc command

Fixed an issue where the ntpdc command was used in the host Clock Offset health test even if the command is deprecated for an operating system.

Cloudera Bug: OPSAPS-38268

Dynamic Resource Pool drop-down options are not visible when using Internet Explorer 11

Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.

Cloudera Bug: OPSAPS-40522

Cluster templates don't include role level configuration

Fixed an issue with Cluster Templates where role-level configuration was not exported. This caused the cluster to fail when a user tried to import a cluster template exported from a cluster on which HDFS HA was enabled.

Cloudera Bug: OPSAPS-31528

Graceful shutdown of Kafka brokers does not work as expected

Fixed an issue where the new Graceful Shutdown Timeout configuration property does not work as expected. As a result, Kafka takes an additional 30 seconds (by default) to shut down, but will still only have 30 seconds to complete its controlled shutdown, before Cloudera Manager forcibly shuts down Kafka brokers regardless of the configured timeout.

Fixed in Cloudera Manager 5.11.1.

Cloudera Bug: OPSAPS-40106.

Issues Fixed in Cloudera Manager 5.11.0

ResourceManager state store recovery may fail.

Fixed an issue where ResourceManager state store recovery may fail. The YARN service will become stale when a cluster containing a YARN service with a ZooKeeper dependency set is upgraded to Cloudera Manager 5.10.1+ or 5.11+. Restart the YARN service normally or with a rolling restart.

Cloudera Bug: OPSAPS-38908

Privilege Escalation in Cloudera Manager

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

The cloudera-server-db fast_stop fails on Debian-based systems

Fixed an issue where the cloudera-server-db fast_stop command fails on non-systemd Debian systems like Debian 7 with a command not found error.

Cloudera Bug: OPSAPS-39393

Cluster template export exports Autoconfiguration settings

Fixed an issue where the API to export cluster templates exported settings that were auto-configured. Auto-configured settings should not be exported in the cluster template.

Cloudera Bug: OPSAPS-39031

Pauses in Cloudera Manager after adding peer

Fixed an issue that caused pauses and slow performance of the Cloudera Manager Admin Console after creating a peer.

Fixed in Cloudera Manager 5.11

Cloudera Bug: OPSAPS-38868.

Max heap is wrong for ZooKeeper

Fixed an issue where the JVM Heap Memory Usage chart for ZooKeeper displayed the wrong value for maximum memory.

Cloudera Bug: OPSAPS-38821

Error starting the NodeManager when the /tmp directory is mounted as noexec

Fixed an issue where an error occurs when starting the NodeManager because the /tmp directory is mounted as noexec.

Cloudera Bug: OPSAPS-33053

Cloudera Manager cannot delete principals from AD when regenerating principals

Fixed an issue where generating Kerberos credentials failed when Active Directory properties like OU have a space in them or are too long to fit in a line.

Cloudera Bug: OPSAPS-37100

The Cloudera Manager Python API may experience connection errors

Python 2.7 and later enables certificate chain validation by default, and specifying a custom SSL context with a CA certificate may be required to prevent connection errors. The ApiResource constructor in the Cloudera Manager Python API now takes an optional "ssl_context" argument where a custom SSL context can be provided. This allows clients to specify the CA certificate of the API endpoint's certificate.

Cloudera Bug: OPSAPS-31699
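
The following is an added example, not Cloudera's code, showing how a client can pass a verifying context through the ssl_context argument instead of disabling validation to get past connection errors. The helper names, the CA file path and port 7183 are assumptions; the cm_api import is deferred so the context checks run without the library installed.

```python
import ssl


def build_cm_ssl_context(ca_file=None):
    """Return a verifying SSL context for the Cloudera Manager API endpoint.

    ca_file is a PEM file holding the CA that signed the endpoint's
    certificate (a path supplied by the caller, hypothetical here).
    None falls back to the system trust store.
    """
    # create_default_context() enables CERT_REQUIRED and hostname checking.
    # A missing or unreadable ca_file raises here rather than producing a
    # context that trusts nothing or everything.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)


def context_problems(ctx):
    """List the reasons a context must not be used for the API connection."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate chain is not validated")
    if not ctx.check_hostname:
        problems.append("hostname is not checked against the certificate")
    return problems


def open_cm_api(host, username, password, ctx, port=7183):
    """Open an ApiResource over TLS, refusing contexts that skip validation.

    port=7183 is an assumption (adjust to your deployment).
    """
    problems = context_problems(ctx)
    if problems:
        raise ValueError("refusing unverified TLS: " + "; ".join(problems))
    # Imported lazily so the checks above work without cm_api installed.
    from cm_api.api_client import ApiResource
    return ApiResource(
        host,
        server_port=port,
        username=username,
        password=password,
        use_tls=True,
        ssl_context=ctx,  # the optional argument described above
    )


if __name__ == "__main__":
    good = build_cm_ssl_context()  # system trust store
    print("verifying context:", context_problems(good) or "ok")

    # Constructed counter-example: the "quick fix" that turns validation off.
    weak = ssl.create_default_context()
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    print("weakened context:", context_problems(weak))
```
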

The service cloudera-scm-server force_start command fails with PostgreSQL

Fixed an issue where a force start of the Cloudera Manager server failed if Cloudera Manager used PostgreSQL.

Cloudera Bug: OPSAPS-32915

Parcels cannot be removed from Cloudera Manager

Fixed an issue where parcels could not be removed from the Cloudera Manager database when the manifest.json file is not available in the remote repository or removed from the remote location.

Cloudera Bug: OPSAPS-34964

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, 5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

Warning about suspicious non-ASCII punctuation character in KMS ACLs

When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.

Fixed in Cloudera Manager 5.11.0, 5.10.1

Cloudera Bug: OPSAPS-38670

Kafka fails when configured with Sentry and an old Kafka version

Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.

Cloudera Bug: OPSAPS-37907

Fixed in: Cloudera Manager 5.11.0, 5.10.1

Invalid regex needs agent hard_restarted

Fixed a Cloudera Manager agent problem that required a hard restart when an invalid regular expression was used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-38946 and OPSAPS-36974

Issue with views after BDR Hive Replication

Fixed an issue where a change to a Hive view on a source cluster was not reflected in the target cluster after Hive Replication with the Force Overwrite option selected.

Cloudera Bug: OPSAPS-39034

Sentry Database upgrades

During a CDH upgrade, the Sentry Database Upgrade step will be performed only when necessary. Previously, the Sentry Database Upgrade step always ran.

Cloudera Bug: OPSAPS-25405

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Cloudera Bug: OPSAPS-38700

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Issues Fixed in Cloudera Manager 5.10.2

Underscores in LDAP domain names not allowed

Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.

Cloudera Bug: OPSAPS-40487

Low watermark value for Memstore Flush default is incorrect

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe underutilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Heap dump files don't contain the correct process ID

Fixed an issue where if Sentry crashed with an OutOfMemory error, the generated dump file name was not unique, and therefore the file could be overwritten on subsequent occurrences of the error. This has been fixed to include the PID in the dump file name, which is the standard practice for other CDH services.

Cloudera Bug: OPSAPS-40600

CSD graceful service stop second step failure

Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafka upgrades.

Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40002

getRoles filtering is not working with Cloudera Manager API version 11 and higher

Fixed a bug that broke backwards compatibility with Cloudera Manager API version 11 (introduced with the Cloudera Manager 5.6 release) for the following endpoint:
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Only use healthy HDFS/Hive hosts for launching replication jobs

BDR Replication Host Selection Policy has been updated. The process that launches and coordinates an HDFS/Hive replication job will now only run on the following hosts:
  • Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
  • Hosts that have a Non-Gateway role
  • Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
  • Hosts that are whitelisted, if configured

Cloudera Bug: OPSAPS-40040

Dynamic Resource Pool drop-down options are not visible when using Internet Explorer 11

Fixed a typo on the Dynamic Resource Pools page that prevents Internet Explorer from rendering the add/edit resource pool dialog box.

Cloudera Bug: OPSAPS-40522

HBase configuration is supplied for Hive when HBase service is not selected

Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.

This issue has been fixed in the following releases:
  • CM5.8.5 and higher maintenance releases,
  • CM5.9.2 and higher maintenance releases,
  • CM5.10.2 and higher maintenance releases,
  • CM5.11.1 and higher maintenance releases

When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart all the stale services in order for them to receive the updated configuration in the hive-site.xml file.

Cloudera Bug: OPSAPS-39021

The cloudera-server-db fast_stop fails on Debian-based systems

Fixed an issue where the cloudera-server-db fast_stop command fails on non-systemd Debian systems like Debian 7 with a command not found error.

Cloudera Bug: OPSAPS-39393

Exception when setting maintenanceOwners to null

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Cloudera Bug: OPSAPS-32880

Cannot upload large diagnostic bundles

Fixed an issue where large diagnostic bundles, such as ones greater than 4 GB, fail to upload.

Cloudera Bug: OPSAPS-40100

NullPointerException when accessing the configuration page for Alerts

Fixed an issue where a NullPointerException occurred when viewing the configuration page for alerts.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2

Cloudera Bug: OPSAPS-39296

Issues Fixed in Cloudera Manager 5.10.1

ResourceManager state store recovery may fail.

Fixed an issue where ResourceManager state store recovery may fail. The YARN service will become stale when a cluster containing a YARN service with a ZooKeeper dependency set is upgraded to Cloudera Manager 5.10.1+ or 5.11+. Restart the YARN service normally or with a rolling restart.

Cloudera Bug: OPSAPS-38908

Privilege Escalation in Cloudera Manager

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

Warning about suspicious non-ASCII punctuation character in KMS ACLs

When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.

Fixed in Cloudera Manager 5.11.0, 5.10.1

Cloudera Bug: OPSAPS-38670

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Cloudera Bug: OPSAPS-38700

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, 5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

Spark CSD may cause issues in yarn-cluster mode

Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.

Fixed in Cloudera Manager 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-39118

Invalid regex needs agent hard_restarted

Fixed a Cloudera Manager agent problem that required a hard restart when an invalid regular expression was used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-38946 and OPSAPS-36974

Kafka fails when configured with Sentry and an old Kafka version

Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.

Cloudera Bug: OPSAPS-37907

Fixed in: Cloudera Manager 5.11.0, 5.10.1

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Cloudera Bug: OPSAPS-38700

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Issues Fixed in Cloudera Manager 5.10.0

Importing cluster templates fails

Fixes an issue where the Cluster Import command fails after updating parcel repositories and when the parameter addRepositories=true is included in the command and there are no pre-configured repositories in the cluster.

Cloudera Bug: OPSAPS-33059

DB Oracle client libraries cannot be found on host due to missing libaio1

On a parcels install, Hue can be set up with an Oracle Database. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.

Cloudera Bug: OPSAPS-34339

CM - error connecting to an Oracle DB with a Package install for HUE's DB

On a packages install, Hue can be set up with an Oracle Database and proceed past the Test Connection page in the setup wizard. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.

Cloudera Bug: OPSAPS-34608

Support non-public schemas with PostgreSQL

Cloudera Manager used to work with only 'public' schema in PostgreSQL. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user or database. For more information, see https://www.postgresql.org/docs/current/static/ddl-schemas.html.

Cloudera Bug: OPSAPS-33752

Truststore password shouldn't be required

Trust store passwords are not required. This fixes a bug where some Cloudera components erroneously reported that a password was required.

Cloudera Bug: OPSAPS-38183

Server error deleting a host - Cannot delete or update a parent row: a foreign key constraint fails

Fixes a database constraint violation that occurs when you use Cloudera Manager to delete a host that has cluster-wide configurations. (Kerberos configurations, for example.)

Cloudera Bug: OPSAPS-38150

Hide unlicensed configurations instead of disabling them

Cloudera Express no longer shows configurations that require a license to manage.

Cloudera Bug: OPSAPS-38214

Various improvements in the Pools page

Many small usability issues have been fixed in the resource pools page:
  • You can now click on an input row and go directly to that input field in the edit dialog.
  • The columns where you enter minimum and maximum values for Virtual cores and Memory now appear under headings Min Resources and Max Resources.
  • On the Create Resource Pool page, the Configuration Sets tab has been renamed to Resource Limits.

Cloudera Bug: OPSAPS-38133

Override the SMON client configuration so the MapReduce job does not produce compressed output

This fixes an issue where YARN utilization report may not work when MapReduce job output is specified as "Compressed" and a compression codec is used for it.

Cloudera Bug: OPSAPS-38460

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Dollar sign '$' character in password results in an IllegalArgumentException

Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.

Cloudera Bug: OPSAPS-37542

Incorrect Scheduling Policy of Resource Pool Configuration in YARN

If a user did not make any resource policy change on an existing cluster, the default scheduling policy used is FAIR, but the Cloudera Manager Admin console incorrectly displays the policy as DRF. This is now fixed to show FAIR. When the user creates new clusters, the default scheduling policy will be DRF.

Cloudera Bug: OPSAPS-37478

Cannot select time period in custom charts in C5.9

The quick time selection (30m, 1h, etc.) on custom dashboards now works correctly.

Cloudera Bug: OPSAPS-37190

Increase the default value of Safemode Minimum DataNodes property to 1

In Cloudera Manager 5.9 and lower, the HDFS property Safemode Minimum DataNodes has a default value of 0. This property configures the number of DataNodes that must register with the NameNode before the NameNode exits safe mode. This property now has a default value of 1 in CDH 5.9 and higher.

In an empty cluster (that is, a cluster with no HDFS data) where the property is set to 0, this has the side effect of extending the duration of startup safe mode by about 30 seconds. For non-empty clusters, this change has no visible effect. This change only applies to new CDH 5.9 and higher clusters created with Cloudera Manager 5.10 or higher. Existing CDH 5.9 clusters are not affected; pre-CDH 5.9 clusters that are upgraded to CDH 5.9 or higher are also unaffected.

Cloudera Bug: OPSAPS-36988

Turn off HSTS header in Hue Load Balancer

Now only the Hue server generates the HSTS HTTP header. Previously, both the Hue server and Hue Load Balancer generated the HSTS HTTP header.

Cloudera Bug: OPSAPS-35536

AWS ID being used for UUID, which can cause duplicate hosts

Prevents duplicate hosts from being reported in Cloudera Manager due to use of the AWS instance ID as a unique host identifier. Cloudera Manager now uses a random number as the host unique identifier instead. This prevents a duplicate host issue when a host is running on a cloud service such as AWS and the host is added using the Cloudera Manager wizard and manually added later.

Cloudera Bug: OPSAPS-35282

Cloudera Manager corrupts passwords and other attributes

Previously, some users found that '******' was inserted in the database literally. Cloudera Manager now checks for this special string and prevents it from being stored in the Cloudera Manager database.

Cloudera Bug: OPSAPS-34252

Database wizard error message when the database does not exist is misleading

Cloudera Manager now generates a proper error message when the database does not exist and the username and password do exist. Cloudera Manager now displays the message "Able to find the Database server, but not the specified database. Please check if the database name is correct and make sure that the user can access the database."

Cloudera Bug: OPSAPS-33915

Hive Replication: Make parameters replication on by default

Parameters of databases, tables, partitions, and indexes are replicated by default during Hive replications. You can disable this replication. See Replication of Parameters.

Cloudera Bug: OPSAPS-38197

NFS Gateway daemon in HDFS needs SSL server configs

The Web server of the HDFS NFS Gateway that is used to publish metrics and view configurations is now covered by SSL protection when enabled across the HDFS service. This fixes an issue that caused a failure when starting the Web interface for the NFS gateway.

Cloudera Bug: OPSAPS-33202

CM server error - JsonMappingException

Fixed an issue where a race condition could occur when getting the log links for unhealthy roles, causing a null pointer exception on the Cloudera Manager homepage.

Cloudera Bug: OPSAPS-32804

"Restart needed" button doesn't appear after changing the server's private key password in the KeyTrustee Server service configuration

When passwords change, the stale configuration icons display. When you click one of these icons, the Stale Configurations page displays but the page does not indicate which passwords have changed.

Cloudera Bug: OPSAPS-29146

Issues Fixed in Cloudera Manager 5.9.3

Reports Manager throws ArrayIndexOutOfBoundsException when indexing fsimage

Fixes an issue where an ArrayIndexOutOfBoundsException can be thrown by Reports Manager.

Fixed in Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40914

Make Oozie Load-balancer URL mandatory when enabling Oozie HA

Fixed an issue when the Oozie Load Balancer field in the Oozie configuration is not set and Oozie high availability is in use (two or more Oozie Server roles are deployed). This now creates a validation error and Cloudera Manager does not let you start or restart Oozie until the problem is fixed.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-39372

Allow diagnostic bundle estimation timeout to be configurable

Sometimes on a large or busy cluster, collection of diagnostic data using the By Date Range option can fail due to a timeout during the estimation step of the diagnostic bundle collection. You can now configure both the host-level estimation timeout and the overall estimation timeout using Java options. These options can be set on the Cloudera Manager Server host in the /etc/default/cloudera-scm-server file by adding the following to the line that begins with export CMF_JAVA_OPTS:
  • -Dcom.cloudera.RoleLogEstimator.maxEstimateTimeoutSeconds=number of seconds (If not specified, the default is 90 seconds)
  • -Dcom.cloudera.RoleLogEstimator.estimateTimeoutPerHostSeconds=number of seconds (If not specified, default is 60 seconds)
Restart the Cloudera Manager server for the updated Java flags to take effect:
sudo service cloudera-scm-server restart

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40987

Low watermark value for Memstore Flush default is incorrect

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe underutilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Exception when setting maintenanceOwners to null

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Cloudera Bug: OPSAPS-32880

CSD graceful service stop second step failure

Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafka upgrades.

Fixed in: Cloudera Manager 5.11.1, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40002

Heap dump files don't contain the correct process ID

Fixed an issue where if Sentry crashed with an OutOfMemory error, the generated dump file name was not unique, and therefore the file could be overwritten on subsequent occurrences of the error. This has been fixed to include the PID in the dump file name, which is the standard practice for other CDH services.

Cloudera Bug: OPSAPS-40600

Only use healthy HDFS/Hive hosts for launching replication jobs

BDR Replication Host Selection Policy has been updated. The process that launches and coordinates a HDFS/Hive replication job will now only run on the following hosts:
  • Hosts that run any role of the HDFS/Hive Service (for HDFS or Hive replication)
  • Hosts that have a Non-Gateway role
  • Hosts where the health status is in the GOOD or CONCERNING state with preference given to GOOD
  • Hosts that are whitelisted, if configured

Cloudera Bug: OPSAPS-40040

Process secrets no longer protected with file permissions

Fixed an issue where secret data, including passwords and other data, can be exposed in the /var/run/cloudera-scm-agent/process-name/proc.json or /var/run/cloudera-scm-agent/process-name/config.zip files because these files are world readable. See TSB-235 for more information.

Fixed in: Cloudera Manager 5.12, 5.11, 5.10.2, 5.9.3

Cloudera Bug: OPSAPS-40536
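
The following script is an added example, not part of Cloudera's release notes or tooling. It audits a directory tree for proc.json and config.zip files that other local users can read, which is the exposure this entry describes; the directory to scan is passed as an argument, and the function names and the EXPOSED/MASKED labels are this example's own.

```shell
#!/bin/sh
# Added example (not Cloudera code): report proc.json / config.zip files
# under a process directory tree that local users outside the owning
# user and group can read. Function names and labels are this example's own.

# True when "other" has the search (execute) bit on directory $1.
other_can_traverse() {
    [ -n "$(find "$1" -prune -type d -perm -001 2>/dev/null)" ]
}

# True when every directory from the file's parent up to and including
# ROOT ($1) is searchable by "other". A 0644 file inside a 0700
# directory is not actually reachable, so it is reported separately.
# Directories above ROOT are not checked.
reachable_by_other() {
    rbo_root=$1
    rbo_dir=$(dirname "$2")
    while :; do
        other_can_traverse "$rbo_dir" || return 1
        [ "$rbo_dir" = "$rbo_root" ] && return 0
        case $rbo_dir in
            "$rbo_root"/*) rbo_dir=$(dirname "$rbo_dir") ;;
            *) return 0 ;;
        esac
    done
}

# audit_process_secrets ROOT
# Prints one line per world-readable proc.json or config.zip:
#   EXPOSED <path>   file is o+r and its directories are o+x
#   MASKED <path>    file is o+r but a parent directory blocks access
audit_process_secrets() {
    aps_root=${1%/}
    if [ ! -d "$aps_root" ]; then
        echo "not a directory: $1" >&2
        return 2
    fi
    find "$aps_root" -type f \( -name proc.json -o -name config.zip \) \
        -perm -004 -print 2>/dev/null | sort |
    while IFS= read -r aps_file; do
        if reachable_by_other "$aps_root" "$aps_file"; then
            echo "EXPOSED $aps_file"
        else
            echo "MASKED $aps_file"
        fi
    done
}

# Run as: sh audit.sh <agent process directory>
if [ "$#" -gt 0 ]; then
    audit_process_secrets "$1"
fi
```

A MASKED line still deserves attention: the file mode is wrong, and the file becomes readable as soon as the parent directory's permissions are loosened.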

Peak Memory Usage report for Impala does not display data

Fixed an issue where the Impala Peak Memory Usage page in the Cluster Utilization Report did not display any data in Cloudera Manager.

Fixed in: Cloudera Manager 5.12, 5.11.2, 5.9.3

Cloudera Bug: OPSAPS-39836

Validator for hive.metastore.server.max.message.size can break Hive Metastore startup

The recommended value for the Max Message Size for Hive MetaStore configuration parameter should be at least 10% of the value for the Java Heap Size of Hive Metastore Server in Bytes parameter, but should never exceed 2147483647B. Previously, the validator for Max Message Size for Hive MetaStore was showing an incorrect value in its validation message. This validator is now fixed to show the correct recommended value.

Cloudera Bug: OPSAPS-38434

getRoles filtering is not working with Cloudera Manager API version 11 and higher

Fixed a bug that broke backwards compatibility with Cloudera Manager API version 11 (introduced with the Cloudera Manager 5.6 release) for the following endpoint:
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Issues Fixed in Cloudera Manager 5.9.2

Privilege Escalation in Cloudera Manager

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, 5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

Invalid regex needs agent hard_restarted

Fixed a Cloudera Manager agent problem that required a hard restart when an invalid regular expression was used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-38946 and OPSAPS-36974

Spark CSD may cause issues in yarn-cluster mode

Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.

Fixed in Cloudera Manager 5.10.1, 5.9.2

Cloudera Bug: OPSAPS-39118

Dollar sign '$' character in password results in an IllegalArgumentException

Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.

Cloudera Bug: OPSAPS-37542

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Cloudera Bug: OPSAPS-38700

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Issues Fixed in Cloudera Manager 5.9.1

Cannot select time period in custom charts in C5.9

The quick time selection (30m, 1h, and so on) on custom dashboards does not work in 5.9.x.

Cloudera Bug: OPSAPS-37190

Hive table Views do not get restored from S3

When you create a Hive Replication schedule that copies Hive data from S3 and select the Reference Data From Cloud option, Hive table Views are not restored correctly, which results in a Null Pointer Exception when querying data from the view.

Cloudera Bug: OPSAPS-37549

Cloudera Manager blocks from HS2 enabling both LDAP and Kerberos authorization

HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 or higher. Previously, this was considered an error.

Cloudera Bug: OPSAPS-34310

Support non-public schemas

Cloudera Manager used to work with only the public schema in PostgreSQL. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user, database, and so on. See https://www.postgresql.org/docs/current/static/ddl-schemas.html

Cloudera Bug: OPSAPS-33752

Alert Publisher throws "unsigned 32bit value" error after long uptime

Fixes an issue where the Alert Publisher throws "unsigned 32bit value" error after long uptime. TimeTick is an extension of UnsignedInteger32 type. TimeTick represents time in 1/100 seconds. Its value range is 0 to 4294967295. Activity Monitor's uptime is a Java long type that can exceed the range of TimeTicks. Before this fix, long uptime could cause the Alert Publisher to throw the "unsigned 32bit value" error.

Cloudera Bug: OPSAPS-35564

Issues Fixed in Cloudera Manager 5.9

Configuration changes marking too many roles as stale

When upgrading to Cloudera Manager 5.9 or later, YARN will become stale due to the following properties changing to be emitted to the Resource Manager role only:

  • yarn.scheduler.fair.user-as-default-queue
  • yarn.scheduler.fair.preemption
  • yarn.scheduler.fair.sizebasedweight
  • yarn.scheduler.fair.assignmultiple
  • yarn.scheduler.fair.locality.threshold.node
  • yarn.scheduler.fair.locality.threshold.rack

This fixes a problem where changes to these configurations would mark too many roles as stale. You can safely ignore staleness to any role caused by the removal of these configuration parameters.

Cloudera Bug: OPSAPS-32610

Impala load_catalog_in_background configuration should be set to false by default in Cloudera Manager

Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.

Cloudera Bug: OPSAPS-35869

Oozie first run fails with custom principals

Fixed an issue in Cloudera Manager 5.8.1 where the first time Oozie is run it fails if using Kerberos custom principals.

Cloudera Bug: OPSAPS-35822

Cluster export fails when service configuration is invalid

Fixed an issue in the export cluster template code path where it was failing because of stale configuration settings in the Cloudera Manager database. This can occur when configurations are deprecated on older CDH releases.

Cloudera Bug: OPSAPS-35586

Add gateway role to Kafka and move dependencies' client configs into Kafka's client configs

Cloudera recommends that you place your Kafka host in the same logical cluster as your Sentry host. However, if you deploy Kafka as a separate logical cluster, you can deploy a dummy Sentry service on Kafka's logical cluster with an override for sentry-site.xml to point to the Sentry service on the first logical cluster, and then it can be turned off. This is a workaround that allows Cloudera Manager to generate the appropriate Sentry client configurations for Kafka.

Cloudera Bug: OPSAPS-35369

Sentry Upgrade command is not retriable

If the Sentry Upgrade command fails, you can now retry the command.

Cloudera Bug: OPSAPS-35365

Impala Breakpad script does not convert exponentials into decimals and leads to errors

Fixed an issue where the Impala Breakpad script fails if you try to collect more than 10 MB of dumps from a single role.

Cloudera Bug: OPSAPS-34971

HDFS-S3: Incremental backup support

HDFS-S3 replication supports incremental backups using snapshot diffs. HDFS-S3 replication does not support incremental restore using snapshot diff.

Cloudera Bug: OPSAPS-34987

Fix css in navigation

Fixed several small issues:
  1. Do not show role link again on the role instances page.
  2. Do not bold the decommission state.
  3. Do not use long display name for hosts; use short display name.
  4. Show the role link on the role health test page.
  5. Show Today rather than the long time label.
  6. Show only month, date when the year is the same.
  7. Make the icons in navigation line up.
  8. Make the icons in navigation not so wide.
  9. Change all line-height settings to multiples of 4.
  10. Add back the border below the title.

Cloudera Bug: OPSAPS-35262

Fix sorting on the instances page

Fixed the initial sort order on the instances page.

Cloudera Bug: OPSAPS-35268

Nightly Charts are broken due to gridster refactoring

There is a permission issue on the Cluster Status page where the grid is never enabled, and on the View Page where the grid is always enabled for all users. The former change allows the user to customize the Cluster status page. The latter change ensures that users do not get errors when customizing specific view pages.

Cloudera Bug: OPSAPS-34526

Redact s3 credential properties in MR by default.

AWS S3 credentials, if specified in the job configuration by setting fs.s3a.access.key and fs.s3a.secret.key, were shown as clear text in MapReduce UIs. The credentials are now redacted by default in all MapReduce UIs.

Cloudera Bug: OPSAPS-36840

Latest Cloudera Manager Java client does not work on older Cloudera Manager

Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.

Cloudera Bug: OPSAPS-36315

Comment for command retry in the cm_api Python github needs to be updated

Fixed the API command documentation to include the canRetry attribute. Added a new method, ApiCommand.getCanRetry() and deprecated the method ApiCommand.isCanRetry().

Cloudera Bug: OPSAPS-36009

cm_api changes for HDFS Cloud replication schedule args

Python API changes for HDFS cloud replication.

Cloudera Bug: OPSAPS-35892

Defaults to 1st Impala service in the cluster when there are multiple Impalas

Fixed an issue that prevented the display of Impala usage on the Cluster Utilization page when there are two Impala services in the same cluster. The UI shows usage for the first Impala service only.

Cloudera Bug: OPSAPS-34495

Staleness check page popped up 30s ~ 60s after clicking the icon.

Fixed an issue where a stale configuration page would take a lot of time to load for a large cluster.

Cloudera Bug: OPSAPS-34497

Oozie points to older sharelib even after running sharelib install command

Fixed the Install Oozie Share Lib action so that the Oozie service is informed that there is a new shared library installed. This eliminates the need for a separate manual restart.

Cloudera Bug: OPSAPS-26825

Cloudera Manager set catalogd default jvm memory to 4G can cause out of memory error on upgrade to Cloudera Manager 5.7+

After upgrading to 5.7 or later, you might see a reduced Java heap maximum on Impala Catalog Server due to a change in its default value. Upgrading from Cloudera Manager lower than 5.7 to Cloudera Manager 5.8.2 no longer causes any effective change in the Impala Catalog Server Java Heap size.

When upgrading from Cloudera Manager 5.7 or later to Cloudera Manager 5.8.2, if the Impala Catalog Server Java Heap Size is set at the default (4GB), it is automatically changed to either 1/4 of the physical RAM on that host, or 32GB, whichever is lower. This can result in a higher or a lower heap, which could cause additional resource contention or out of memory errors, respectively.

Cloudera Bug: OPSAPS-34039

Agent uses USER env var to run everything if it is set

Cloudera Manager Server now runs services using the user ID with which that single-user mode is configured. If single-user mode is configured on the agents to use the user cloudera-scm, then an attempt to run Hive as the user hive fails.

Cloudera Bug: OPSAPS-35621

In LZO enabled clusters, the cluster utilization feature fails

YARN usage aggregation job now runs successfully on clusters where LZO compression is being used.

Cloudera Bug: OPSAPS-33356

HDFS Snapshot policy is selecting unhealthy host to run on

When selecting a role to run the HDFS Snapshot command, Cloudera Manager selects a non-decommissioned host in Active status. Also, hosts in maintenance mode have a lower priority than the ones in active state.

Cloudera Bug: OPSAPS-33144

Discourage CSDs from producing client config files that pollute the root dir

For CSD development, there are now deprecation warnings in the CLI validation tool and the Maven validation plugin. These indications provide guidance for future behavior changes in the support of CSD services in Cloudera Manager. A deprecation warning is shown when applicable, but does not affect the outcome of the validation.

Cloudera Bug: OPSAPS-33510

Ensure that one-off processes cannot re-execute.

One-off requests, such as "Inspect Hosts," do not re-execute.

Cloudera Bug: OPSAPS-34255

Hive Replication Command should update copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Cloudera Manager complains "Unable to parse the input XML" when you enter a working XML for the "Fair Scheduler XML Advanced Configuration Snippet (Safety Valve)"

Passing a legal XML value to Fair Scheduler XML Advanced Configuration Snippet (Safety Valve) no longer causes a parsing error.

Cloudera Bug: OPSAPS-34329

If files excluded by exclusion filters are renamed, they are not replicated

Customers using Incremental HDFS replication had an issue where if an excluded file (through exclusion filters) is renamed to an included file, the new file was not copied to the destination cluster. This issue is resolved as part of this fix.

Cloudera Bug: OPSAPS-34066

Proper fix to handle parcel activation falsely succeeding when host health is failing

Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix involves adding an extra step to wait for hosts to report the correct parcel version before proceeding.

Cloudera Bug: OPSAPS-33766

Deferred cgroup removal might not be waiting at all

This fix provides some wait time before the SCM agent attempts to remove control groups (cgroups) again after initial failure.

Cloudera Bug: OPSAPS-32331

SMON should only fall back to Oozie's instrumentation endpoint if the metrics endpoint gives a 503

SMON blindly fell back to Oozie's instrumentation endpoint if it had any problems with the metrics endpoint. Now, SMON falls back only if the metrics endpoint returns a 503 error code, which is the only case in which it could possibly have success with the instrumentation endpoint.

Cloudera Bug: OPSAPS-31988

Support bundle missing client configuration deployment logs

Client configuration deployment logs, which were unintentionally removed in Cloudera Manager 5.3, are now collected as part of the diagnostics support bundle.

Cloudera Bug: OPSAPS-31377

Use concurrency option when uploading the sharelib to be faster

You can increase the number of threads used to upload the Oozie sharelib to HDFS. This significantly reduces the time it takes for this operation. This feature is available starting in CDH 5.9.0.

Cloudera Bug: OPSAPS-31078

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"

Before this fix, the host inspector incorrectly warned about kernel version "2.6.32-504.16.2" as "non-recommended".

Cloudera Bug: OPSAPS-35170

Agent orphan cleanup removes process dir from in flight process

With this fix, the preventative steps in TSB-181 are no longer required.

Cloudera Bug: OPSAPS-35294

Rolling upgrade fails if services stopped

Rolling upgrade will no longer fail if services are stopped.

Cloudera Bug: OPSAPS-34322

Redact Content from Flume configuration

Enabled redaction of sensitive information from Flume configuration.

Cloudera Bug: OPSAPS-34506

Redaction of sensitive information from diagnostic bundles at creation time

Cloudera Manager is designed to transmit certain diagnostic data (or bundles) to Cloudera. The Cloudera Support team uses diagnostic bundles to reproduce, debug, and address technical issues for customers. Cloudera support discovered that potentially sensitive data might be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose. Cloudera has taken the following actions:
  • Modified Cloudera Manager so that known sensitive data is redacted from the bundles before transmission to Cloudera.
  • Updated Cloudera CDH components to remove logging and output of known potentially sensitive properties and configurations.

See Redaction of Sensitive Information from Diagnostic Bundles.

Cloudera Bug: OPSAPS-34621

Huge memory leak if the HDFS File Browser UI remains open for an extended time

If the HDFS File Browser were kept open for long periods of time, it could cause a memory leak that would cause Cloudera Manager to crash. This fix addresses the issue.

Cloudera Bug: OPSAPS-35168

Evaluate impact of disabling second-level cache on performance at scale

Disabled second level hibernate cache, which was causing the cache to become "stale" under load. There is no significant difference in Cloudera Manager performance after disabling the cache.

Cloudera Bug: OPSAPS-34010

Express wizard failing to install ZooKeeper

Installing CDH using Packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which could result in the wizard using the wrong one. The Cloudera Manager wizard now ensures the correct binaries are selected. Workaround: Use the parcels format or manually install the correct packages.

Cloudera Bug: OPSAPS-36100

Empty archive files should not be created for impala role diagnostics

Support Bundles started collecting Impala minidumps bundles in Cloudera Manager 5.8.0 and higher. It was generating an empty TAR file if no bundles were found. With this fix, no empty TAR files are generated.

Cloudera Bug: OPSAPS-34887

Cloudera Manager no longer shows "this step is expected to fail" when enabling HDFS-HA

Cloudera Manager now shows the correct label when performing HA.

Cloudera Bug: OPSAPS-30777

If total_space_bytes is very large, heartbeats fail

Fixed an issue where the heartbeat fails with a host that has a mount point backed by cloud storage, such as AWS.

Cloudera Bug: OPSAPS-35742

Enabling cgroups requires "impala" group even if there is no Impala service

Fixed the presumption that any default-named group exists in hosts. YARN cgroup containers do not require the Impala user/group to be present in hosts.

Cloudera Bug: OPSAPS-35242

OOMKiller script not works for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.

Cloudera Bug: OPSAPS-33991

Issues Fixed in Cloudera Manager 5.8.5

Privilege Escalation in Cloudera Manager

Fixed an issue where a read-only Cloudera Manager user can discover the usernames of other users and elevate the privileges of another user. A user cannot elevate their own privilege.

Cloudera Bug: OPSAPS-34124

Use whitelist to only check known good parcels before first run

During the execution of First-Run command, the command only waits for the Cloudera Manager Agent to detect CDH parcels and does not wait for any other activated parcels. Previously, it was waiting for agents to detect all the activated parcels.

Cloudera Bug: OPSAPS-38304

HBase configuration is supplied for Hive when HBase service is not selected

Fixed an issue where Cloudera Manager provided configuration for the hive-site.xml file even if the HBase Service setting in Hive is not selected, which could cause unnecessary errors when Hive-on-Spark attempts to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in the hive-site.xml only when Hive is dependent on HBase.

This issue has been fixed in the following releases:
  • CM5.8.5 and higher maintenance releases,
  • CM5.9.2 and higher maintenance releases,
  • CM5.10.2 and higher maintenance releases,
  • CM5.11.1 and higher maintenance releases

When you upgrade Cloudera Manager from an older version to one of the fixed versions, many services may have stale configurations. You must restart all the stale services in order for them to receive the updated configuration in the hive-site.xml file.

Cloudera Bug: OPSAPS-39021

getRoles filtering is not working with Cloudera Manager API version 11 and higher

Fixed a bug that broke backwards compatibility with Cloudera Manager API version 11 (introduced with the Cloudera Manager 5.6 release) for the following endpoint:
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Cloudera Bug: OPSAPS-40184

Placement rules in DRP UI should provide option to not create sub-pools

Nested User Pools (except existingSecondaryGroup) now support create=true|false as a checkbox in the UI.

Cloudera Bug: OPSAPS-39625

Low watermark value for Memstore Flush default is incorrect

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low at .38. This can cause severe underutilization of the memstore.

The default has been corrected to be .95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of .38, it will automatically be increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value <= .9, it will be flagged as a configuration warning.

Fixed in: Cloudera Manager 5.12, 5.11.1, 5.10.2, 5.9.3, 5.8.5

Cloudera Bug: OPSAPS-38468

Issues Fixed in Cloudera Manager 5.8.4

CM server error - JsonMappingException

Fixed a race condition that could occur when getting the log links for unhealthy roles and cause a null pointer exception on the Cloudera Manager homepage.

Cloudera Bug: OPSAPS-32804

Dollar sign ($) char in password results in IllegalArgumentException

Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.

Cloudera Bug: OPSAPS-37542

Error when distributing parcels : No such torrent

Parcel distribution can fail, returning the error message:
Error when distributing to host: No such torrent:parcel_name.torrent

Workaround: Remove the file /opt/cloudera/parcel-cache/parcel_name.torrent from the host.

Cloudera Bug: OPSAPS-37183

Hive Replication Command should update copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Cloudera Bug: OPSAPS-38700

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Ability to configure the length of Impala queries that SMON keeps in memory

Lengthy queries (such as Impala DDLs) sometimes overloaded the SMON (service monitor) heap, resulting in out-of-memory exceptions (OOME). With this release, queries are limited to 10k characters by default. This setting can be adjusted using the safety valve mechanism (Advanced Configuration Snippet) in Cloudera Manager.

Cloudera Bug: OPSAPS-37053

Issues Fixed in Cloudera Manager 5.8.3

YARN historical reports by user shows pool-user entity

When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)

Cloudera Bug: OPSAPS-34986.

If total_space_bytes is very large, heartbeats fail

Fixes heartbeat failure with a host that has a mount point backed by cloud storage, such as AWS.

Cloudera Bug: OPSAPS-36144.

OPSAPS-29327 Add config for hive.metastore.server.max.message.size

You can configure hive.metastore.server.max.message.size using Max Message Size for Hive MetaStore. The default setting is 100MB. This can cause staleness during a Cloudera Manager upgrade.

Cloudera Bug: OPSAPS-34098.

CM blocks from HS2 enabling both LDAP and Kerberos authentication

HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 and higher.

Cloudera Bug: OPSAPS-34310.

Backport OPSAPS-36100 Debian 8.2 packages cdh install fix to C5.8

Installing CDH using Packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which caused the installer to get confused and pick the wrong one. Cloudera Manager's wizard now ensures the correct binaries are selected.

Cloudera Bug: OPSAPS-36971.

Impala load_catalog_in_background config should set to "false" by default in CM

Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.

Cloudera Bug: OPSAPS-35869.

[api] Latest CM Java client does not work on older CM

Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.

Cloudera Bug: OPSAPS-36315

Empty archive files should not be created for Impala role diagnostics

Support Bundles started collecting Impala minidump bundles with Cloudera Manager 5.8 and higher. If no bundles were found, Cloudera Manager generated an empty TAR file. With this fix, no empty TAR files are generated.

Cloudera Bug: OPSAPS-34887

OOMKiller script not works for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple java processes including other roles on the same host.

Cloudera Bug: OPSAPS-33991

Sentry Upgrade command is not retriable

If the Sentry Upgrade command fails, you can now retry the command.

Cloudera Bug: OPSAPS-35365

Support non-public schemas

Cloudera Manager used to work with only the 'public' schema in PostgreSQL. With this change, Cloudera Manager supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user, database, and so on. See https://www.postgresql.org/docs/current/static/ddl-schemas.html

Cloudera Bug: OPSAPS-33752

Issues Fixed in Cloudera Manager 5.8.2

Improve advanced configuration snippet redaction to encompass cloud provider credentials and other access tokens

The redaction of potentially sensitive parameters in advanced configuration snippets is extended to those commonly used by the Azure Data Lake.

Cloudera Bug: OPSAPS-29523

If files excluded by exclusion filters are renamed, they are not replicated

Customers using Incremental HDFS replication had an issue where if an excluded file (through exclusion filters) is renamed to an 'included' file, the new file is still not copied to the destination cluster. This issue is resolved as part of this fix.

Cloudera Bug: OPSAPS-34066

Hive Replication Command should update copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Increase default Solrd watchdog Timeout value

Solr server initialization can take up to 60 secs to complete. During this time interval, Solr server does not respond to the solrd watchdog requests. This can result in solrd watchdog terminating the Solr server process. The default timeout duration for watchdog is increased to 70 secs.

Cloudera Bug: OPSAPS-34320

Add service changes YARN settings

In Cloudera Manager 5.7, adding any new service to your cluster can cause the YARN setting for mapreduce.job.reduces to change unexpectedly. Adding a service no longer causes this problem.

Cloudera Bug: OPSAPS-34151

OPSAPS-29327 Add config for hive.metastore.server.max.message.size

The Hive Metastore maximum message size can now be configured using Max Message Size for Hive MetaStore. It defaults to 100MB. This change can cause staleness for customers on Cloudera Manager upgrade.

Cloudera Bug: OPSAPS-34098

XSS in Kerberos activation

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

Cloudera Bug: OPSAPS-33883

Upload deployment.json fails when it contains replication info

Migrating Cloudera Manager using a deployment.json file that contained existing Hive replication schedules used to fail. This has been fixed in this release.

Cloudera Bug: OPSAPS-33927

Cloudera Manager set catalogd default jvm memory to 4G may cause oom on upgrade to Cloudera Manager 5.7+

After upgrading to 5.7 or later, customers could see a reduced Java heap maximum on Impala Catalog Server, due to a change in its default value. An upgrade from a Cloudera Manager release lower than 5.7 to Cloudera Manager 5.8.2 no longer causes any effective change in the Impala Catalog Server Java heap size.

Cloudera Bug: OPSAPS-34039

Oozie first run fails with custom principals

In 5.8.1, Oozie first run fails if using Kerberos custom principals. This is now fixed.

Cloudera Bug: OPSAPS-35822

Hive Replication shows "Dry Run" incorrectly

The known issue where running Hive Replication showed "Dry Run" in the status message is now fixed.

Cloudera Bug: OPSAPS-33206

HDFS Snapshot policy is selecting unhealthy host to run on

Policy for selecting a role to run HDFS Snapshot command: We select a non-decommissioned host that is in Active status. Also, hosts in maintenance mode have a lower priority than hosts in active state.

Cloudera Bug: OPSAPS-33144

Cluster export fails when service configuration is invalid

The export cluster template code path was failing because of stale configuration in the Cloudera Manager database. Having a stale configuration in the database is possible. This could happen when configurations are deprecated on older CDH releases.

Cloudera Bug: OPSAPS-35586

Agent orphan cleanup removes process dir from in flight process

With this fix, the preventative steps in TSB-181 are no longer required.

Cloudera Bug: OPSAPS-35294

Fix CatalogServiceClient to handle TLS connections to catalogd for UDF replication

When Impala uses SSL, Cloudera supports TLS Connection to Catalog Server. Customers are able to enable replication for any Impala UDFs/Metadata (in Hive Replication).

Cloudera Bug: OPSAPS-34801

Redact Content from Flume config

Enabled redacting sensitive information from Flume configuration.

Cloudera Bug: OPSAPS-34506

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2" as "non-recommended."

Cloudera Bug: OPSAPS-35170

Impala Breakpad script does not convert exponentials into decimals and leads to errors

Impala Breakpad script failure that happens when trying to collect more than 10 MB of dumps from a single role is fixed.

Cloudera Bug: OPSAPS-34971

Oozie points to older sharelib even after running sharelib install command

After an "Install Oozie Share Lib" action, the Oozie service is informed that there is a new shared lib installed. This eliminates the need for a separate manual restart.

Cloudera Bug: OPSAPS-26825

Issues Fixed in Cloudera Manager 5.8.1

CDH upgrade from 5.7.x to 5.8.x fails when Sentry gateway role is enabled

If the Sentry Gateway role is configured on any hosts of a CDH 5.7.x cluster, the upgrade process to CDH 5.8.x fails.

Upgrades to CDH 5.8.x now complete successfully.

Cloudera Bug: OPSAPS-35356

Issues Fixed in Cloudera Manager 5.8.0

Changes to yarn.nodemanager.remote-app-log-dir not picked up from gateway

YARN log aggregation did not work when yarn.nodemanager.remote-app-log-dir was configured to a non-default location. Now this value is emitted in YARN client configuration, ensuring client logs go to the proper location.

This fix causes staleness.

Cloudera Bug: OPSAPS-29422

MapReduce2 Counter Limits on Cloudera Manager's YARN page

Fixed an issue where the MapReduce2 property mapreduce.job.counters.max was not included in the configuration for the JobHistory Server, which could cause jobs to fail if there were too many counters. This might happen despite increasing the limit configured in Cloudera Manager. The property is now included in the JobHistory Server configuration, in addition to the related property mapreduce.job.counters.groups.max.

This fix causes staleness.

Cloudera Bug: OPSAPS-26705

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

Kafka unable to start due to misconfigured security.inter.broker.protocol when Kerberos is enabled

Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.

This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.

Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

Child commands for deleting or adding a nameservice show stack trace

In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.

Cloudera Bug: OPSAPS-33383

Setting owner of a file in Isilon fails

On Isilon systems, the owner that the file is being changed to must be present on the system. In general cases, the user is not present, so this command fails with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Cloudera Bug: OPSAPS-33145

Handle drop-recreate partition efficiently

With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).

Cloudera Bug: OPSAPS-33954

HiveReplicationCmdArgs.update is not accessible using Cloudera Manager

In Hive replication, you can choose to update one or more of the entities INDICES, PARAMETERS, PARTITIONS, and PRIVILEGES by adding the following instruction to the Hive Replication Environment Advanced Configuration Snippet (Safety Valve):
PROPERTIES_TO_UPDATE=INDICES,PARAMETERS,PARTITIONS,PRIVILEGES 

Cloudera Bug: OPSAPS-33953

Operation log directory should be configurable and monitored in Cloudera Manager

HiveServer has two new properties for configuration of operation logging.
Property | Default
Enable HiveServer2 Operations Logging | true
HiveServer2 Operations Log Directory | /var/logs/hive/operation_logs

Cloudera Bug: OPSAPS-29483

Kerberos should use non-person objects when creating principals in Active Directory

You can now configure Active Directory account properties. You can use custom values for objectClasses to configure accounts, including non-person objects.

Cloudera Bug: OPSAPS-30301

Key Trustee KMS should use round-robin configuration when Key Trustee server uses High Availability

If the Key Trustee server is configured with High Availability, the Key Management Service needs to use round-robin DNS.

Cloudera Bug: OPSAPS-29221

AD_ACCOUNT_PREFIX should not be required

Active Directory Account Prefix was improperly implemented as a required configuration for Security/Kerberos. The use of this configuration is now optional.

Cloudera Bug: OPSAPS-29196

Proper fix to handle parcel activation falsely succeeding when host health is failing

Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix involves adding an extra stop to wait for hosts to report the correct parcel version before proceeding.

Cloudera Bug: OPSAPS-33766

Document Kerberos + Isilon support in Disaster Recovery

BDR is now supported on Isilon (including on clusters secured with Kerberos).

Cloudera Bug: OPSAPS-33758

Separation of authentication and authorization coprocessor configs in HBase

HBase Secure Bulkload is now enabled for all CDH 5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed in HBase-related MapReduce jobs.

Cloudera Bug: OPSAPS-33657

Cloudera Manager - BDR UI - Generate replication diagnostics data. Failed due to java.lang.NullPointerException.

Trying to collect diagnostic data for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of displaying a Java stack trace.

Cloudera Bug: OPSAPS-33438

Diagnostic collection fails on a failed BDR job

Failed BDR jobs no longer report errors on "Collect diagnostic data" actions.

Cloudera Bug: OPSAPS-33474

Redact Advanced Configuration Snippets in the UI that contain secrets

Cloudera Manager 5.8 supports redaction of Advanced Configuration Snippet parameters in UI configuration pages. Redaction is based on matching keywords defined as sensitive, and detected within the contents of the Advanced Configuration Snippet text. Users who can edit the parameter still see the sensitive words, but users without edit privileges see only the redacted contents.

Cloudera Bug: OPSAPS-33401
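
A sketch of the keyword-based redaction described in the entry above, added here as an illustration and not Cloudera Manager's own code. The keyword list, the mask string, and the names is_sensitive and render_snippet are assumptions; the page does not list the keywords Cloudera Manager treats as sensitive.

```python
import re

# Assumed keyword list; chosen for illustration only.
SENSITIVE_KEYWORDS = ("password", "secret", "token", "credential", "access.key")
REDACTED = "********"

# Constructed sample snippets (values are made up).
XML_SNIPPET = """<property>
  <name>fs.s3a.access.key</name>
  <value>constructed-access-key-id</value>
</property>
<property>
  <name>fs.s3a.secret.key</name>
  <value>constructed-secret-value</value>
</property>
<property>
  <name>dfs.replication</name>
  <value>3</value>
</property>"""

ENV_SNIPPET = """HADOOP_OPTS=-Xmx2g
# AWS_SECRET_ACCESS_KEY is set below
AWS_SECRET_ACCESS_KEY=constructed-secret
agent.sinks.k1.hdfs.path=/flume/events"""

# <name>…</name> followed by its <value>…</value>, possibly on separate lines.
XML_PROPERTY = re.compile(
    r"(<name>\s*([^<]+?)\s*</name>\s*<value>)(.*?)(</value>)", re.DOTALL
)


def is_sensitive(name):
    """True when a parameter name contains one of the sensitive keywords.

    Separators are normalised so AWS_SECRET_ACCESS_KEY and
    fs.s3a.access.key are matched by the same keyword list.
    """
    normalised = re.sub(r"[^a-z0-9]+", ".", name.strip().lower())
    return any(keyword in normalised for keyword in SENSITIVE_KEYWORDS)


def redact_xml(text):
    """Mask the <value> of every property whose <name> is sensitive."""
    def mask(match):
        if is_sensitive(match.group(2)):
            return match.group(1) + REDACTED + match.group(4)
        return match.group(0)
    return XML_PROPERTY.sub(mask, text)


def redact_key_value(text):
    """Mask the value of every KEY=VALUE line whose key is sensitive."""
    lines = []
    for line in text.splitlines():
        key, sep, _value = line.partition("=")
        is_comment = key.lstrip().startswith("#")
        if sep and not is_comment and is_sensitive(key):
            line = key + sep + REDACTED
        lines.append(line)
    return "\n".join(lines)


def render_snippet(text, can_edit):
    """Return the snippet as a given user should see it.

    Users who can edit the parameter get the original text; everyone
    else gets the redacted view, matching the behaviour described above.
    """
    if can_edit:
        return text
    if "<property>" in text:
        return redact_xml(text)
    return redact_key_value(text)
```

Substring matching of this kind over-redacts (a name containing "tokenizer" is masked too), which is the safer direction for a read-only view.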

Cloudera Manager - snapshot - take snapshot - needs reset of illegal character when fixed

Fixed an issue in the Take Snapshot dialog where the validation of the snapshot name could become "stuck" and prevent execution of the operation.

Cloudera Bug: OPSAPS-33464

BDR UI: Add Search back - It is difficult to find the desired replication schedule in the Cloudera Manager 5.5 UI

The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.

Cloudera Bug: OPSAPS-33171

Spark standalone does not come up if HDFS is not available

The Spark standalone service now works without an HDFS service. This requires Spark services to show up as stale and require a restart after upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33509

Cloudera Manager - add hdfs nameservice - gets stack trace

In an existing HDFS High Availability setup, when the user tries to add or delete a nameservice and, in the process, attempts to get progress on the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs the user that the child commands have not yet run.

Cloudera Bug: OPSAPS-33383

BDR Replication Schedule page is slow to load

Replication schedules page load performance is improved.

Cloudera Bug: OPSAPS-33125

Replication DistCp - setOwner behavior on Isilon causing failures

On Isilon systems, the owner to which the file is being changed must be present on the system. In general cases, the user is not present, so this command tends to fail with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Cloudera Bug: OPSAPS-33145

Unable to start Hue on cluster that's using Kerberos and Isilon

Hue service can now start with Isilon if Kerberos is enabled.

Cloudera Bug: OPSAPS-27441

Enable database notifications from Hive

Hive now has the property Enable Stored Notifications in Database. When set, Hive logs DDL notifications in Hive Metastore.

Cloudera Bug: OPSAPS-32629

The hbase user should be whitelisted by default in the list of allowed system users to launch YARN applications

YARN Allowed System Users now includes hbase by default. This is helpful when running certain tools for HBase that need to execute MapReduce jobs.

Cloudera Bug: OPSAPS-32631

Allow HDFS Balancer to login with keytab

When running an HDFS rebalance command on a kerberized cluster with a large amount of data, it could take enough time to complete that authentication would expire and cause an error. Leveraging a new capability in HDFS, the rebalance command is now able to use a keytab file to automatically renew authentication before it expires.

Cloudera Bug: OPSAPS-32372

Add support for delete tables and databases deleted on the source

Cloudera Manager now supports deletion of entities from a target Hive database when those entities are deleted from the source Hive database during Hive incremental replication.

Cloudera Bug: OPSAPS-32625

Default MapReduce option should be YARN

The default MapReduce service for a new replication schedule is YARN.

Cloudera Bug: OPSAPS-32650

BDR Administrator cannot enable snapshots though the role says it can

BDR Administrator authority message is now more accurate: Create replication schedules and snapshot policies.

Cloudera Bug: OPSAPS-32521

Hive incremental replication enhancements

Cloudera Manager 5.8 includes Hive incremental replication support.

Cloudera Bug: OPSAPS-32366

Cloudera Manager API allows users with read-only privileges to list all Cloudera Manager users

A security bug in the Cloudera Manager API allowed users with read-only permissions to view all the existing users in Cloudera Manager. This issue is now fixed.

Cloudera Bug: OPSAPS-32916

Decide the value for TTL for DbNotifications

You can configure Time-to-live for Database Notifications in Hive for notifications present in the NOTIFICATION_LOG. The default is 2 days.

Cloudera Bug: OPSAPS-32898

Make the cluster menu sticky

Previously, the Clusters menu expanded the first cluster by default. As the user expanded or collapsed the accordion, it remembered the configuration for the current session. When the user went to the services, roles, or host of another cluster, it maintained the configuration of the previously expanded cluster (which might or might not match). In Cloudera Manager 5.7.1 and higher, Cloudera Manager records the last relevant cluster when the user visits a cluster, service, role or host page, and expands that cluster in the Clusters menu by default.

Cloudera Bug: OPSAPS-32850

NPE on Impala Admission Control page if Memory Limit is not set

In lower releases, if the configuration Impala Daemon Memory Limit is not set, the Impala Admission Control page throws a NullPointerException. This is now fixed.

Cloudera Bug: OPSAPS-33023

Change Impala service configs for admission control

Enable Impala Admission Control and Enable Dynamic Resource Pools are now enabled by default. Customized configuration values are preserved during upgrade.

Cloudera Bug: OPSAPS-32737

Disaster Recovery on Isilon breaks with Kerberos

BDR on Isilon storage is now supported with kerberized clusters.

Cloudera Bug: OPSAPS-32825

Breakpad Crash Reporting for Impala

Support bundles now collect "minidumps" from Impala that help to debug Impala crash issues. As part of this functionality, Cloudera Manager exposes two properties for three roles (Impalad, Catalog Server, Statestore Server).

Property | Description
Breakpad Dump Dir | This determines where the "minidumps" are temporarily available.
Max Breakpad Dump Files | This determines the maximum number of files stored in dump dir (this limits the amount of storage allocated to Impala dump files).

Cloudera Bug: OPSAPS-33050

s3 protocol and scheme should not be pruned during Hive metadata export

With this change, the cloud HDFS path remains as it is after replication.

Cloudera Bug: OPSAPS-32022

YARN mapreduce.shuffle.max.connections is a NodeManager setting and not a client setting

mapreduce.shuffle.max.connections was emitted to files of YARN clients instead of the NodeManager. It is now correctly emitted only for the NodeManager.

Cloudera Bug: OPSAPS-31772

Kafka unable to start due to listener misconfiguration when Kerberos is enabled

Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

Chart Builder not showing graphs on IE9

In Cloudera Manager 5.7, charts would not render in the Chart Builder page on IE9. This issue is fixed in Cloudera Manager 5.8.

Cloudera Bug: OPSAPS-31561

Deb 8.2 support for Cloudera Manager

Cloudera Manager is now supported on Debian 8.2.

Cloudera Bug: OPSAPS-31296

ResourceManager would not start if NodeManager were down during the start phase of the restart cycle

All YARN roles are stopped and started together when the service stop or start command is issued with CDH 5.2 and higher. If CDH version is lower than 5.2, the previous behavior of stopping ResourceManagers before NodeManagers and starting them after NodeManagers stays the same.

Cloudera Bug: OPSAPS-30981

Default TLS keystore location for HTTPFS is on non-persistent disk

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on the new host, then update the configuration in Cloudera Manager to point to the new path.

Cloudera Bug: OPSAPS-27976

Active Directory principals created without AES 128/256 bit cause job failures if cluster is configured for AES

It is now possible to configure encryption types for Active Directory setups in Cloudera Manager, using a new property on the Kerberos configuration page, Kerberos Encryption Types. You can configure only the following 5 encryption types:
  • rc4-hmac
  • aes128-cts
  • aes256-cts
  • des-cbc-crc
  • des-cbc-md5
Using other values for the encryption type causes validation of this field to fail during upgrade to CDH 5.8.

Cloudera Bug: OPSAPS-27020

MR2 counter limits in the Cloudera Manager YARN page should populate all MR2 config files

The MapReduce2 property mapreduce.job.counters.max was not included in the configuration for the JobHistory Server, which could cause jobs to fail if there were too many counters. This might happen despite increasing the limit configured in Cloudera Manager. The property is now included in the JobHistory Server configuration, in addition to the related property mapreduce.job.counters.groups.max.

Cloudera Bug: OPSAPS-26705

BDR: support use of a custom principal

Cloudera Manager now supports custom Kerberos principals for BDR.

Cloudera Bug: OPSAPS-24658

Add QueryMonitoring chart to Impala service charts

A new chart on the Impala service page shows query duration for completed Impala queries.

Cloudera Bug: OPSAPS-22909

Add symbols to Cloudera Manager generated Active Directory passwords

Cloudera Manager now allows Active Directory password complexity to be configured using a new security configuration on the UI. The following table lists the default values.
Name | Value
length | 12
minLowerCaseLetters | 2
minUpperCaseLetters | 2
minDigits | 2
minSpaces | 0
minSpecialChars | 0
specialChars | ?.!$%^*()-_+=~
You can modify these values and regenerate Active Directory credentials to create new passwords.

Cloudera Bug: OPSAPS-22853
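
How the settings listed above constrain a generated password, as an added example that is not Cloudera Manager's generator. It assumes the characters beyond the required minimums are drawn from letters and digits plus any optional class with a nonzero minimum; the function names violations and generate_password are hypothetical.

```python
import secrets
import string

# Default values exactly as listed in the entry above.
DEFAULT_POLICY = {
    "length": 12,
    "minLowerCaseLetters": 2,
    "minUpperCaseLetters": 2,
    "minDigits": 2,
    "minSpaces": 0,
    "minSpecialChars": 0,
    "specialChars": "?.!$%^*()-_+=~",
}


def char_classes(policy):
    """Map each minimum-count setting to the characters that satisfy it."""
    return {
        "minLowerCaseLetters": string.ascii_lowercase,
        "minUpperCaseLetters": string.ascii_uppercase,
        "minDigits": string.digits,
        "minSpaces": " ",
        "minSpecialChars": policy["specialChars"],
    }


def violations(password, policy):
    """Return a list of policy settings the password does not meet."""
    found = []
    if len(password) != policy["length"]:
        found.append("length: %d != %d" % (len(password), policy["length"]))
    for setting, alphabet in char_classes(policy).items():
        count = sum(1 for ch in password if ch in alphabet)
        if count < policy[setting]:
            found.append("%s: %d < %d" % (setting, count, policy[setting]))
    return found


def generate_password(policy):
    """Generate a password that satisfies the policy, using the OS CSPRNG."""
    classes = char_classes(policy)
    required = sum(policy[setting] for setting in classes)
    if required > policy["length"]:
        raise ValueError("minimum counts (%d) exceed length (%d)"
                         % (required, policy["length"]))
    chars = []
    for setting, alphabet in classes.items():
        if policy[setting] > 0 and not alphabet:
            raise ValueError("%s is set but its character set is empty" % setting)
        chars.extend(secrets.choice(alphabet) for _ in range(policy[setting]))
    # Assumption: remaining positions use letters and digits, plus spaces or
    # special characters only when their minimum is nonzero.
    filler = string.ascii_letters + string.digits
    for setting in ("minSpaces", "minSpecialChars"):
        if policy[setting] > 0:
            filler += classes[setting]
    chars.extend(secrets.choice(filler)
                 for _ in range(policy["length"] - required))
    # Shuffle so the required characters do not sit in predictable positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)
```

Under the stated assumption the default policy never emits a symbol, so a domain that requires symbols needs minSpecialChars raised before credentials are regenerated.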

Regenerate principals should delete from Active Directory, too

It is now possible to regenerate principals for Active Directory setups. This involves deletion of existing accounts and regeneration of new principals. Since some customers might not want to do this through Cloudera Manager, starting with Cloudera Manager 5.8 you can enable the new property Active Directory Delete Accounts on Credential Regeneration. Regenerating credentials with this setting enabled automatically deletes existing accounts and completes the regeneration. This setting is disabled by default. If disabled, regeneration of principals throws an error message saying that deletion of accounts is required. Cloudera Manager needs the new configuration to be set in order to delete accounts automatically.

Cloudera Bug: OPSAPS-22182

XSS in Kerberos activation

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

Cloudera Bug: OPSAPS-33883

XSS in host addition

In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.

Cloudera Bug: OPSAPS-33905

XSS in Host Templates

In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.

Cloudera Bug: OPSAPS-33882

Make it more obvious when phone home is off

In lower releases, it was not obvious in the Send Diagnostics dialog whether data would be sent back to Cloudera. The dialog is enhanced to make this information more visible.

Cloudera Bug: OPSAPS-28674

Allow ad hoc sub-pools to be created within existing pools

Cloudera Manager supports the nestedUserQueue feature in the UI. You no longer have to use the safety valve to specify nestedUserQueues. This means you can make all jobs without specified user queues go to root.<YOUR_POOL>.<username> or root.<YOUR_POOL>.<primaryGroup> from the UI.

Cloudera Bug: OPSAPS-30156

Add an option to duplicate resource pool configs

Selecting Clone lets you create a new pool from the settings of an existing pool.

Cloudera Bug: OPSAPS-32471

Impala Admission Control root pool should have configurable ACLs

Impala Admission Control now supports a global way of editing ACLs.

Cloudera Bug: OPSAPS-33963

Do not create host templates when create cluster wizard is run

During cluster creation, host templates are no longer created automatically.

Cloudera Bug: OPSAPS-32659

The modal height is not calculated correctly

In lower releases, the modal dialog is sometimes too tall. This is now fixed.

Cloudera Bug: OPSAPS-33457

new required fields Key Management Server Proxy Group created if there is more than 1 KMS instance

When adding two Key Trustee KMS roles during the initial setup wizard, sometimes these roles were assigned to different groups. The required configuration was set for some but not all of these groups, causing errors. This is now fixed.

Cloudera Bug: OPSAPS-33946

Links should not be shown on print out

When you print pages from Cloudera Manager, the printout no longer displays link URLs.

Cloudera Bug: OPSAPS-33542

Allow customization of ldap account properties for AD-Kerberos setup

The Active Directory account properties objectClasses and accountExpires are now configurable from the Kerberos Configuration UI page.

Cloudera Bug: OPSAPS-26419

Support bundle has no way to enforce that a certain time is guaranteed to be in bundle

Support bundles can now be collected for a certain time range. Users are also able to get an estimate of the bundle size before collecting the diagnostic data. Only role logs collected as a part of the support bundle are supported by this item in Cloudera Manager 5.8. This item is not available for scheduled support bundles.

Cloudera Bug: OPSAPS-23557

Fix Spark CSD to keep client config files in subdir

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it, and causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33511

Cloudera Manager Agent clears out JN data directories that leads to HDFS not restarting

On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.8, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.

Cloudera Bug: OPSAPS-34171

Hue should not use the embedded sqlite db by default when possible

Hue now has built-in support for PostgreSQL by taking advantage of the system library python-psycopg2. In addition to this library, Hue also includes the system libraries listed in the following table.

System | Library
CentOS 5 | Not supported
CentOS 6 and 7 | postgresql-libs
Ubuntu 10.04 | libpq5, python-egenix-mxdatetime and python-central
Ubuntu 12.04 and 14.04 | libpq5
SLES 11 sp2 | libpq5

Cloudera Bug: OPSAPS-12507

Issues Fixed in Cloudera Manager 5.7.6

The following issues are fixed in Cloudera Manager 5.7.6.

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the Hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Cloudera Bug: OPSAPS-37985

Hive Replication Command should update copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Bug: OPSAPS-34354

Dollar sign ($) char in password results in IllegalArgumentException

Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.

Cloudera Bug: OPSAPS-37542

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Cloudera Bug: OPSAPS-38700

CM server error - JsonMappingException

Fixed an issue where a race condition when getting the log links for unhealthy roles could cause a null pointer exception on the Cloudera Manager homepage.

Cloudera Bug: OPSAPS-32804

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in 5.11, 5.10.1, 5.9.2, 5.7.6

Cloudera Bug: OPSAPS-38865

Issues Fixed in Cloudera Manager 5.7.5

The following issues are fixed in Cloudera Manager 5.7.5.

OOMKiller script does not work for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.

Cloudera Bug: OPSAPS-33991

Issues Fixed in Cloudera Manager 5.7.4

The following issues are fixed in Cloudera Manager 5.7.4.

Agent orphan cleanup removes process dir from in flight process

With this fix, the preventative steps in TSB-181 are no longer required.

Cloudera Bug: OPSAPS-35294

YARN historical reports by user shows pool-user entity

When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)

Cloudera Bug: OPSAPS-34986

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"

Host inspector no longer flags kernel version "2.6.32-504.16.2" as "non-recommended."

Cloudera Bug: OPSAPS-35170

Fix CatalogServiceClient to handle TLS connections to catalogd for UDF replication

When Impala uses SSL, Cloudera supports TLS Connection to Catalog Server. You can enable replication for any Impala UDFs/Metadata (in Hive Replication).

Cloudera Bug: OPSAPS-34801

If total_space_bytes is really big, heartbeats fail

Fixes heartbeat failure with a host that has a mount point backed by cloud storage such as AWS.

Cloudera Bug: OPSAPS-36145

Oozie points to older sharelib even after running sharelib install command

After an "Install Oozie Share Lib" action, the Oozie service is informed that there is a new shared lib installed. This eliminates the need for a separate manual restart.

Cloudera Bug: OPSAPS-26825

Cloudera Manager blocks from HS2 enabling both LDAP and Kerberos auth

HS2 supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 or higher. Previously, this was considered an error.

Cloudera Bug: OPSAPS-34310

OOMKiller script does not work for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple Java processes, including other roles on the same host.

Cloudera Bug: OPSAPS-33991

Issues Fixed in Cloudera Manager 5.7.2

Unable to start Hue on cluster that's using Kerberos and Isilon

Hue service can now start with Isilon if Kerberos is enabled.

Cloudera Bug: OPSAPS-27441

BDR UI: Add Search back - It is difficult to find the desired replication schedule in the Cloudera Manager 5.5 UI

The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.

Cloudera Bug: OPSAPS-33171

Handle drop-recreate partition efficiently

With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).

Cloudera Bug: OPSAPS-33954

Hue static directory is browsable

The static web directory in Hue is no longer indexed and browsable when the Hue Load Balancer is used.

XSS in Kerberos activation

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

Cloudera Bug: OPSAPS-33883

XSS in host addition

In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.

Cloudera Bug: OPSAPS-33905

XSS in Host Templates

In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.

Cloudera Bug: OPSAPS-33882

Cloudera Manager Agent clears out JN data directories that leads to HDFS not restarting

On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.7.2, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.

Cloudera Bug: OPSAPS-34171

Separation of authentication and authorization coprocessor configs in HBase

HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed in HBase-related MapReduce jobs.

Cloudera Bug: OPSAPS-33657

Adding a new service changes mapreduce.job.reduces setting

Adding a new service in Cloudera Manager no longer changes the YARN setting mapreduce.job.reduces.

Cloudera Bug: OPSAPS-34151

BDR: Hive replication status always shows "(Dry Run)"

Running a Hive replication schedule in BDR no longer displays "(Dry Run)" in the status.

BDR Replication Schedule page is slow to load

Replication schedules page load performance is improved.

Cloudera Bug: OPSAPS-33125

HDFS Snapshot running on unavailable nodes

When selecting a host on which to run the HDFS Snapshot command, Cloudera Manager now excludes unavailable hosts, such as hosts in maintenance mode or decommissioned hosts.

Cloudera Bug: OPSAPS-33144

Migrating Cloudera Manager using deployment.json fails if replication schedules are configured

Migrating Cloudera Manager using deployment.json no longer fails if replication schedules are configured.

Cloudera Bug: OPSAPS-33927

Files excluded from replication are not replicated if they are renamed

If a file excluded from replication by an exclusion filter is renamed, it is now replicated properly.

Cloudera Bug: OPSAPS-34066

Issues Fixed in Cloudera Manager 5.7.1

Spark standalone does not come up if HDFS is not available

The Spark standalone service now works without an HDFS service. As a consequence of this change, Spark services show up as stale and require a restart after upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33509

Kafka unable to start due to listener misconfiguration when Kerberos is enabled

Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

Default TLS keystore location for HTTPFS is on non-persistent disk

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on the new host, then update the configuration in Cloudera Manager to point to the new path.

Cloudera Bug: OPSAPS-27976

Fix Spark CSD to keep client config files in subdir

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it. This change causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Bug: OPSAPS-33511

Cloudera Manager HDFS usage reports do not include Inode references

Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Cloudera Bug: OPSAPS-33094

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

Authentication errors occur due to missing SAML metadata

  • If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
  • If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:
    1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
    2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Cloudera Bug: OPSAPS-33088

Child commands for deleting or adding a nameservice show stack trace

In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.

Cloudera Bug: OPSAPS-33383

HiveServer2 Web UI did not use SSL when Kerberos was enabled

SSL configuration for the HiveServer2 Web UI is now used regardless of whether Kerberos is in use.

Cloudera Bug: OPSAPS-33255

Clusters menu expands to last cluster viewed

Previously, the Clusters menu expanded the first cluster by default, and as you expanded or collapsed the menu, Cloudera Manager remembered that cluster for the session. However, when you went to services, roles, or hosts of another cluster, Cloudera Manager did not remember the other cluster and showed the previously expanded cluster instead.

In release 5.7.1 and higher, Cloudera Manager remembers the last cluster viewed by a user and expands that cluster in the Clusters menu by default.

Cloudera Bug: OPSAPS-32850

Impala does not throw null pointer exception when memory limit is not set

If the configuration property Impala Daemon Memory Limit was not set, the Impala Admission Control page threw a null pointer exception.

Cloudera Bug: OPSAPS-33023

HDFS rolling restart fails after CDH upgrade

In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).

Cloudera Bug: OPSAPS-33035

The Expand Range option did not work for some charts

The Expand range to fill all values option in Chart Builder now works for all charts.

Cloudera Bug: OPSAPS-33277

Kafka unable to start due to misconfigured security.inter.broker.protocol when Kerberos is enabled

Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.

This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.

Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Cloudera Bug: OPSAPS-31744

Oozie JVM heap metrics not reported in Chart Builder for some services

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Cloudera Bug: OPSAPS-33006

Spark CSD modified

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it. This change causes the Spark service to require a restart when upgrading to Cloudera Manager 5.7.1.

Cloudera Bug: OPSAPS-33511

Poorly formed Advanced Configuration Snippets cause null pointer exception with diagnostic bundles

Certain poorly formed Advanced Configuration Snippets could cause a Null Pointer Exception when uploading diagnostic bundles and setting up a Cloudera Manager peer.

Cloudera Bug: OPSAPS-33378

Setting owner of a file in Isilon fails

On Isilon systems, the owner that the file is being changed to must be present on the system. In general cases, the user is not present, so this command fails with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Cloudera Bug: OPSAPS-33145

The Install Oozie ShareLib command is now visible to users with the Configurator role.

Cloudera Bug: OPSAPS-33157

Default location for TLS Keystore for HTTPFS is nonpersistent

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted when the host reboots. Newly created clusters now have an empty default instead of one that could be deleted. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained, so there is no disruption on upgrade. However, Cloudera Manager warns that the path is in a dangerous location. To fix this problem, move the files to a safe path on that host, and then update the configuration in Cloudera Manager to point to the new path.

Cloudera Bug: OPSAPS-27976
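A check an administrator could run before and after moving the HTTPFS keystore, as an added example (not Cloudera code): it flags a keystore path that sits under a volatile directory or on a memory-backed filesystem. The list of volatile directories, the sample mount table and the /opt/... destination path are assumptions made for the illustration.

```python
import posixpath

# Directories that are cleaned at boot or are normally memory-backed.
# Assumed list for this example; adjust it for your distribution.
VOLATILE_DIRS = ("/run", "/var/run", "/var/lock", "/tmp", "/dev/shm")
VOLATILE_FS = {"tmpfs", "ramfs"}

# Constructed /proc/mounts excerpt, used so the example runs offline.
SAMPLE_MOUNTS = """\
/dev/sda1 / xfs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /opt xfs rw,relatime 0 0
"""


def parse_mounts(mounts_text):
    """Return [(mount_point, fs_type)] from /proc/mounts-style text."""
    mounts = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts.append((fields[1], fields[2]))
    return mounts


def is_under(path, parent):
    """True if path equals parent or lies below it (whole components only)."""
    if parent == "/":
        return True
    return path == parent or path.startswith(parent + "/")


def keystore_risk(path, mounts_text):
    """Return the reasons a keystore at `path` may not survive a reboot.

    An empty list means no volatile location was detected. On a live host,
    pass os.path.realpath(path) so that a /var/run -> /run symlink is followed.
    """
    path = posixpath.normpath(path)
    reasons = []
    for directory in VOLATILE_DIRS:
        if is_under(path, directory):
            reasons.append(f"under volatile directory {directory}")
            break
    # The longest matching mount point is the filesystem that holds the file.
    holder = max(
        (m for m in parse_mounts(mounts_text) if is_under(path, m[0])),
        key=lambda m: len(m[0]),
        default=None,
    )
    if holder and holder[1] in VOLATILE_FS:
        reasons.append(f"on {holder[1]} mounted at {holder[0]}")
    return reasons


if __name__ == "__main__":
    for candidate in (
        "/var/run/hadoop-httpfs/.keystore",        # old default from the notes
        "/opt/cloudera/security/jks/httpfs.jks",   # hypothetical new location
    ):
        print(candidate, "->", keystore_risk(candidate, SAMPLE_MOUNTS) or "ok")
```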

Collecting diagnostic bundle displayed Java stack trace

Collecting a diagnostic bundle for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of throwing a Java stack trace.

Cloudera Bug: OPSAPS-33438

Unable to stop Cloudera Manager Agent on SLES 11

Fixes TSB-144.

Running the restart or stop service commands failed to stop the Agent.

Cloudera Bug: OPSAPS-33225

Error creating bean

Occasionally, some users encountered the message Error creating bean with name 'newServiceHandlerRegistry' in the Cloudera Manager Admin Console. This issue has been resolved.

Cloudera Bug: OPSAPS-33324

Impala JVM heap size is configurable

The JVM heap size of the Impala catalog server can be configured now using the Java Heap Size of Catalog Server in Bytes property. The property defaults to 4 GB, and like all memory parameters may require tuning.

Cloudera Bug: OPSAPS-26483

Issues Fixed in Cloudera Manager 5.7.0

Plain-text passwords sent to users

An authenticated user could request and receive documents that included passwords they were permitted to modify. This information was sent as plain text. Passwords are no longer included in request responses.

Cloudera Bug: OPSAPS-30757

Cloudera Manager forces Solr shutdown before operations complete

When stopping the Solr service, Cloudera Manager would forcibly stop the service after a period of time. This could result in Solr cores not coming up cleanly. Cloudera Manager now waits for all operations to complete on the Solr server before exiting.

Cloudera Bug: OPSAPS-30903

Re-enabling Kerberos fails due to duplicate roles

As part of enabling Kerberos, a role is created. Attempts to re-enable Kerberos failed because the role already existed from when Kerberos was enabled before. When Kerberos is enabled, Cloudera Manager reuses any required roles if they already exist.

Cloudera Bug: OPSAPS-30703

Processes used incorrect HOME variable

CDH service processes and third-party (CSD) processes used an incorrect HOME variable. These processes now run with the HOME environment variable set to the correct home directory based on the process user.

Cloudera Bug: OPSAPS-30610

Stale Kerberos configuration reported after deploying Kerberos client configuration

After making Kerberos configuration changes through Administration > Settings > Kerberos with Manage krb5.conf enabled, the configuration issue 'Cluster has stale Kerberos configuration' might have displayed and might not have disappeared after running Cluster > cluster_name > Deploy Kerberos Client Configuration. The Deploy Kerberos Client Configuration action now waits for pending staleness checks before identifying stale hosts on which to apply Kerberos configuration.

Workaround: Make a different, non-Kerberos edit to a configuration, and save that change. Revert that change immediately afterward.

Cloudera Bug: OPSAPS-30371

Time range settings on report pages are incorrect

Time range settings were incorrect. They are now set correctly on report pages.

Cloudera Bug: OPSAPS-30016

Add Service Wizard fails to set Hive on Spark performance tuning parameters

Automatic configuration for Hive on Spark performance tuning parameters did not run when adding a Hive service to an existing cluster. In the past, these tuning parameters ran when adding a cluster that contained Hive, YARN, and Spark on YARN. The rules now run as long as Hive depends on YARN in both the add service and add cluster wizards.

Cloudera Bug: OPSAPS-25460

Setting empty values for LDAP Base DN and LDAP Domain produces errors

Setting empty values for the LDAP Base DN and LDAP Domain for Impala resulted in errors. These settings are now handled without errors.

Cloudera Bug: OPSAPS-29546

Restart of deleted roles does not wait until deleted roles are identified

Restart and rolling restart commands did not always wait until all deleted roles were identified. As a result, services that had not yet been identified as requiring a restart were not restarted. Restart and rolling restart commands now wait for staleness checks to complete, if the user requests that only stale services be restarted. This avoids a race between staleness computation checking and how services are determined to be stale and thus restarted.

Cloudera Bug: OPSAPS-29190

Miscellaneous problems with the Replication user interface

This release includes several fixes to the replication user interface including the following:
  • The Last Run column incorrectly sorted dates. Dates are now correctly sorted.
  • Collecting diagnostic data for failed Hive Replication commands failed with an error. This data collection now succeeds.
  • Finished schedules were shown as running. Schedules now accurately reflect their state.
  • Scheduled time was incorrectly translated between browser time and server time. Scheduled time is now correctly translated.
  • The Actions menu would be disabled while a replication schedule was running, which blocked changing the configuration of future runs. The Actions menu is now enabled for replication schedules with commands running.

Cloudera Bug: OPSAPS-29759

Misleading error occurs while deploying client configuration

The error "There is already a pending command on this entity" was shown if a command was in process for a service and an attempt was made to run the "Deploy client configuration" command. This error is no longer shown.

Cloudera Bug: OPSAPS-31461

Gathering task progress produced null pointer exceptions

Gathering progress information on a variety of tasks could result in null pointer exceptions. For example, this could occur when decommissioning a host. Progress information is now gathered as expected.

Cloudera Bug: OPSAPS-32347

User interface elements are hidden when windows are resized

Some windows could be resized so buttons were not visible. For example, this could happen with the Create Replication dialog box. The user interface now handles resizing as expected.

Cloudera Bug: OPSAPS-32060

HDFS data transfers use 3DES despite configuration

The configuration information for using the AES/CTR/NoPadding cipher suite for HDFS data transfers was incomplete. As a result, traffic was encrypted with the much slower 3DES algorithm. The correct configuration is now included with the HDFS client.

Cloudera Bug: OPSAPS-31607
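To see why an incomplete client configuration ends in 3DES, the following added example (not Cloudera or Hadoop code) models the negotiation from the two hdfs-site.xml files involved: AES is used only when both the client and the server list the AES/CTR/NoPadding suite. The sample XML is constructed, and treating an unset dfs.encrypt.data.transfer.algorithm as 3des is an assumption based on the usual JCE default.

```python
import xml.etree.ElementTree as ET

AES_SUITE = "AES/CTR/NoPadding"

# Constructed sample configurations (not taken from a real cluster).
SERVER_XML = """
<configuration>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
  <property><name>dfs.encrypt.data.transfer.cipher.suites</name><value>AES/CTR/NoPadding</value></property>
  <property><name>dfs.encrypt.data.transfer.cipher.key.bitlength</name><value>256</value></property>
</configuration>
"""

# Client configuration as described in the issue: the suite is missing.
CLIENT_BEFORE_XML = """
<configuration>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
</configuration>
"""

# Client configuration with the suite included.
CLIENT_AFTER_XML = """
<configuration>
  <property><name>dfs.encrypt.data.transfer</name><value>true</value></property>
  <property><name>dfs.encrypt.data.transfer.cipher.suites</name><value>AES/CTR/NoPadding</value></property>
</configuration>
"""


def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    root = ET.fromstring(xml_text.strip())
    return {
        (p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
        for p in root.iter("property")
    }


def offers_aes(props):
    """True if this side lists the AES suite for data transfer."""
    suites = props.get("dfs.encrypt.data.transfer.cipher.suites", "")
    return AES_SUITE in [s.strip() for s in suites.split(",")]


def effective_cipher(client_xml, server_xml):
    """Return the cipher that protects block data for this client/server pair."""
    client, server = load_props(client_xml), load_props(server_xml)
    if server.get("dfs.encrypt.data.transfer", "false").lower() != "true":
        return "none"
    if offers_aes(client) and offers_aes(server):
        bits = server.get("dfs.encrypt.data.transfer.cipher.key.bitlength", "128")
        return f"{AES_SUITE} ({bits}-bit)"
    # No AES agreement: only the legacy algorithm setting applies.
    # Assumption: an unset value behaves as 3des.
    return (server.get("dfs.encrypt.data.transfer.algorithm") or "3des").lower()


def clients_not_using_aes(client_configs, server_xml):
    """Given {host: hdfs-site.xml text}, list hosts that fall back from AES."""
    return sorted(
        host for host, xml_text in client_configs.items()
        if not effective_cipher(xml_text, server_xml).startswith(AES_SUITE)
    )


if __name__ == "__main__":
    print("before fix:", effective_cipher(CLIENT_BEFORE_XML, SERVER_XML))
    print("after fix: ", effective_cipher(CLIENT_AFTER_XML, SERVER_XML))
```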

Solr keystore passwords are no longer presented in clear text

Because of Tomcat restrictions, Solr keystore passwords were sent as clear text on the machines running the service. They are now redacted.

Cloudera Bug: CDH-33626

Removing a host from a cluster removes all Kerberos client configuration

Removing a host from a cluster automatically removed all Kerberos client configuration from any other hosts still in the cluster. Now, when one host is removed from a cluster, any Kerberos client configuration on other hosts is unaffected.

Cloudera Bug: OPSAPS-29796

Hive replication import fails to include some information

During the Hive replication import phase, schema and location information was not consistently populated. This information is now populated as expected.

Cloudera Bug: OPSAPS-31332

Restarts attempt to deploy client configuration when action is not supported

After upgrading a parcel, restart or rolling restart steps automatically attempted to deploy the client configuration, even if that was not supported by the cluster configuration. Now, client configurations are deployed only if the cluster configuration supports this action.

Cloudera Bug: OPSAPS-31483

Some pages load very slowly

Some pages, such as the All Recent Commands page, may take over 30 seconds to load. This process has been optimized, reducing load times.

Cloudera Bug: OPSAPS-26772

kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Cloudera Bug: OPSAPS-31795

Some jobs never run due to memory configuration

It was possible to configure the YARN NodeManager with an amount of available memory less than the amount of memory available to the YARN container. In such a case, a job might never find a NodeManager that meets the memory requirements. The system now ensures that at least one YARN container is configured with an equal or greater amount of memory than the YARN NodeManager value.

Cloudera Bug: OPSAPS-22584

Replication schedule API not compatible with older versions

Clients using the version 10 replication schedule API did not work as expected with instances of Cloudera Manager using version 11 of the API. This meant that clients from Cloudera Manager 5.4.0 and lower did not work as expected with servers running Cloudera Manager 5.5.0 and higher. Clients and servers using these different API versions now function as expected.

Cloudera Bug: OPSAPS-32504

Issues Fixed in Cloudera Manager 5.6.2

Issues Fixed in Cloudera Manager 5.6.1

Scheme and location not filled in consistently during Hive replication import

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

Cloudera Manager HDFS usage reports do not include Inode references

Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Cloudera Bug: OPSAPS-33094

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Cloudera Bug: OPSAPS-31795

Authentication errors occur due to missing SAML metadata

  • If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
  • If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:
    1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
    2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Cloudera Bug: OPSAPS-33088

Oozie JVM heap metrics not reported in Chart Builder for some services

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Cloudera Bug: OPSAPS-33006

Issues Fixed in Cloudera Manager 5.6.0

CDH upgrade fails if the GPL Extras parcel is in use

CDH and GPL Extras parcel versions must match exactly. When upgrading CDH, by default Cloudera Manager validates the dependency between the new CDH parcel and existing GPL Extras parcel. Since the dependency is not satisfied, the check returns an error and the upgrade fails.

Cloudera Bug: OPSAPS-26436

Workaround:
  1. Deactivate parcel dependency checking:
    1. Select Administration > Settings.
    2. Search for Validate Parcel Relations.
    3. Deselect the checkbox.
    4. Click Save Changes to commit the changes.
  2. Deactivate the GPL Extras parcel.
  3. Download, distribute, and activate the GPL Extras parcel that matches the CDH upgrade version.
  4. Upgrade CDH.
  5. Reactivate parcel dependency checking.

Issues Fixed in Cloudera Manager 5.5.6

Separation of authentication and authorization coprocessor configs in HBase

HBase Secure Bulkload is now enabled for all CDH5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed in HBase-related MapReduce jobs.

Cloudera Bug: OPSAPS-33657

Replications page: sort by schedule ID as default

In the Replications page, the table is now sorted by ID by default.

Cloudera Bug: OPSAPS-33212

Hive Replication shows "Dry Run" incorrectly

Fixes an issue where running Hive Replication shows "Dry Run" in the status message.

Cloudera Bug: OPSAPS-33206

HDFS Snapshot policy is selecting unhealthy host to run on

When selecting a role to run HDFS Snapshot command, Cloudera Manager now selects a non-decommissioned host in Active status. Also, hosts in maintenance mode have a lower priority than the ones in active state.

Cloudera Bug: OPSAPS-33144

Cloudera Manager no longer shows "this step is expected to fail" when enabling HDFS-HA

When enabling HDFS-HA, if the NameNode directories are empty, Cloudera Manager reports this as an error. In lower versions, it returned a message saying the failure is expected. Cloudera Manager now shows the correct message when performing HA.

Cloudera Bug: OPSAPS-30777

Configuration for all services is marked stale during upgrade

When you upgrade to version 5.5.6 of Cloudera Manager, the client configuration for all services is marked stale. From the Cluster menu, select Deploy Client Configuration to redeploy the client configuration.

Cloudera Bug: OPSAPS-36234

Issues Fixed in Cloudera Manager 5.5.4

Cluster provisioning fails

In some cases, provisioning of a cluster may fail at the start of the process. This does not happen in all cases and is mainly noticed on RHEL 6 and especially when some hosts are reporting bad health.

Releases affected: 5.5.0-5.5.3, 5.6.0-5.6.1, 5.7.0

Releases containing the fix: 5.5.4, 5.7.1

For releases containing the fix, parcel activation and the first run command now complete as expected, even when some hosts report bad health.

This issue is fixed in Cloudera Manager 5.5.4 and 5.7.1 and higher.

Cloudera Bug: OPSAPS-33564

Scheme and location not filled in consistently during Hive replication import

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Bug: OPSAPS-33293

Cloudera Manager HDFS usage reports do not include Inode references

Lower versions of Cloudera Manager HDFS usage reports do not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Cloudera Bug: OPSAPS-33094

New Hive tables fail to replicate when Sentry Sync is enabled

When Sentry Sync is enabled, new Hive tables failed to replicate. Replication now occurs as expected.

Cloudera Bug: OPSAPS-33065

kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Cloudera Bug: OPSAPS-31795

Authentication errors occur due to missing SAML metadata

  • If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you used to notice an error screen while logging out, then this upgrade will fix that issue.
  • If you use SAML for external authentication and were on Cloudera Manager 5.5.0 and higher prior to this upgrade and if you did not notice any error screen while logging out, then you will most likely see an error screen while logging out after this upgrade. In order to fix that, you can follow either of these steps:
    1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
    2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Cloudera Bug: OPSAPS-33088

HDFS rolling restart fails after CDH upgrade

In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).

Cloudera Bug: OPSAPS-33035

Oozie JVM heap metrics not reported in Chart Builder for some services

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Cloudera Bug: OPSAPS-33006

Issues Fixed in Cloudera Manager 5.5.3

Users using external LDAP authentication with no local Cloudera Manager user role explicitly set may default to the read-only role when upgrading to Cloudera Manager 5.5.2

When upgrading to Cloudera Manager 5.5.2, customers who have non-read-only roles configured through LDAP, and have not explicitly set Cloudera Manager local roles, may lose their Cloudera Manager privileges set by LDAP.

Releases affected: Cloudera Manager 5.5.2

Users affected: Customers who use LDAP for Cloudera Manager user authorization and have upgraded Cloudera Manager from a version lower than 5.5.0 to Cloudera Manager 5.5.2. For example:
  • May be affected: Install Cloudera Manager 5.3 -> Upgrade to Cloudera Manager 5.5.1 -> Upgrade to Cloudera Manager 5.5.2
  • Unaffected: Install Cloudera Manager 5.5.1 -> Upgrade to Cloudera Manager 5.5.2
Users not affected:
  • Customers who installed Cloudera Manager 5.5.0 and higher and upgraded.
  • Customers who use Cloudera Manager local role authorization, regardless of upgrade path and version.

Severity: High

Action required: If you have upgraded to Cloudera Manager 5.5.2 and cannot log in with proper permissions, do the following:
  1. Resolve any conflicting user authorization permissions between LDAP and Cloudera Manager local permissions.
  2. Contact Cloudera Support for further instructions if you cannot resolve conflicting LDAP and Cloudera Manager user permissions.
If you have not yet upgraded to Cloudera Manager 5.5.2, and are using LDAP user authorization:
  1. Before upgrading, resolve any conflicting user authorization permissions between LDAP and Cloudera Manager local permissions.
  2. Upgrade to Cloudera Manager 5.5.3 or higher.

Issues Fixed in Cloudera Manager 5.5.2

Oozie and HttpFS keystore passwords are no longer presented in clear text

Because of Tomcat restrictions, the Oozie and HttpFS keystore passwords were sent as clear text on the machines running the services. They are now hidden.

Cloudera Bug: OPSAPS-25522

Cross-site scripting vulnerability using malformed strings in the Parcel Remote URLs list

An attacker could set a malformed string in the Parcel Remote URLs list in the database and trigger the attack when a user accesses the Administration Settings page. This attack is now prevented.

Cloudera Bug: OPSAPS-30590

Starting/stopping roles for Flume instance succeeds but displays nothing in popup

In Cloudera Manager 5.5.0, running a Flume start/stop service command would succeed, but display an empty popup. This is now fixed.

Cloudera Bug: OPSAPS-31075

Role process commands missing stderr and stdout in command details

In Cloudera Manager 5.5, certain commands did not show links to stderr or stdout in the Cloudera Manager UI even if they were executed recently. These could still be found in /var/run/cloudera-scm-agent/process/ on that host. In Cloudera Manager 5.5.2 stderr and stdout should appear as they did before.

Note that links to stderr and stdout for commands may disappear if another command is run on that role. This is expected. The logs can still be found in /var/run/cloudera-scm-agent/process/ on that host.

Cloudera Bug: OPSAPS-30671

Updating the Hive NameNode location multiple times could lead to data corruption

Multiple updates to the Hive NameNode location could cause Hive Metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Bug: OPSAPS-30155

Cloudera Manager skips NameNode logs in the diagnostic bundle

Scheduled diagnostic bundles did not include recent role logs. Diagnostic bundles collected manually (not scheduled) worked as expected. Now, scheduled diagnostic bundles include the latest NameNode logs.

Cloudera Bug: OPSAPS-30787

Kafka 2.0 fails to deploy on large clusters as reserved.broker.max.id defaults to 1000

Large Kafka clusters would not start when Cloudera Manager-generated broker IDs exceeded the value set by reserved.broker.max.id. The default value of broker.id.generation.enable has now been set to false to disable the reserved.broker.max.id configuration property and avoid collisions.

Cloudera Bug: OPSAPS-31128

Cloudera Manager fails to propagate HBase coprocessors to the gateway nodes

Cloudera Manager does not propagate HBase coprocessors to the gateway nodes. As a result, tools that depend on the HBase security subsystem, such as the loadIncrementalHFiles tool, do not use security features, even in secure environments.

Cloudera Bug: OPSAPS-28196

Workaround: Add the following properties to the HBase Client Advanced Configuration Snippet (Safety Valve) for hbase-site.xml and restart all HBase clients:
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property> 

HDFS nameservices API call returns incorrect HA role status

The HDFS nameservices API returned incorrect active/standby status information for HA roles. API calls made about roles that were active might return standby status and roles that were in standby status might return active status. Information about host statuses is now accurate.

Cloudera Bug: OPSAPS-29337

Hive requires the hive principal for HiveServer2 host as well as load balancer

An issue with HiveServer2 missing its principal and keytab when Hive is load-balanced has been fixed.

Cloudera Bug: OPSAPS-29881

More descriptive error message for service trying to start on a decommissioned host

Cloudera Manager now displays a more descriptive error message when it skips the "Start" command because all roles are started or decommissioned or on a decommissioned host.

Cloudera Bug: OPSAPS-25549

UI shows repeated errors when loading replications page

Fixed an issue with loading the replication page when a previous replication command fails without launching a MapReduce job.

Cloudera Bug: OPSAPS-28789

Allow option for external users to be assigned roles in the local database

In Cloudera Manager 5.5, role assignments for external users were disabled, which caused upgrade issues. The fix rolls back the change but, instead of using a union approach, implements the following precedence rules:
  • If a user is assigned a role in Cloudera Manager, this local role is used.
  • Otherwise, a user's LDAP group association determines the user role.

Cloudera Bug: OPSAPS-31181

Clean up usercache directories on migration from unsecure to secure mode

Fixes an issue that led to YARN jobs failing after migration from unsecure to secure mode.

Cloudera Bug: OPSAPS-28378

Spark REST API does not work when parcels are used

The REST API for retrieving data from a live Spark UI or from the Spark History Server has been fixed.

Cloudera Bug: OPSAPS-30919

In secure clusters, DataNode fails to start when dfs.data.transfer.protection is set and DataNode ports are changed to unprivileged ports

Before this fix, the only way to run the DataNode on unprivileged ports (port number > 1024) in a Kerberized cluster with DataNode Data Transfer Protection enabled was to use single-user mode. Now this configuration works for both regular and single-user mode installs.

Both Hadoop SSL and DataNode Data Transfer Protection are still required for unprivileged DataNode ports to work in a Kerberized cluster. This configuration is supported only in CDH 5.2 and higher.

Cloudera Bug: OPSAPS-30819

New validation warning for non-recommended secure DataNode configurations in CDH 5.2 and higher

On a Kerberos-enabled cluster running CDH 5.2 and higher, there are two recommended DataNode configurations. Use SASL/TLS with DataNode Data Transfer Protection enabled to encrypt the connection, or use only privileged ports to communicate. The supported combinations of HDFS configuration properties follow:
  • Security through SASL/TLS (preferred):
    • DataNode Data Transfer Protection - Enabled
    • Hadoop TLS/SSL - Enabled
    • DataNode Transceiver Port - Non-privileged (that is, port number >= 1024)
    • Secure DataNode Web UI Port (TLS/SSL) - Non-privileged (that is, port number >= 1024)
  • Security through privileged ports:
    • DataNode Data Transfer Protection - Disabled
    • Hadoop TLS/SSL - Disabled
    • DataNode Transceiver Port - Privileged (that is, port number < 1024)
    • DataNode HTTP Web UI Port - Privileged (that is, port number < 1024)

Any configuration other than these results in a validation warning or error from Cloudera Manager. In particular, the following configuration, which is allowed by HDFS but is not recommended, results in a (dismissible) validation warning:

  • (Not Recommended) Security without enabling DataNode Data Transfer Protection:
    • DataNode Data Transfer Protection - Disabled
    • Hadoop TLS/SSL - Enabled
    • DataNode Transceiver Port - Privileged (that is, port number < 1024)
    • Secure DataNode Web UI Port (TLS/SSL) - Non-privileged (that is, port number >= 1024)

All configurations other than the three listed result in Cloudera Manager displaying a validation error.

Cloudera Bug: OPSAPS-31266
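The validation rules listed above can be expressed as a small decision table. The following is an added example, not Cloudera Manager's own code; the field names are hypothetical stand-ins for the UI labels, and the port numbers in the demo are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum

PRIVILEGED_LIMIT = 1024  # ports below 1024 are privileged, as in the list above


class Verdict(Enum):
    OK = "ok"
    WARNING = "warning"  # dismissible in Cloudera Manager
    ERROR = "error"


@dataclass(frozen=True)
class DataNodeConfig:
    # Hypothetical field names mirroring the UI labels, not real property keys.
    data_transfer_protection: bool
    hadoop_tls: bool
    transceiver_port: int
    web_ui_port: int  # Secure Web UI port if hadoop_tls is on, HTTP Web UI port otherwise


# The three listed combinations. "*_privileged" is True for a port < 1024.
LISTED = [
    (Verdict.OK, "SASL/TLS (preferred)",
     {"data_transfer_protection": True, "hadoop_tls": True,
      "transceiver_privileged": False, "web_ui_privileged": False}),
    (Verdict.OK, "privileged ports",
     {"data_transfer_protection": False, "hadoop_tls": False,
      "transceiver_privileged": True, "web_ui_privileged": True}),
    (Verdict.WARNING, "TLS without Data Transfer Protection (not recommended)",
     {"data_transfer_protection": False, "hadoop_tls": True,
      "transceiver_privileged": True, "web_ui_privileged": False}),
]


def _is_privileged(port):
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"not a valid TCP port: {port!r}")
    return port < PRIVILEGED_LIMIT


def _observed(cfg):
    return {
        "data_transfer_protection": cfg.data_transfer_protection,
        "hadoop_tls": cfg.hadoop_tls,
        "transceiver_privileged": _is_privileged(cfg.transceiver_port),
        "web_ui_privileged": _is_privileged(cfg.web_ui_port),
    }


def validate(cfg):
    """Return (verdict, name, mismatches).

    For a listed combination, mismatches is empty. Otherwise the verdict is
    ERROR, name is the closest listed combination, and mismatches names the
    settings that would have to change to reach it.
    """
    seen = _observed(cfg)
    best = None
    for verdict, name, expected in LISTED:
        diff = sorted(k for k in expected if expected[k] != seen[k])
        if not diff:
            return verdict, name, []
        if best is None or len(diff) < len(best[1]):
            best = (name, diff)
    return Verdict.ERROR, best[0], best[1]


if __name__ == "__main__":
    # Constructed sample configurations.
    samples = [
        DataNodeConfig(True, True, 50010, 50475),
        DataNodeConfig(False, False, 1004, 1006),
        DataNodeConfig(False, True, 1004, 50475),
        DataNodeConfig(True, True, 1004, 50475),
    ]
    for cfg in samples:
        verdict, name, diff = validate(cfg)
        print(verdict.value, "|", name, "|", ", ".join(diff) or "-")
```

For a rejected configuration, the mismatch list shows the smallest change that reaches a listed combination, which is usually the quickest way to see which setting drifted.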

Sensitive environment parameters not redacted for CSDs

Passwords in environment variables for CSDs are now redacted.

Cloudera Bug: OPSAPS-29915

Update Apache Commons Collections library in Cloudera Manager due to major security vulnerability

The Apache Commons Collections library has been upgraded to 3.2.2 to fix a critical security vulnerability.

Cloudera Bug: OPSAPS-30428
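To confirm that no older copy of the library remains on a host after the upgrade, the following added example (not Cloudera code) walks a directory tree and reports Commons Collections JARs below 3.2.2, including copies bundled one level deep inside .jar/.war/.ear archives. The function names and the sample tree are assumptions made for illustration; the check is by file name only.

```python
import os
import re
import tempfile
import zipfile

FIXED = (3, 2, 2)  # version this release upgrades to, per the entry above

# Matches commons-collections-<version>[-suffix].jar; the separate
# commons-collections4 artifact is deliberately not matched.
JAR_RE = re.compile(r"^commons-collections-(\d+(?:\.\d+)*)(?:[-.][\w.-]*)?\.jar$")
ARCHIVES = (".jar", ".war", ".ear")


def version_of(filename):
    """Return the version tuple for a commons-collections JAR name, else None."""
    m = JAR_RE.match(os.path.basename(filename))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _older(name):
    v = version_of(name)
    return v is not None and v < FIXED


def find_older_than_fixed(root):
    """Walk root; return sorted locations of commons-collections JARs below FIXED.

    Copies bundled inside archives are reported as '<archive>!<entry>'.
    Paths are relative to root.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if _older(name):
                hits.append(rel)
            if name.lower().endswith(ARCHIVES):
                try:
                    with zipfile.ZipFile(path) as zf:
                        hits += [f"{rel}!{e}" for e in zf.namelist() if _older(e)]
                except (zipfile.BadZipFile, OSError):
                    pass  # unreadable or not a real archive; the name check above still applied
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout (empty placeholder files, not real libraries)."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    for name in ("commons-collections-3.2.1.jar",
                 "commons-collections-3.2.2.jar",
                 "commons-collections4-4.0.jar"):
        open(os.path.join(lib, name), "wb").close()
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as zf:
        zf.writestr("WEB-INF/lib/commons-collections-3.1.jar", b"")
        zf.writestr("WEB-INF/lib/commons-collections-3.2.2.jar", b"")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_older_than_fixed(tmp):
            print(hit)
```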

Remove plaintext keystore password from /api/v6/cm/config

With the addition of the JVM parameter -Dcom.cloudera.api.redaction=true, sensitive configuration values are redacted from the API.

Cloudera Bug: OPSAPS-26677

JVM parameter to redact passwords now redacts the password salt and hash

When API redaction is turned on using the JVM argument -Dcom.cloudera.api.redaction=true, it also redacts the user's pwHash and pwSalt values. Passwords for Cloudera Manager Peers are also redacted.

Cloudera Bug: OPSAPS-31194

Oozie keystore and truststore passwords now redacted

Oozie's Java keystore and truststore passwords are no longer sent in clear text on the command line.

Cloudera Bug: OPSAPS-25523

Several Replication UI fixes

  • The Replication UI Last Run column now sorts correctly based on dates.
  • Collecting diagnostic data for failed Hive Replication commands no longer fails.
  • Finished schedules are no longer shown as running when the user is watching the page.
  • Scheduled time now accurately translates between browser time and server time.
  • Actions menu is now enabled for replication schedules with commands running. Previously, it would be disabled while a replication schedule was running, which blocked changing the configuration for future runs.

Cloudera Bug: OPSAPS-29750

Fix Java detection

Java detection in the "Components" view for a host was fixed to account for Java versions installed using symlinks in /usr/java (such as /usr/java/default). A similar fix was made to the host inspector's Java detection logic.

Cloudera Bug: OPSAPS-31105

When Host Monitor is stopped, cluster/services status in Cloudera Manager API returns Good instead of N/A or Unknown

If the Host Monitor is down, the service details page will still be able to present non-host related health status.

Cloudera Bug: OPSAPS-30337

Issues Fixed in Cloudera Manager 5.5.1

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Issues Fixed in Cloudera Manager 5.5.0

Setting the HBase WAL provider to the default in Cloudera Manager causes the RegionServer process to fail to start

Setting the HBase WAL provider to the default using Cloudera Manager erroneously sets the value of hbase.wal.provider to default, when it should be set to defaultProvider. This causes the RegionServer process to fail to start.

Cloudera Bug: OPSAPS-29598

Workaround: Do not use Cloudera Manager to set the WAL provider to the default. Instead, add the following properties to the RegionServer Advanced Configuration Snippet (Safety Valve) for hbase-site.xml and restart all HBase clients.
<property>
  <name>hbase.wal.provider</name>
  <value>defaultProvider</value>
</property> 

Incorrect path format causes access permission failure

The file path format used in sequence file sorting was incorrect. In replications involving a large number of files and when the Delete Policy for the replication is set to Delete to trash or Delete Permanently, distcp uses the local file system to save the intermediate result of sequence file sorting. An incorrect path format causes access permission failure.

Cloudera Bug: OPSAPS-28859

Out-of-memory exception for Hive replication

Hive replication throws an out-of-memory exception when exporting a table with a large number of partitions.

Cloudera Bug: OPSAPS-29598

Incorrect value emitted into hbase-site.xml

When configuring an HBase WAL provider with the "HBase Default" option, Cloudera Manager emits an incorrect value into hbase-site.xml and HBase reports an error.

Cloudera Bug: OPSAPS-29598

Failed replications no longer fail silently

When a replication is attempted between secure and insecure clusters, the replication reports an error and fails silently.

Cloudera Bug: OPSAPS-28380

The Replication Schedules page displays error after failed replication

A dialog box that shows a Java exception displays in the Replication Schedules page after a failed replication and the page is inaccessible.

Cloudera Bug: OPSAPS-28465

Cloudera Manager now allows you to use '/' in cluster names

In previous versions, this resulted in problems during replication because '/' was treated as a URL path.

Cloudera Bug: OPSAPS-26138

HDFS replication fails because of improper snapshot directory handling

Replications fail when converting a snapshot path to a regular path when the grandparent of the source directory is snapshottable.

Cloudera Bug: OPSAPS-27232

Renewal time limits and lifetime limits are removed for Kerberos tickets

Snapshots that took longer than 30 minutes failed because the Kerberos tickets for the snapshots expired too soon. The renewal and lifetime limits have been replaced with the system default lifetime and renewal limits, instead of 30 minutes.

Cloudera Bug: OPSAPS-28189

Replication schedules fail to catch configuration errors during creation

The schedule configuration is not validated when it is created, which causes errors during replication.

Cloudera Bug: OPSAPS-11047

Audit events now include the schedule ID

The replication ID has been added to the schedule creation, update, and deletion audit events.

Cloudera Bug: OPSAPS-11534

OutOfMemory error when running HDFS replication

HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.

Cloudera Bug: OPSAPS-28858

Hive replication does not preserve user and group names for the database directory

File permissions of the database directory that maps to a Hive database are not preserved.

Cloudera Bug: OPSAPS-24742

Exception in configuration history after changing host configuration

An IllegalStateException is reported in the History and Rollback page after changing host configuration.

Cloudera Bug: OPSAPS-28795

Host Inspector no longer expects the impala user to be in the hdfs group

To conform to security best practices, the impala user should not be in the hdfs group.

Cloudera Bug: OPSAPS-28129

The DataNode Refresh Data Directories command fails on secure clusters

DataNode refresh failed on Kerberized clusters.

Cloudera Bug: OPSAPS-27068

Topology should only include hosts with Hadoop daemons

A topology map is created for the services HDFS, YARN, and MapReduce. In releases earlier than 5.5.0, hosts with only gateway roles for these services were also added to the topology map. This might erroneously mark many configurations as stale, requiring restarts or refreshes to resolve the staleness.

Cloudera Bug: OPSAPS-24109

Agent host_id property is erroneously set to hostname

Previously, attempting to set the listening_hostname property in the Agent config.ini file (which is not normally necessary) changed the Agent's host ID to use this hostname, instead of the normal value.

Cloudera Bug: OPSAPS-27991

JAVA_HOME override setting does not affect component list

The component list for a host is not affected by a custom JAVA_HOME setting.

Cloudera Bug: OPSAPS-19290

Monitoring performance issues on large, busy clusters

A number of fixes have been made to improve Service Monitor and Host Monitor performance, particularly problems manifesting as large, regular garbage-collection pauses, on large, busy clusters.

Cloudera Bug: OPSAPS-26703

JAVA_HOME does not get passed to Agents

Client configuration deployment fails to locate Java in the custom JAVA_HOME environment variable, if that is specified via host configuration.

Cloudera Bug: OPSAPS-27048

Job History Server Retaining Logs in Secure Clusters

The Job History Server fails to delete old logs from HDFS on secure clusters, with the error "Failed to specify server's Kerberos principal name."

Cloudera Bug: OPSAPS-30157

On Kerberized clusters, incorrect values reported for DataNode process metrics

The DataNode process is incorrectly monitored on Kerberized clusters.

Cloudera Bug: OPSAPS-28676

During kt_renewer kinit call authentication may fail

On Kerberized clusters, Cloudera Manager might periodically report monitoring failures due to authentication errors when attempting to communicate with various role web servers to collect metrics. This is due to synchronization issues between the Agent's calls to kinit and attempts to perform Kerberos authentication with the role web servers. This has been fixed by adding logic to retry requests for metrics in the Agent a number of times on authentication failures. These retries will be logged but should not result in health failures and alerts.

Cloudera Bug: OPSAPS-28469

Client configurations are incorrectly marked as stale when a host is rebooted

Rebooting a host can cause the client configurations for gateway roles on that host to be marked as stale even though they are up to date.

Cloudera Bug: OPSAPS-28568

Rolling restart fails when inheriting inappropriate JVM properties

Rolling restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.

Cloudera Bug: OPSAPS-28353

Clusters can fail if Java 1.6 is installed

JAVA_HOME is set to Java 1.6 if installed, even if version 1.8 is also installed.

Cloudera Bug: OPSAPS-28888

Start should clearly indicate when it fails due to a missing parcel

Previously a missing parcel was logged only in the Agent log. The Cloudera Manager Admin Console now indicates that a required parcel is missing when starting a role or deploying client configurations.

Cloudera Bug: OPSAPS-25589

Client configuration deployment timeout set too large for large number of hosts

The deploy client configuration timeout value was set according to the number of hosts. This caused a problem when there was a large number of hosts. The tasks to deploy client configurations are run concurrently, so there was no need to wait that long. The timeout value was changed to a fixed value.

Cloudera Bug: OPSAPS-29464

Two HBase metrics charts display "No Data"

HBase IPC metrics were not collected on CDH 5.4 and higher HBase due to a metric name change.

Cloudera Bug: OPSAPS-28171

Agent operating system detection logic fixed on updated Oracle Enterprise Linux 6.x

An Oracle Enterprise Linux 6.x update to its python-libs unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.

Cloudera Bug: OPSAPS-28193

ZooKeeper jute.maxbuffer emitted into configuration instead of JVM arguments

The ZooKeeper jute.maxbuffer property was emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.

Cloudera Bug: OPSAPS-28244

High -Xms set for Hive clients

-Xms is set equal to -Xmx for all Hive clients, which causes the Java runtime to reserve -Xms memory even if the client does not need it. This particularly affects machines with low resources. The -Xms setting has been removed so that the Java runtime does not assign -Xmx memory at the start. Instead, it starts with a much lower Java heap and increases it if needed.

Cloudera Bug: OPSAPS-28972

Service autoconfiguration set Kafka memory to 0

The Kafka service was initially configured with 0 memory because the autoconfiguration rules did not respect specified units. This is now correctly set to a value between 50 and 1024 MiB depending on available memory on the host. This issue affected any third-party CSD-based services using memory parameters with units other than "bytes".

Cloudera Bug: OPSAPS-27869

Topics with a period not reporting metrics

Topics with a period (".") in the name would not show metrics in Cloudera Manager.

Sensitive information in Cloudera Manager diagnostic support bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) Modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) Modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data-handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.5.0, 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Cloudera Management Service can fail with a large Flume configuration file

When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to time out and fail. In addition, the Cloudera Manager Server uses 100% of the CPU and the UI hangs.

Cloudera Bug: OPSAPS-29685

Charts built on simple select statements can return partial results

Charts built on queries in the form <select metric> for service or role metrics might not filter entities properly and might report hitting the stream limit.

Cloudera Bug: OPSAPS-28716

Issues Fixed in Cloudera Manager 5.4.10

Scheme and location not filled in consistently during Hive replication import

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

Having hive.compute.query.using.stats enabled by default produced incorrect results for some queries that used stats only

By default, hive.compute.query.using.stats was enabled. This produced incorrect results for some queries that used stats only. This setting is now disabled by default.

Cloudera Bug: OPSAPS-32332

YARN jobs fail after enabling Kerberos authentication or selecting Always Use Container Executor

After Kerberos security is enabled on a cluster or Always Use Container Executor is selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of Container Executor.

Cloudera Bug: OPSAPS-32050

Scheduled diagnostic bundles do not include recent role logs

Diagnostic bundles collected manually included all expected logs, but bundles collected on a schedule did not include role logs. Scheduled diagnostic bundles now include all expected logs.

Cloudera Bug: OPSAPS-30787

Issues Fixed in Cloudera Manager 5.4.9

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Cross-site scripting vulnerability using malformed strings in the parcel remote URL list

An attacker could set a malformed string in parameters that consist of a list of strings and trigger the attack when a user accessed the corresponding configuration page in classic layout mode. This attack is now prevented.

Cloudera Bug: OPSAPS-30590

Cross-site scripting vulnerability using malformed host template name

An attacker could set a malformed host template name in the backend database and trigger the attack when a user applies the host template. This attack is now prevented.

Cloudera Bug: OPSAPS-30443

Snapshot policies with names with special characters not handled as expected

Snapshot policies with names containing special characters such as #, $, ?, or % were not handled as expected. These snapshot policies were not consistently found because the special characters in their names were parsed incorrectly. Snapshot policies with names containing special characters are now handled as expected.

Cloudera Bug: OPSAPS-30426

Kafka MirrorMaker fails to find messages if ZooKeeper root directory is changed

When the ZooKeeper root directory is changed, the corresponding value in ZK_QUORUM that is passed to Kafka MirrorMaker processes is not updated. In that case, MirrorMaker fails to find messages. Changes to ZooKeeper root are now propagated properly, resulting in MirrorMaker finding messages.

Cloudera Bug: OPSAPS-30197

Updating the Hive NameNode location multiple times could lead to data corruption

Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Bug: OPSAPS-30155

Cloudera Manager monitors subject to excessive garbage-collection workload

The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.

Cloudera Bug: OPSAPS-30058

Kafka MirrorMaker fails to start because of missing settings

Kafka MirrorMaker provided no defaults for Destination Broker List, Topic Whitelist, and Topic Blacklist, and no way to set these values in the wizard. These values can now be set in the wizard when adding a new instance.

Cloudera Bug: OPSAPS-29415

Cloudera Manager dry-run replication history shows unexpected values

BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.

The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.

Cloudera Bug: OPSAPS-30387

Issues Fixed in Cloudera Manager 5.4.8

Clusters can fail if Java 1.6 is installed

JAVA_HOME is set to Java 1.6 if installed even if 1.8 is also installed.

Cloudera Bug: OPSAPS-28888

OutOfMemory error when running HDFS replication

HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.

Cloudera Bug: OPSAPS-28858

Cloudera Management Service can fail with a large Flume configuration file

When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to time out and fail. In addition, the Cloudera Manager Server uses too much CPU (100%) and the UI hangs.

Cloudera Bug: OPSAPS-29685

Client configurations are incorrectly marked as stale when a host is rebooted

Rebooting a host can cause the client configurations for gateway roles on that host to be marked as stale even though they are actually up to date.

Cloudera Bug: OPSAPS-28568

Issues Fixed in Cloudera Manager 5.4.7

Operating system detection logic for Oracle Enterprise Linux 6 breaks parcel distribution

Fixes the operating system detection logic on updated Oracle Enterprise Linux 6 systems. An Oracle update to its python-libs logic unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.

Cloudera Bug: OPSAPS-28193

ZooKeeper jute.maxbuffer property emitted into the wrong file

The ZooKeeper jute.maxbuffer property is emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.

Cloudera Bug: OPSAPS-28244

Create user API call is allowed for user with insufficient permissions

Using the "create a user" API call, a user who normally could not create users is able to create a read-only user account. The API call now respects the permissions.

Cloudera Bug: OPSAPS-27539

Spark Authentication property is propagated to the wrong client configuration

Beginning with Cloudera Manager 5.4.6, the Spark Authentication configuration property is correctly propagated to client configurations.

Cloudera Bug: OPSAPS-27912

Agent hostname in config.ini is changed to wrong value

Attempting to set the listening_hostname property in the Agent's config.ini file (which is not normally necessary) changes the Agent's host ID to use this hostname, instead of the normal value. The host ID is now left unchanged, as expected.

Cloudera Bug: OPSAPS-27991

Cloudera Manager monitors the incorrect process for DataNode

On Kerberized clusters, Cloudera Manager monitors the wrong process as the DataNode. That has been fixed. For customers using Kerberized HDFS, Cloudera Manager reports incorrect statistics in some areas (memory, file descriptor, CPU usage, I/O, and networking, but not HDFS statistics). There is a small impact to health monitoring because of this issue. For customers using the stacks collection feature on a Kerberized DataNode and where jstack collection was enabled, this issue kills the parent jsvc process of the DataNode and leaves the DataNode up, but causes Cloudera Manager to report the process as dead.

Cloudera Bug: OPSAPS-28677

Issues Fixed in Cloudera Manager 5.4.6

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Issues Fixed in Cloudera Manager 5.4.5

Cancel Impala Query attempts to connect via TLS/SSL despite TLS/SSL being disabled

In Impala queries, if you select Cancel for any query, you see a small "internal error" at the top of the query list. This occurs because an attempt to connect via TLS/SSL is performed even though Impala does not have TLS/SSL enabled.

Cloudera Bug: OPSAPS-27146

Cloudera Manager displays a spurious validation warning about the Cloudera Management Service truststore

Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services, even if no Cloudera Management Service truststore is in use.

Cloudera Bug: OPSAPS-27473

Aggregation of Work attributes

Cloudera Manager now correctly aggregates Work attributes such as YARN applications or Impala query duration.

Cloudera Bug: OPSAPS-26493

Hue Solr Indexer

Cloudera Manager now creates the correct configuration required to create a collection.

Cloudera Bug: OPSAPS-22975

Cloudera Manager incorrectly reports “Not finalized” status for rolling upgrade

When performing a rolling upgrade from a version of CDH lower than 5.4 to CDH 5.4, and the HDFS rolling upgrade is finalized, Cloudera Manager incorrectly reports the status as not finalized. This is an error in reporting only and does not affect HDFS functionality.

Cloudera Bug: OPSAPS-27379

Validation errors not visible from service-level configuration pages

Validation errors and warnings were only visible when accessing the individual instance-level configuration pages. This has been fixed.

Cloudera Bug: OPSAPS-27066

Add Role Instances wizard does not work when initialized using the Cloudera Manager search box

You can now start the Add Role Instances wizard by searching for "<service name> Add Role" in the Cloudera Manager Admin Console search box.

Cloudera Bug: OPSAPS-27604

Cloudera Manager now allows you to use '/' in cluster names

In previous versions, this resulted in problems during replication because '/' was treated as a URL path.

Cloudera Bug: OPSAPS-26138

Expose HBase multi-WAL configuration properties in Cloudera Manager

The properties were added and are now being written to the hbase-site.xml file.

Cloudera Bug: OPSAPS-27139

Custom Kerberos principals now handled correctly during Solr startup

The Solr custom Kerberos principal is now initialized properly during Solr server startup.

Cloudera Bug: OPSAPS-27320

Added a check in the Upgrade and Kerberos wizards to make sure Spark-standalone is not enabled

Spark Standalone does not work in clusters with Kerberos authentication. Spark on YARN supports Kerberos and is recommended over Spark Standalone. Either disable Kerberos or remove Spark Standalone before upgrading.

Cloudera Bug: OPSAPS-26151

Fixed link for Reports when YARN high availability is enabled

The Reports link in HA mode would result in a 404 error.

Cloudera Bug: OPSAPS-27089

Removed bogus failure when deploying client configuration

Deploying client configuration would sometimes fail because Cloudera Manager could not locate JAVA_HOME. This is not a valid failure because deploying client configuration does not require Java.

Cloudera Bug: OPSAPS-27650

Added core-site.xml to Sentry's classpath

Previously, core-site.xml was only added to Sentry's configuration folder, but not the classpath.

Cloudera Bug: OPSAPS-26617

Improved memory usage in serializing objects and writing them to support bundles

Performance improvements that require less memory were made for the creation of bundles.

Cloudera Bug: OPSAPS-27405

New property to enable suppressing INFO-level log messages from NameNode

You can now use the NameNode Block State Change Logging Threshold property to suppress INFO-level block state change log messages from the NameNode.

Cloudera Bug: OPSAPS-26437

Improved advice for clock offset health test

The way the health of the host's NTP daemon is determined was changed recently, which caused some cases where the related health test (host clock offset) failed without a warning. Information on this change was added to Cloudera Manager.

Cloudera Bug: OPSAPS-27278

Cloudera Manager displays warning about using RHEL 6 with Transparent Huge Pages (THP)

The THP algorithm was broken in certain variants of RHEL 6.2 and above. Cloudera Manager now displays a warning if THP is enabled for all RHEL 6 and above.

Cloudera Bug: OPSAPS-27035

Agent gets no logs if the last log4j event is larger than the max-size specified

If the byte_limit (max-size) specified by Cloudera Manager during log retrieval was smaller than the last log4j event to be collected, the Agent skipped the complete event and returned nothing. This behavior was modified so that the first N bytes (N = max-size) are picked from the log4j event and a partial log4j event is returned.

Cloudera Bug: OPSAPS-26406

Agent log retrieval does not always honor timeouts

Cloudera Manager Agents no longer enter an infinite loop during log retrieval.

Cloudera Bug: OPSAPS-26404

Cloudera Manager Agent missing log messages

The default timeout for displaying log entries (../logs/search and ../logs/context) has been increased to 60 seconds.

Cloudera Bug: OPSAPS-27358

Fixed cross-site scripting vulnerability

A cross-site scripting vulnerability was discovered and fixed in Cloudera Manager.

Cloudera Bug: OPSAPS-27496

New property added for ResourceManager high availability failover

The ZooKeeper session timeout property yarn.resourcemanager.zk-timeout-ms was added, and its default value is 1 minute.

Cloudera Bug: OPSAPS-20852

Set maximum value for YARN mapreduce.jobhistory.max-age-ms to 10 years

Cloudera Manager would previously display a validation error when the value was greater than 60 days.

Cloudera Bug: OPSAPS-27182

Added warning in upgrade wizard regarding dropped support for symlinks in CDH 5

This fix added a warning about removing HDFS symlinks when upgrading from CDH 4 to CDH 5.

Cloudera Bug: OPSAPS-26665

Refresh Data Directories command no longer fails on secure clusters

The DataNodeRefreshCommand now sets SCM_KERBEROS_PRINCIPAL in the environment of the command process, which causes hdfs.sh to do a kinit. Before this change, a manual kinit was required.

Cloudera Bug: OPSAPS-27068

New Sentry Synchronization Path Prefixes added in NameNode configuration are not enforced correctly

Any new path prefixes added in the NameNode configuration are not correctly enforced by Sentry. The ACLs are initially set correctly; however, they are reset to the old default after some time interval.

Cloudera Bug: OPSAPS-26141

Workaround: Set the following property in Sentry Service Advanced Configuration Snippet (Safety Valve) and Hive Metastore Server Advanced Configuration Snippet (Safety Valve) for hive-site.xml:
    <property>
      <name>sentry.hdfs.integration.path.prefixes</name>
      <value>/user/hive/warehouse, ADDITIONAL_DATA_PATHS</value>
    </property>
where ADDITIONAL_DATA_PATHS is a comma-separated list of HDFS paths where Hive data will be stored. The value should be the same value as sentry.authorization-provider.hdfs-path-prefixes set in the hdfs-site.xml on the NameNode.
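
The workaround above only holds while the safety-valve value and the NameNode value stay identical, so the following check compares the two. It is an added example, not Cloudera code: the property names come from the text above, while the sample XML, the function names, and the choice to compare the lists as sets after trimming whitespace and trailing slashes are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Property names taken from the workaround text above.
HIVE_SIDE_KEY = "sentry.hdfs.integration.path.prefixes"
NAMENODE_KEY = "sentry.authorization-provider.hdfs-path-prefixes"


def read_properties(xml_text):
    """Return {name: value} from Hadoop-style <property> elements.

    Accepts a full *-site.xml document or a bare run of <property>
    elements, which is the form pasted into a safety valve.
    """
    body = re.sub(r"<\?xml[^>]*\?>", "", xml_text)  # drop the XML prolog
    root = ET.fromstring("<wrapper>" + body + "</wrapper>")
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def split_prefixes(value):
    """Split a comma-separated prefix list into a normalized set."""
    prefixes = set()
    for item in value.split(","):
        path = item.strip()
        if not path:
            continue
        if len(path) > 1:
            path = path.rstrip("/")  # "/data/sales/" equals "/data/sales"
        prefixes.add(path)
    return prefixes


def compare_prefixes(snippet_xml, hdfs_site_xml):
    """Compare the safety-valve prefixes with the NameNode prefixes."""
    snippet = read_properties(snippet_xml)
    hdfs_site = read_properties(hdfs_site_xml)
    missing = []
    if HIVE_SIDE_KEY not in snippet:
        missing.append(HIVE_SIDE_KEY)
    if NAMENODE_KEY not in hdfs_site:
        missing.append(NAMENODE_KEY)
    hive_side = split_prefixes(snippet.get(HIVE_SIDE_KEY, ""))
    namenode = split_prefixes(hdfs_site.get(NAMENODE_KEY, ""))
    return {
        "missing_keys": missing,
        # Paths the NameNode synchronizes that the snippet does not list.
        "only_in_namenode": sorted(namenode - hive_side),
        "only_in_snippet": sorted(hive_side - namenode),
        # Catches a placeholder or relative path left in either list.
        "not_absolute": sorted(
            p for p in hive_side | namenode if not p.startswith("/")
        ),
        "consistent": not missing and hive_side == namenode,
    }


# Constructed sample inputs (not taken from a real cluster).
HDFS_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>sentry.authorization-provider.hdfs-path-prefixes</name>
    <value>/user/hive/warehouse,/data/sales/,/data/finance</value>
  </property>
</configuration>"""

SNIPPET_DRIFT = """<property>
  <name>sentry.hdfs.integration.path.prefixes</name>
  <value>/user/hive/warehouse, /data/sales</value>
</property>"""

SNIPPET_PLACEHOLDER = """<property>
  <name>sentry.hdfs.integration.path.prefixes</name>
  <value>/user/hive/warehouse, ADDITIONAL_DATA_PATHS</value>
</property>"""

if __name__ == "__main__":
    for label, snippet in (("drift", SNIPPET_DRIFT),
                           ("placeholder", SNIPPET_PLACEHOLDER)):
        print(label, compare_prefixes(snippet, HDFS_SITE))
```

Any entry under only_in_namenode is a path whose ACLs are still subject to the reset described in this issue.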

Fixed NullPointerException on health tests' Details page

The health tests Details page threw a NullPointerException because it was referring to a deprecated metric name.

Cloudera Bug: OPSAPS-27065

Improved Service Monitor Canary check to see if HTable is disabled

Without this check, Service Monitor would fail due to too many ZooKeeper connection messages leaking into the Service Monitor log. This resulted in resource and allocation pressures on the Service Monitor.

Cloudera Bug: OPSAPS-27318

Cloudera Manager no longer retains unnecessary references to HTables

Retaining too many unnecessary references to HTable was using up too much memory, especially when working with a large number of tables.

Cloudera Bug: OPSAPS-27319

Sqoop 2 failure in Kerberized clusters fixed

Cloudera Manager was using the wrong authentication package and picking up the wrong configuration properties for Sqoop 2 authentication with Kerberos.

Cloudera Bug: OPSAPS-27297

Fixed Solr server startup error

The Solr server would not start due to insufficient space for the shared memory file.

Cloudera Bug: OPSAPS-27158

Added HBase Canary security configuration properties

Enabling the HBase canary on a secure cluster would fail. The new properties now let Cloudera Manager specify the canary's Kerberos principal and keytab in the hbase-site.xml deployed at the RegionServers.

Cloudera Bug: OPSAPS-26468

Issues Fixed in Cloudera Manager 5.4.3

Improve Impala queries coordinator node metrics handling

For Impala queries that returned very few rows, Cloudera Manager could fail to report information such as HDFS I/O metrics on the Impala Query Monitoring and Query Detail pages. The discrepancy was typically relatively small because those queries often did very little work.

Cloudera Bug: OPSAPS-26531, OPSAPS-26533

Performance issues when changing configurations on HDFS

Fixed a performance issue where HDFS configuration pages responded slowly.

Cloudera Bug: OPSAPS-27171

Typo in Cloudera Manager metrics reference

The word “Concerning” was misspelled in many metrics reference pages.

Cloudera Bug: OPSAPS-26957

Issues with Navigator field audit_log_max_file_size

The log4j appender changed from RollingFileAppender to RollingFileWithoutDeleteAppender.

Cloudera Bug: OPSAPS-26978

The Isilon client configuration core-site.xml file does not contain proxy users

The parameters are available in the Cloudera Manager Admin Console, but the configurations are not emitted in the core-site.xml file.

Cloudera bug: OPSAPS-26816

Solr gateway role should not have a log4j.properties advanced configuration snippet

The Solr gateway role does not have a log4j.properties file.

Cloudera bug: OPSAPS-26858

The Cloudera Manager Agent force_start's hard stop commands did not set all invariants

This resulted in NPE being reported in Cloudera Manager logs when accessing active and recent command operations.

Cloudera bug: OPSAPS-26864

Configuration staleness icons appear to be enabled for users in read-only role

When moused over, the icons change to a hand indicating that they are active. However, users in the read-only role cannot act on changed configurations.

Cloudera bug: OPSAPS-26897

Setting yarn.resourcemanager.am.max-retries throws error

Observed when setting the Maximum Number of Attempts for MapReduce Jobs and then setting ApplicationMaster Maximum Attempts, which also sets yarn.resourcemanager.am.max-retries.

Cloudera bug: OPSAPS-26936

Cloudera Manager reports the wrong value for Impala bytes read from cache

Instead of cached bytes it reported the value of short circuit bytes.

Cloudera bug: OPSAPS-26938

Fixed cross-site scripting vulnerabilities

A variety of possible cross-site scripting vulnerabilities have been fixed.

Cloudera bugs: OPSAPS-26765, OPSAPS-26798, OPSAPS-26835, OPSAPS-26836, OPSAPS-26878, OPSAPS-26880, OPSAPS-25959

Location of Number of rows drop-down changed

On pages where multiple rows display, the drop-down menu where users select the number of rows to display on a page now appears at the bottom of all lists.

Cloudera bug: OPSAPS-26956

Minimum allowed value change for YARN property

The Max Shuffle Connections property now allows a value of 0, which indicates no limit on the number of connections.

Cloudera bug: OPSAPS-26953

Upgrade error

A bug was fixed that prevented upgrades from CDH 4.7.1 to CDH 5.4.3.

Cloudera bug: OPSAPS-27119

Change to Parcels page

On the Parcels page, the first cluster in the list is now automatically selected by default.

Cloudera bug: OPSAPS-27045

All Password Input Fields do not allow auto complete

All password input fields in Cloudera Manager do not allow auto complete.

Cloudera bug: OPSAPS-26927

TLS Keystore Configuration Error

It is no longer possible to delete the values of the Path to TLS Keystore File and Keystore Password properties and save them while the Use TLS Encryption for Admin Console property is enabled.

Cloudera bug: OPSAPS-26888

Host configuration properties and Agent restart messages

Some host configuration properties no longer incorrectly state that an Agent restart is required.

Cloudera bug: OPSAPS-26808

More detailed error messages for failed role migration

If there is a failure validating the NameNode or JournalNode data directories while migrating roles, Cloudera Manager now displays detailed error information, including error codes.

Cloudera bug: OPSAPS-26803

New property to configure Oozie shared library upload timeout

To prevent timeouts due to slow disks or networks, a new Oozie property, Oozie Upload ShareLib Command Timeout, has been added to set the timeout.

Cloudera bug: OPSAPS-26782

New Cluster-Wide Configuration Pages

The following new Cluster-Wide configuration pages have been added:
  • Databases
  • Local Data Directories
  • Local Data Files
  • Navigator Settings
  • Service Dependencies

To access these pages in Cloudera Manager, select Cluster > Cluster Name > Configuration.

Cloudera bug: OPSAPS-26730

Naming of Health Tests

The names of some Health Tests have changed to use consistent capitalization.

Cloudera bug: OPSAPS-26690

Impala Monitoring Queries for Per-node peak memory

Impala queries that report per-node peak memory were incorrect when the value is zero.

Cloudera bug: OPSAPS-26721

Enable Hive on Spark Property

The description of the Enable Hive on Spark property has been updated to remind the user that the Enable Spark on YARN property must also be selected.

Cloudera bug: OPSAPS-26560

Role Trigger property in Flume

Setting a value for the Flume Role Triggers property no longer causes validation warnings.

Cloudera bug: OPSAPS-26743

Restart of Service Monitor leaves files that can fill the disk

Restarts of the Service Monitor no longer leave extraneous copies of files that unnecessarily take up disk space.

Cloudera bug: OPSAPS-26660

HiveServer 2 properties omit Java options

Setting any of the following properties no longer causes Java options to be omitted:
  • Allow URIs in Database Policy File
  • HiveServer2 TLS/SSL Certificate Trust Store File
  • HiveServer2 TLS/SSL Certificate Trust Store Password

Cloudera bug: OPSAPS-26657

CDH Parcel distribution reports HTTP 503 errors

Cloudera Manager no longer displays HTTP 503 errors during distribution of the CDH parcel to a large cluster.

Cloudera bug: OPSAPS-26627

Diagnostic bundle reports incorrect status for SELinux

Diagnostic bundles sometimes reported SELinux as disabled when it was enabled. The bundle now reports the correct status.

Cloudera bug: OPSAPS-26608

Hue configuration warnings do not link to correct page

On the Cloudera Manager page that displays Hue configuration issues, the links now take the user to the correct page where the user can correct the configuration.

Cloudera bug: OPSAPS-26600

Date display in Cloudera Manager log viewer

The month and date have been added before the time value in logs displayed in Cloudera Manager.

Cloudera bug: OPSAPS-26599

Disabling Hive Metastore Canary Test

When you disable the Hive Metastore health test by deselecting the Hive Metastore Canary Health property, the Hive Canary is now also disabled.

Cloudera bug: OPSAPS-26588

Agent failure when TLS 1.0 is disabled

If TLS 1.0 is disabled, the Agent now tries to negotiate the connection using TLS 1.1 or TLS 1.2.

Cloudera bug: OPSAPS-26584

Slowness when displaying details of a stale configuration

The details page now displays more quickly when a user clicks on the Stale Configuration icon.

Cloudera bug: OPSAPS-26537

Slowness observed when accessing replication page in Cloudera Manager

When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.

Cloudera Bug: OPSAPS-26529

Log Searches for Cloudera Manager Server

Searching the Cloudera Manager Server logs now works as expected.

Cloudera bug: OPSAPS-26470

Failed TLS Configuration and Cloudera Manager Restart

If the TLS configuration has errors, Cloudera Manager now falls back to non-TLS operation when restarting.

Cloudera bug: OPSAPS-27104

New headers added

New headers have been added to Cloudera Manager HTTP response headers to protect against vulnerabilities.

Cloudera bug: OPSAPS-25847

Hive Logging property restored

The Enable Explain Logging (hive.log.explain.output) property was removed in an earlier release and is now included in the configurations.

Cloudera bug: OPSAPS-25857

Hive Metastore Update NameNodes Command

A 150 second timeout was removed from the Update Hive Metastore NameNodes command to prevent timeouts on deployments that use Hive extensively.

Cloudera bug: OPSAPS-26056

Kafka Parcel Installation

Cloudera Manager now correctly detects the Kafka version for parcel installation.

Cloudera bug: OPSAPS-26071

Agent restart failure

In a condition where an Agent restart was required due to a Hive configuration change and a subsequent disk failure, the Agent now restarts as expected.

Cloudera bug: OPSAPS-26172

Error message wording

Some Cloudera Manager error messages referred to Cloudera Manager as “CM”. These messages now use the full name “Cloudera Manager”.

Cloudera bug: OPSAPS-26191

Oozie metrics failures

Retrieval of Oozie metrics sometimes fails due to timeout issues which are now resolved.

Cloudera bug: OPSAPS-26242

NameNode Role Migration Failures

When a NameNode role migration fails due to the destination role data directories being non-empty or having incorrect permissions, you no longer need to complete the migration manually. An error message displays and you can now correct the problem and re-run the command.

Cloudera bug: OPSAPS-26265

AWS S3 HBase configuration property renamed to Amazon S3

Several configuration properties for HBase have been renamed from AWS S3 to Amazon S3, in order to use the correct product name.

Cloudera bug: OPSAPS-23343

NodeManager Host Resources page display for the NodeManager Recovery Directory

The NodeManager Recovery Directory now displays on the NodeManager host resources page.

Cloudera bug: OPSAPS-23916

Host Inspector page now includes link to Show Inspector Results

The Host Inspector page now displays a link to a page that displays detailed results.

Cloudera bug: OPSAPS-24642

Initialization Script Improvements

The Cloudera Manager Agent initialization script now checks correctly for running processes.

Cloudera bug: OPSAPS-24941

Default Value for Hue parameter changed

The default value for the Hue cherrypy_server_threads property has been changed from 10 to 50.

Cloudera bug: OPSAPS-25030

Express Installation Wizard Package Installation Page CDH Version

The Express Installation Wizard Package installation page no longer allows the user to proceed without selecting a CDH version.

Cloudera bug: OPSAPS-25722

Host Component page display

The Host Component page now displays the package version for the KMS Trustee Key Provider.

Cloudera bug: OPSAPS-25692

Installation Wizard hangs during package installation

The Installation Wizard hangs during a CDH package installation and the status displays as “Acquiring Installation Lock”. A bug was fixed where the Agent incorrectly failed to release a lock until the Agent was restarted.

Cloudera bug: OPSAPS-22894

Minimum allocation violation not caught by Cloudera Manager

NodeManager did not start because Cloudera Manager did not correctly validate memory and CPU settings against their minimum values.

Cloudera bug: OPSAPS-17157

Impala core dump directories are now configurable

Three new properties that specify the location of core dump directories have been added to the Impala configurations:
  • Catalog Server Core Dump Directory
  • Impala Daemon Core Dump Directory
  • StateStore Core Dump Directory

Cloudera bug: OPSAPS-21743

Typo in Sqoop DB path suffix (SqoopParams.DERBY_SUFFIX)

Sqoop 2 appears to lose data when upgrading to CDH 5.4. This is due to Cloudera Manager erroneously configuring the Derby path with "repositoy" instead of "repository". The correct path name is now used.

Cloudera Bug: OPSAPS-26649

Agent fails when retrieving log files with very long messages

When searching or retrieving large log files using the Agent, the Agent no longer consumes near 100% CPU until it is restarted. This can also happen when the collect host statistics command is issued.

Cloudera bug: OPSAPS-25854

Automated Solr TLS/SSL configuration may fail silently

Cloudera Manager 5.4.1 offers simplified TLS/SSL configuration for Solr. This process uses a solrctl command to configure the urlScheme Solr cluster property. The solrctl command produces the same results as the Solr REST API call /solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https. For example, the call might appear as: https://example.com:8983/solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https

Cloudera Manager automatically executes this command during Solr service startup. If this command fails, the Solr service startup now reports an error.

Cloudera Bug: OPSAPS-26563

Removing the default value of a property fails

For example, when you access the Automatically Downloaded Parcels property on the following page: Home > Administration > Settings and remove the default CDH value, the following error message displays: "Could not find config to delete with template name: parcel_autodownload_products". This error has been fixed.

Cloudera bug: OPSAPS-26591

Issues Fixed in Cloudera Manager 5.4.1

distcp default configuration memory settings overwrite MapReduce settings

Replication used for backup and disaster recovery does not correctly set the MapReduce Java options, and you cannot configure them. In release 5.4.1, Cloudera Manager uses the MapReduce gateway configuration to determine the Java options for replication jobs. Replication job settings cannot be configured independently of MapReduce gateway configuration. See Backup and disaster recovery replication does not set MapReduce Java options.

Oozie high availability plug-in is now configured by Cloudera Manager

In CDH 5.4.0, Oozie added a new HA plugin that allows all of the Oozie servers to synchronize their Job ID assignments and prevent collisions. Cloudera Manager 5.4.0 did not configure this new plugin; Cloudera Manager 5.4.1 now does so.

Cloudera Bug: OPSAPS-25778

HDFS read throughput Impala query monitoring property is misleading

The hbase_bytes_read_per_second and hdfs_bytes_read_per_second Impala query properties have been renamed to hbase_scanner_average_bytes_read_per_second and hdfs_scanner_average_bytes_read_per_second to more accurately reflect that these properties return the average throughput of the query's HBase and HDFS scanner threads, respectively. The previous names and descriptions indicated that these properties were the query's total HBase and HDFS throughput, which was not accurate.

Cloudera Bug: OPSAPS-26140

Enabling wildcarding in a secure environment causes NameNode to fail to start

In a secure cluster, if you use a wildcard for the NameNode's RPC or HTTP bind address, the NameNode fails to start. For example, dfs.namenode.http-address must be a real, routable address and port, not 0.0.0.0.port. In Cloudera Manager, the "Bind NameNode to Wildcard Address" property must not be enabled. This should affect you only if you are running a secure cluster and your NameNode needs to bind to multiple local addresses.

Cloudera Bug: CDH-9991, OPSAPS-14577

Bug: HDFS-4448

Workaround: Disable the "Bind NameNode to Wildcard Address" property found on the Configuration tab for the NameNode role group.

Support for adding Hue with high availability

The Express and Add Service wizards now allow users to define multiple Hue service roles. If Kerberos is enabled, a co-located KT Renewer role is automatically added for each Hue server row.

Cloudera Bug: OPSAPS-21639

Parameter validation fails with more than one Hue role

When you add a second Hue role to a cluster, the error message "Failed parameter validation" displays.

Cloudera Bug: OPSAPS-25336

Cross-site scripting vulnerabilities

Various cross-site scripting vulnerabilities were fixed.

Cloudera Bug: OPSAPS-25809

Clicking the "Revert to default" icon stores the default value as a user-defined value in the new configuration pages

Cloudera Manager 5.4.1 fixes an issue in which saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.

Cloudera Bug: OPSAPS-26340

Spurious validation warning and missing validations when multiple Hue Server roles are present

When multiple Hue Server roles are created for a single Hue Service, Cloudera Manager displays a spurious validation warning for Hue with the label "Failed parameter validation." The Cloudera Manager Server log may also contain exception messages of the form:
2015-03-30 17:15:45,077 WARN ActionablesProvider-0:com.cloudera.cmf.service.ServiceModelValidatorImpl:
Parameter validation failed java.lang.IllegalArgumentException: There is more than one role with roletype: HUE_SERVER [...] {
These messages do not correspond to actual validation warnings and can be ignored. However, some validations normally performed are skipped when this spurious warning is generated, and should be done manually. Specifically, if Hue's authentication mechanism is set to LDAP, the following configuration should be validated:
  1. The Hue LDAP URL property must be set.
  2. For CDH 4.4 and lower, set one (but not both) of the following two Hue properties: NT Domain or LDAP Username Pattern.
  3. For CDH 4.5 and higher, if the Hue property Use Search Bind Authentication is selected, exactly one of the two Hue properties NT Domain and LDAP Username Pattern must be set, as described in step 2 above.

Cloudera Bug: OPSAPS-25336

Logging of command unavailable message improved

When a command is unavailable, the error messages are now more descriptive.

Cloudera Bug: OPSAPS-26384

Client configuration logs no longer deleted by the Agent

If the Agent fails to deploy a new client configuration, the client log file is no longer deleted by the agent. The Agent saves the log file and appends new log entries to the saved log file.

Cloudera Bug: OPSAPS-26148

HDFS role migration requires certain HDFS roles to be running

Before using the Migrate Roles wizard to migrate HDFS roles, you must ensure that the following HDFS roles are running as described:

  • A majority of the JournalNodes in the JournalNode quorum must be running. With a quorum size of three JournalNodes, for example, at least two JournalNodes must be running. The JournalNode on the source host need not be running, as long as a majority of all JournalNodes are running.
  • When migrating a NameNode and co-located Failover Controller, the other Failover Controller (that is, the one that is not on the source host) must be running. This is true whether or not a co-located JournalNode is being migrated as well, in addition to the NameNode and Failover Controller.
  • When migrating a JournalNode by itself, at least one NameNode / Failover Controller co-located pair must be running.

Cloudera Bug: OPSAPS-25870, OPSAPS-25878

HDFS role migration requires automatic failover to be enabled

Migration of HDFS NameNode, JournalNode, and Failover Controller roles through the Migrate Roles wizard is only supported when HDFS automatic failover is enabled. Otherwise, it causes a state in which both NameNodes are in standby mode.

Cloudera Bug: OPSAPS-25806, OPSAPS-25822

HDFS/Hive replication fails when replicating to target cluster that runs CDH 4 and has Kerberos enabled

Cloudera Bug: OPSAPS-25945

Workaround: None.

Issues Fixed in Cloudera Manager 5.4.0

Proxy Configuration in Single User Mode is Fixed

In single user mode, all services are using the same user to proxy other users in an unsecure cluster, which is the user that is running all the CDH processes on the cluster. To restrict that user so that it can proxy other users from only certain hosts and only certain groups, configure the YARN Proxy User Hosts and YARN Proxy User Groups properties in the HDFS service. The setting here supersedes all other proxy user configurations in single user mode.

Cloudera Bug: OPSAPS-25518

The Parcels page allows access to the patch release notes

Clicking the icon with an "i" in a blue circle next to a parcel shows the release notes.

Cloudera Bug: OPSAPS-25481

Monitoring Fails on Impala Catalog Server with TLS/SSL Enabled

When enabling TLS/SSL for Impala web servers (webserver_certificate_file), Cloudera Manager does not emit use_ssl in the cloudera-monitor.properties file for the Catalog Server. Other services (Impala Daemon and StateStore) are configured correctly. This causes monitoring to fail for the Catalog Server even though it is working as expected.

Cloudera Bug: OPSAPS-25469

Default Value Changed for hive.exec.reducers.bytes.per.reducer

To improve performance, the default value for the hive.exec.reducers.bytes.per.reducer property has been changed from 1 GB to 64 MB. If this value has been customized, the customized value is retained during an upgrade. If the old default of 1 GB was not changed, the value will be updated to 64MB during an upgrade.

Cloudera Bug: OPSAPS-24883

Issues Fixed in Cloudera Manager 5.3.10

Scheme and location not filled in consistently during Hive replication import

In previous releases, Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Bug: OPSAPS-31522

YARN jobs fail after enabling Kerberos authentication or selecting Always Use Container Executor

After Kerberos security was enabled on a cluster or Always Use Container Executor was selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of Container Executor.

Cloudera Bug: OPSAPS-32050

Issues Fixed in Cloudera Manager 5.3.9

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, and Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, Cloudera Manager 5.2.9 and CDH 5.2.9, Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Cloudera Manager monitors subject to excessive garbage-collection workload

The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.

Cloudera Bug: OPSAPS-30058

Cloudera Manager dry-run replication history shows unexpected values

BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.

The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.

Cloudera Bug: OPSAPS-30387

Updating the Hive NameNode location multiple times could lead to data corruption

Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Bug: OPSAPS-30155

Issues Fixed in Cloudera Manager 5.3.8

Rolling Restart fails when inheriting inappropriate JVM properties

Rolling Restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.

Cloudera Bug: OPSAPS-28353

Exception thrown when viewing host configuration change

When ConfigContext is initialized to both cluster and host, it defaults to cluster. If the context is a host, this can cause the ConfigTableUtil class to throw an IllegalStateException.

Cloudera Bug: OPSAPS-28795

Issues Fixed in Cloudera Manager 5.3.7

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Issues Fixed in Cloudera Manager 5.3.6

Cloudera Manager reports the wrong value for Impala bytes read from cache

Instead of cached bytes, it reported the value of short-circuit bytes.

Cloudera Bug: OPSAPS-26938

Cancel Impala Query attempts to connect via TLS/SSL despite TLS/SSL being disabled

In Impala queries, if you select Cancel for any query, you get a small "internal error" at the top of the query list. This is because an attempt to connect via TLS/SSL is made even though Impala does not have TLS/SSL enabled.

Cloudera Bug: OPSAPS-27146

The Cloudera Manager displays a spurious validation warning about the Cloudera Management Service truststore

Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services even if no Cloudera Management Service truststore is in use.

Cloudera Bug: OPSAPS-27473

Issues Fixed in Cloudera Manager 5.3.4

Slowness observed when accessing replication page in Cloudera Manager

When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.

Cloudera Bug: OPSAPS-26529

Cloudera Manager overwrites the krb5.conf file after disabling management by Cloudera Manager

When a cluster has been configured to enable Kerberos by clicking the Manage krb5.conf through Cloudera Manager button, Cloudera Manager writes out a krb5.conf file. If a user subsequently disables this feature by disabling the Manage krb5.conf through Cloudera Manager option and then restarting Cloudera Manager and the Agent, Cloudera Manager overwrites the existing krb5.conf file.

Cloudera Bug: OPSAPS-25282

Header injection vulnerability in internal logging call

An internal call to a servlet with a malformed logger name created information that could be used in a cross-site scripting attack.

Cloudera Bug: OPSAPS-26487

Graph for "Total Containers Running Across NodeManagers" displays high values

The graph Total Containers Running Across NodeManagers, which displays on the YARN status page, displayed incorrect high values.

Cloudera Bug: OPSAPS-26247

Clicking the "Revert to default" icon stores the default value as a user-defined value in the new configuration pages

Saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.

Cloudera Bug: OPSAPS-26340

Some Operational Reports do not return results

The following reports do not return results:
  • Overpopulated Directories
  • Large Directories
  • Custom Reports where the Replication parameter is set to 0.

Cloudera Bug: OPSAPS-26178

Xalan has been upgraded to version 2.7.2

To address a vulnerability identified by CVE-2014-0107, Xalan has been updated to version 2.7.2.

Cloudera Bug: OPSAPS-26408

Setting threshold values of -1 or -2 not accepted in new configuration layout pages

When you set threshold values in various properties, you could not select Specify and then enter -1 to indicate "Any" or -2 to indicate "Never". You can now enter -1 or -2.

Cloudera Bug: OPSAPS-26066

Rolling upgrade arguments are reversed

The following arguments for rolling upgrade are reversed:
  • Sleep seconds
  • Failure threshold

Cloudera Bug: OPSAPS-26158

Issues Fixed in Cloudera Manager 5.3.3

hive.metastore.client.socket.timeout default value changed to 60

The default value of the hive.metastore.client.socket.timeout property has changed to 60 seconds.

Cloudera Bug: OPSAPS-25270

TLS/SSL Enablement property name changes

The property hadoop.ssl.enabled is deprecated. Cloudera Manager has been updated to use either dfs.http.policy or yarn.http.policy properties instead.

Cloudera Bug: OPSAPS-24985

Changing the Service Monitor Client Config Overrides property requires restart

Cloudera Manager no longer requires you to restart your cluster after changing the Service Monitor Client Config Overrides property for a service.

Cloudera Bug: OPSAPS-25272

Cluster name changed from specified name to "cluster" after upgrade

After updating to a new release, Cloudera Manager replaces the specified cluster name with cluster. Cloudera Manager now uses the correct cluster name.

Cloudera Bug: OPSAPS-25279

Configuration without host_id in upgrade DDL causes upgrade problems

A client configuration row in the database DDL did not set host_id, causing upgrade problems. Cloudera Manager now catches this condition before upgrading.

Cloudera Bug: OPSAPS-25321

hive.log.explain.output property is hidden

The property hive.log.explain.output is known to make Cloudera Manager Agents unstable in some specific circumstances, especially when Hive queries generate extremely large EXPLAIN outputs. Therefore, the property has been hidden from the Cloudera Manager configuration screens. You can still configure the property by using advanced configuration snippets.

Cloudera Bug: OPSAPS-25852

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5.x, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

Spark and Spark (standalone) services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package

Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.

Workaround: After upgrading the rest of the services, uninstall the old CDH packages, and then start the Spark service.

Cloudera Bug: OPSAPS-24005

Deploy client configuration across cluster after upgrade from Cloudera Manager 4.x to 5.3

Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.

Cloudera Bug: OPSAPS-24279

Oozie health bad when Oozie is HA, cluster is kerberized, and Cloudera Manager and CDH are upgraded

Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.

Cloudera Bug: OPSAPS-23872

Workaround: Disable Oozie HA and then re-enable HA again.

HDFS/Hive replication fails when replicating to target cluster that runs CDH 4.0 and has Kerberos enabled

Cloudera Bug: OPSAPS-25945

Workaround: None.

Issues Fixed in Cloudera Manager 5.3.2

The Review Changes page sometimes hangs

The Review Changes page hangs due to the inability to handle the "File missing" scenario.

Cloudera Bug: OPSAPS-24872

High volume of TGT events against AD server with "bad token" messages

A fix has been made to how Kerberos credential caching is handled by management services, resulting in a reduction in the number of Kerberos Ticket Granting Ticket (TGT) requests from the cluster to a KDC. This would have been noticed as "Bad Token" messages being seen in high volume in KDC logging and unnecessarily causing re-authentication by management services.

Cloudera Bug: OPSAPS-24800

Accumulo missing kinit when running with Kerberos

Cloudera Manager is unable to run Accumulo when the hostname command does not return the FQDN of hosts.

Cloudera Bug: OPSAPS-24792

HiveServer2 leaks threads when using impersonation

For CDH 5.3 and higher, Cloudera Manager will configure HiveServer2 to use the HDFS cache even when impersonation is on. For earlier CDH, there were bugs with the cache when impersonation was in use, so it is still disabled.

Cloudera Bug: OPSAPS-24751

Deploying client configurations fails if there are dead hosts present in the cluster

If there are hosts in the cluster where the Cloudera Manager agent heartbeat is not working, then deploying client configurations does not work. Starting with Cloudera Manager 5.3.2, such hosts are ignored while deploying client configurations. When the issues with the host are fixed, Cloudera Manager will show those hosts as having stale client configurations, at which point you can redeploy them.

Cloudera Bug: OPSAPS-24748

Health test monitors free space available on the wrong filesystem

The Cloudera Manager Health Test to monitor free space available for the Cloudera Manager Agent's process directory monitors space on the wrong filesystem. It should monitor the tmpfs that the Cloudera Manager Agent creates, but instead monitors the Cloudera Manager Agent working directory.

Cloudera Bug: OPSAPS-24733

Starting ZooKeeper Servers from Service or Instance page fails

Stopped ZooKeeper servers cannot be started from the Service or Instance page, but only from the Role page of the server using the start action for the role.

Cloudera Bug: OPSAPS-24725

Flume Metrics page does not render agent metrics

Starting in Cloudera Manager 5.3, some or all Flume component data was missing from the Flume Metrics Details page.

Cloudera Bug: OPSAPS-24525

Broken link to help pages on Chart Builder page

The help icon (question mark) on the Chart Builder page returns a 404 error.

Cloudera Bug: OPSAPS-24424

Import MapReduce configurations to YARN now handles NodeManager vcores and memory

Running the wizard to import MapReduce configurations to YARN will now populate yarn.nodemanager.resource.cpu-vcores and yarn.nodemanager.resource.memory-mb correctly based on equivalent MapReduce configuration.

Cloudera Bug: OPSAPS-21540; KI added Cloudera Manager 5.1.0

Issues Fixed in Cloudera Manager 5.3.1

Deploy client configuration across cluster after upgrade from Cloudera Manager 4.x to 5.3

Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.

Cloudera Bug: OPSAPS-24279

Oozie health bad when Oozie is HA, cluster is kerberized, and Cloudera Manager and CDH are upgraded

Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.

Cloudera Bug: OPSAPS-2387

Workaround: Disable Oozie HA and then re-enable HA again.

Deploy client configuration no longer fails after 60 seconds

When configuring a gateway role on a host that already contains a role of the same type—for example, an HDFS gateway on a DataNode—the deploy client configuration command no longer fails after 60 seconds.

Cloudera Bug: OPSAPS-24426

service cloudera-scm-server force_start now works

Cloudera Bug: OPSAPS-24489

After deleting services, the Cloudera Manager Server log no longer contains foreign key constraint failure exceptions

Cloudera Bug: OPSAPS-24377

When using Isilon, Cloudera Manager now sets mapred_submit_replication correctly

When EMC Isilon storage is used, there is no DataNode, so you cannot set mapred_submit_replication to a number smaller than or equal to the number of DataNodes in the network. Cloudera Manager now does the following when setting mapred_submit_replication:

  • If using HDFS, sets to a minimum of 1 and issues a warning when greater than the number of DataNodes
  • If using Isilon, sets to 1 and does not check against the number of DataNodes

Cloudera Bug: OPSAPS-24391

The Cloudera Manager Agent now sets the file descriptor ulimit correctly on Ubuntu

Cloudera Bug: OPSAPS-24416

During upgrade, bootstrapping the standby NameNode step no longer fails with standby NameNode connection refused when connecting to active NameNode

Cloudera Bug: OPSAPS-24074

Deploy krb5.conf now also deploys it on hosts with Cloudera Management Service roles

Cloudera Bug: OPSAPS-21329

Cloudera Manager allows upgrades to unknown CDH maintenance releases

Cloudera Manager 5.3.0 supports any CDH release less than or equal to 5.3, even if the release did not exist when Cloudera Manager 5.3.0 was released. For packages, you cannot currently use the upgrade wizard to upgrade to such a release. This release adds a custom CDH field for the package case, where you can type in a version that did not exist at the time of the Cloudera Manager release.

Cloudera Bug: OPSAPS-24355

impalad memory limit units error in EnableLlamaRMCommand

The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.

Running MapReduce v2 jobs are now visible using the Application Master view

In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.

Deleting services no longer results in foreign key constraint exceptions

The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.

HiveServer2 keystore and LDAP group mapping passwords are no longer exposed in client configuration files

The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.

Cloudera Bug: OPSAPS-24442, OPSAPS-24469

A cross-site scripting vulnerability in Cloudera Management Service web UIs fixed

Cloudera Bug: OPSAPS-24080

The high availability wizard now sets the HDFS dependency on ZooKeeper

Cloudera Bug: OPSAPS-24420

Workaround: Before enabling high availability, do the following:
  1. Create and start a ZooKeeper service if one does not exist.
  2. Go to the HDFS service.
  3. Click the Configuration tab.
  4. Select HDFS Service-Wide.
  5. Select Category > Main.
  6. Locate the ZooKeeper Service property or search for it by typing its name in the Search box. Select the ZooKeeper service you created.

    To apply this configuration property to other role groups as needed, edit the value for the appropriate role group. See Modifying Configuration Properties Using Cloudera Manager.

  7. Click Save Changes to commit the changes.

BDR no longer assumes superuser is common if clusters have the same realm

If the source and destination clusters are in the same Kerberos realm, Cloudera Manager assumed that the superuser of the destination is also the superuser on the source cluster. However, HDFS can be configured so that this is not the case.

Cloudera Bug: OPSAPS-24417

Issues Fixed in Cloudera Manager 5.3.0

Setting the default umask in HDFS fails in new configuration layout

Setting the default umask in the HDFS configuration section to 002 in the new configuration layout displays an error: "Could not parse: Default Umask : Could not parse parameter 'dfs_umaskmode'. Was expecting an octal value with a leading 0. Input: 2", preventing the change from being submitted.

Cloudera Bug: OPSAPS-24340

Workaround: Submit the change using the classic configuration layout.

Spark and Spark (standalone) services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package

Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.

Workaround: After upgrading the rest of the services, uninstall the old CDH packages, and then start the Spark service.

Cloudera Bug: OPSAPS-24005

Fixed MapReduce Usage by User reports when using an Oracle database backend

Enabling Integrated Resource Management for Impala sets Impala Daemon Memory Limit Incorrectly

The Enable Integrated Resource Management command for Impala (available from the Actions pull-down menu on the Impala service page) sets the Impala Daemon Memory Limit to an unusably small value. This can cause Impala queries to fail.

Workaround 1: Upgrade to Cloudera Manager 5.3.

Workaround 2:
  1. Run the Enable Integrated Resource Management wizard up to the Restart Cluster step. Do not click Restart Now.
  2. Click on the leave this wizard link to exit the wizard without restarting the cluster.
  3. Go to the YARN service page. Click Configuration, expand the category NodeManager Default Group, and click Resource Management.
  4. Note the value of the Container Memory property.
  5. Go to the Impala service page and click Configuration. Type impala daemon memory limit into the search box.
  6. Set the value of the Impala Daemon Memory Limit property to the value noted in step 4 above.
  7. Restart the cluster.

Cloudera Bug: OPSAPS-24255

Rolling restart and upgrade of Oozie fails if there is a single Oozie server

Rolling restart and upgrade of Oozie fails if there is only a single Oozie server. Cloudera Manager will show the error message "There is already a pending command on this role."

Workaround: If you have a single Oozie server, do a normal restart.

Cloudera Bug: OPSAPS-23954

Allow "Started but crashed" processes to be restarted by a Start command

In Cloudera Manager 5.3, it is now possible to restart a crashed process with the Start command and not just the Restart command.

Cloudera Bug: OPSAPS-23567

Add dependency from Agent to Daemons package to yum

In Cloudera Manager 5.3, an explicit dependency has been added from the Agent package to the Daemons package so that upgrading Cloudera Manager 5.2.0 or later to Cloudera Manager 5.3 causes the agent to be upgraded as well. Previously, the Cloudera Manager installer always installed both packages, but this is now enforced at the package dependency level as well.

Cloudera Bug: OPSAPS-24079

Issues Fixed in Cloudera Manager 5.2.8

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, and Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, Cloudera Manager 5.2.9 and CDH 5.2.9, Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Issues Fixed in Cloudera Manager 5.2.7

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Issues Fixed in Cloudera Manager 5.2.6

Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is a backlog of audit logs), it starves the main Agent thread. As a result, the main Agent thread does not send heartbeats and does not respond to commands from the Cloudera Manager Server.

Cloudera Bug: TSB-60

Problems restarting the NameNode

The NameNode would not restart due to a blocked thread that was processing audit events.

Cloudera Bug: OPSAPS-26129

Cloudera Manager reports the wrong value for Impala bytes read from cache

Instead of cached bytes, it reported the value of short-circuit bytes.

Cloudera Bug: OPSAPS-26938

Directory operational reports do not return results

The following reports now return results:
  • Overpopulated Directories
  • Large Directories
  • Custom reports where Replication = 0

Cloudera Bug: OPSAPS-26178

Cloudera Manager uses Xalan 2.7.2

The version of Xalan used in Cloudera Manager has been upgraded to version 2.7.2 to address a possible vulnerability.

Cloudera Bug: CDH-27059

Cluster name changed to "cluster" after upgrade

After upgrading CDH, the display name of the cluster no longer changes to “cluster”.

Cloudera Bug: OPSAPS-25279

Cloudera Manager monitors the wrong directory for space threshold warnings

Cloudera Manager was monitoring the disk space thresholds using the /var/run/cloudera-scm-agent directory. Cloudera Manager now monitors the correct directory: /var/run/cloudera-scm-agent/process.

Cloudera Bug: OPSAPS-24529

Default timeout value for the Hive MetaStore changed to 60 seconds

The default value in the Hive Service Monitor Client Config Overrides property for the hive.metastore.client.socket.timeout property is now 60.

Cloudera Bug: OPSAPS-24346

Changing client configuration overrides

Changes made to client configuration overrides did not take effect until the service was restarted.

Cloudera Bug: OPSAPS-25194

Issues Fixed in Cloudera Manager 5.2.5

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

Permissions set incorrectly on YARN Keytab files

Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.

Cloudera Bug: OPSAPS-25390, TSB-48

Issues Fixed in Cloudera Manager 5.2.2

Impalad memory limit units error in EnableLlamaRMCommand has been fixed

The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.

Fixed MapReduce Usage by User reports when using an Oracle database backend

HiveServer2 keystore and LDAP group mapping passwords are no longer exposed in client configuration files

The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.

Cloudera Bug: OPSAPS-24442, OPSAPS-24469

Running MapReduce v2 jobs are now visible using the Application Master view

In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.

Deleting services no longer results in foreign key constraint exceptions

The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.

Issues Fixed in Cloudera Manager 5.2.1

“POODLE” vulnerability on TLS/SSL enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager in 5.2.0 and all earlier versions. Cloudera Manager 5.2.1 provides these changes for Cloudera Manager 5.2.0 deployments. All Cloudera Manager 5.2.0 users should upgrade to 5.2.1 as soon as possible. For more information, see the Cloudera Security Bulletin.

Can use the log4j advanced configuration snippet to override the default audit logging configuration even if not using Navigator

In Cloudera Manager 5.2.0 only, it was not possible to use the log4j advanced configuration snippet to override the default audit logging configuration when Navigator was not being used.

Cloudera Bug: OPSAPS-23864

Cloudera Manager now collects metrics for CDH 5.0 DataNodes and NameNodes

A number of NameNode and DataNode charts show no data and a number of NameNode and DataNode health checks show unknown results. Metric collection for CDH 5.1 roles is unaffected.

Cloudera Bug: OPSAPS-23363

Workaround: None.

The Reports Manager and Event Server Thrift servers no longer crash on HTTP requests

Previously, HTTP requests sent to the Reports Manager or Event Server Thrift server caused the server to crash with an out-of-memory exception.

Cloudera Bug: OPSAPS-23160

Replication commands now use the correct JAVA_HOME if an override has been provided for it

ZooKeeper connection leaks from HBase clients in Service Monitor have been fixed

When a parcel is activated, user home directories are now created with umask 022 instead of using the "useradd" default 077

Cloudera Bug: OPSAPS-23680

Issues Fixed in Cloudera Manager 5.2.0

Bug in openssl-1.0.1e-15 disrupts TLS/SSL communication between Cloudera Manager Agents and CDH services

This issue was observed in TLS/SSL-enabled clusters running CentOS 6.4 and 6.5, where the Cloudera Manager Agent failed when trying to communicate with CDH services. You can see the bug report here.

Cloudera Bug: OPSAPS-23324

Workaround: Upgrade to openssl-1.0.1e-16.el6_5.7.x86_64.

Alternatives database points to client configurations of deleted service

In the past, if you created a service, deployed its client configurations, and then deleted that service, the client configurations remained in the alternatives database, possibly with a high priority, until they were cleaned up manually. Now, for a given "alternatives path" (for example, /etc/hadoop/conf), if both "live" client configurations (ones that would be pushed out by Deploy Client Configurations for active services) and "orphaned" client configurations (ones whose service has been deleted) exist, the orphaned ones are removed from the alternatives database. In other words, to trigger cleanup of client configurations associated with a deleted service, you must create a service to replace it.

Cloudera Bug: OPSAPS-13336

The YARN property ApplicationMaster Max Retries has no effect in CDH 5

The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.

Cloudera Bug: OPSAPS-21797

Workaround:
  1. Add the following to ResourceManager Advanced Configuration Snippet for yarn-site.xml, replacing MAX_ATTEMPTS with the desired maximum number of attempts:
    <property>
    <name>yarn.resourcemanager.am.max-attempts</name><value>MAX_ATTEMPTS</value>
    </property>
  2. Restart the ResourceManager(s) to pick up the change.

The Spark History Server does not start when Kerberos authentication is enabled.

The Spark History Server does not start when managed by a Cloudera Manager 5.1 instance when Kerberos authentication is enabled.

Workaround:
  1. Go to the Spark service.
  2. Expand the Service-Wide > Advanced category.
  3. Add the following configuration to the History Server Environment Advanced Configuration Snippet property:
    SPARK_HISTORY_OPTS=-Dspark.history.kerberos.enabled=true \
    -Dspark.history.kerberos.principal=principal \
    -Dspark.history.kerberos.keytab=keytab
where principal is the name of the Kerberos principal to use for the History Server, and keytab is the path to the principal's keytab file on the local filesystem of the host running the History Server.

Cloudera Bug: CDH-19867

Hive replication issue with TLS enabled

Hive replication will fail when the source Cloudera Manager instance has TLS enabled, even though the required certificates have been added to the target Cloudera Manager's trust store.

Cloudera Bug: OPSAPS-22159

Workaround: Add the required Certificate Authority or self-signed certificates to the default Java trust store, which is typically a copy of the cacerts file named jssecacerts in the $JAVA_HOME/jre/lib/security/ path of your installed JDK. Use keytool to import your private CA certificates into the jssecacerts file.

The Spark Upload Jar command fails in a secure cluster

The Spark Upload Jar command fails in a secure cluster.

Cloudera Bug: OPSAPS-19856

Workaround: To run Spark on YARN, manually upload the Spark assembly jar to HDFS /user/spark/share/lib. The Spark assembly jar is located on the local filesystem, typically in /usr/lib/spark/assembly/lib or /opt/cloudera/parcels/CDH/lib/spark/assembly/lib.

Clients of the JobHistory Server Admin Interface Require Advanced Configuration Snippet

Clients of the JobHistory server administrative interface, such as the mapred hsadmin tool, may fail to connect to the server when run on hosts other than the one where the JobHistory server is running.

Cloudera Bug: OPSAPS-20347

Workaround: Add the following to both the MapReduce Client Advanced Configuration Snippet for mapred-site.xml and the Cluster-wide Advanced Configuration Snippet for core-site.xml, replacing JOBHISTORY_SERVER_HOST with the hostname of your JobHistory server:
<property>
<name>mapreduce.history.admin.address</name>
<value>JOBHISTORY_SERVER_HOST:10033</value>
</property>

Issues Fixed in Cloudera Manager 5.1.7

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Issues Fixed in Cloudera Manager 5.1.6

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is a backlog of audit logs), it starves the main Agent thread. As a result, the main Agent thread stops sending heartbeats and stops responding to commands from the Cloudera Manager Server.

Fixed Issues in Cloudera Manager 5.1.5

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

Permissions set incorrectly on YARN Keytab files

Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.

Cloudera Bug: OPSAPS-25390, TSB-48

Fixed Issues in Cloudera Manager 5.1.4

“POODLE” vulnerability on TLS/SSL enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.1.4 provides these changes for Cloudera Manager 5.1.x deployments. All Cloudera Manager 5.1.x users should upgrade to 5.1.4 as soon as possible. For more information, see the Cloudera Security Bulletin.

Issues Fixed in Cloudera Manager 5.1.3

Improved speed and heap usage when deleting hosts on cluster with long history

Speed and heap usage have been improved when deleting hosts on clusters that have been running for a long time.

When there are multiple clusters, each cluster's topology files and topology validation are limited to hosts in that cluster

When there are multiple clusters, each cluster's topology files and the validation of its topology are limited to hosts in that cluster. Most commands will now fail up front if the cluster's topology is invalid.

The size of the statement cache has been reduced for Oracle databases

For users of Oracle databases, the size of the statement cache has been reduced to help with memory consumption.

Improvements to memory usage of "cluster diagnostics collection" for large clusters.

Memory usage of "cluster diagnostics collection" has been improved for large clusters.

Issues Fixed in Cloudera Manager 5.1.2

If a NodeManager that is used as ApplicationMaster is decommissioned, YARN jobs will hang

Cloudera Bug: OPSAPS-21797

Jobs can hang on NodeManager decommission due to a race condition when continuous scheduling is enabled.

Workaround:
  1. Go to the YARN service.
  2. Expand the ResourceManager Default Group > Resource Management category.
  3. Uncheck the Enable Fair Scheduler Continuous Scheduling checkbox.
  4. Click Save Changes to commit the changes.
  5. Restart the YARN service.

Could not find a healthy host with CDH 5 on it to create HiveServer2 error during upgrade

When upgrading from CDH 4 to CDH 5, if no parcel is active then the error message "Could not find a healthy host with CDH5 on it to create HiveServer2" displays. This can happen when transitioning from packages to parcels, or if you explicitly deactivate the CDH 4 parcel (which is not necessary) before upgrade.

Workaround: Wait 30 seconds and retry the upgrade.

Cloudera Bug: OPSAPS-21942

AWS installation wizard requires Java 7u45 to be installed on Cloudera Manager Server host

Cloudera Manager 5.1 installs Java 7u55 by default. However, the AWS installation wizard does not work with Java 7u55 due to a bug in the jClouds version packaged with Cloudera Manager.

Workaround:
  1. Stop the Cloudera Manager Server.
    sudo service cloudera-scm-server stop
  2. Uninstall Java 7u55 from the Cloudera Manager Server host.
  3. Install Java 7u45 (which you can download from http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u45-oth-JPR) on the Cloudera Manager Server host.
  4. Start the Cloudera Manager Server.
    sudo service cloudera-scm-server start
  5. Run the AWS installation wizard.

Cloudera Bug: OPSAPS-21855

The YARN property ApplicationMaster Max Retries has no effect in CDH 5

The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.

Cloudera Bug: OPSAPS-21797; KI added Cloudera Manager 5.1.0

Workaround:
  1. Add the following to ResourceManager Advanced Configuration Snippet for yarn-site.xml, replacing MAX_ATTEMPTS with the desired maximum number of attempts:
    <property>
    <name>yarn.resourcemanager.am.max-attempts</name><value>MAX_ATTEMPTS</value>
    </property>
  2. Restart the ResourceManager(s) to pick up the change.

(BDR) Replications can be affected by other replications or commands running at the same time

Replications can be affected by other replications or commands running at the same time, causing replications to fail unexpectedly or even be silently skipped sometimes. When this occurs, a StaleObjectException is logged to the Cloudera Manager logs. This is known to occur even with as few as four replications starting at the same time.

Cloudera Bug: OPSAPS-21918

Issues Fixed in Cloudera Manager 5.1.1

Checking "Install Java Unlimited Strength Encryption Policy Files" During Add Cluster or Add/Upgrade Host Wizard on RPM based distributions if JDK 7 or above is pre-installed will cause Cloudera Manager and CDH to fail

If you have manually installed Oracle's official JDK 7 or 8 rpm on a host (or hosts), and check the Install Java Unlimited Strength Encryption Policy Files checkbox in the Add Cluster or Add Host wizard when installing Cloudera Manager on that host (or hosts), or when upgrading Cloudera Manager to 5.1, Cloudera Manager installs JDK 6 policy files, which will prevent any Java programs from running against that JDK. Additionally, if this situation does apply, Cloudera Manager/CDH will also choose that particular Java as the default to run against, meaning that Cloudera Manager/CDH fail to start, throwing the following message in logs: Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!.

Workaround: Do not select the Install Java Unlimited Strength Encryption Policy Files checkbox during the aforementioned wizards. Instead download and install them manually, following the instructions on Oracle's website.

Cloudera Bug: OPSAPS-21914

Issues Fixed in Cloudera Manager 5.1.0

Changes to property for yarn.nodemanager.remote-app-log-dir are not included in the JobHistory Server yarn-site.xml and Gateway yarn-site.xml

When "Remote App Log Directory" is changed in the YARN configuration, the property yarn.nodemanager.remote-app-log-dir is not included in the JobHistory Server yarn-site.xml and Gateway yarn-site.xml.

Cloudera Bug: OPSAPS-20906; KI added Cloudera Manager 5.0.1

Workaround: Set JobHistory Server Advanced Configuration Snippet (Safety Valve) for yarn-site.xml and YARN Client Advanced Configuration Snippet (Safety Valve) for yarn-site.xml to:
<property>
<name>yarn.nodemanager.remote-app-log-dir</name>
<value>/path/to/logs</value>
</property>

Secure CDH 4.1 clusters cannot have Hue and Impala share the same Hive

In a secure CDH 4.1 cluster, Hue and Impala cannot share the same Hive instance. If "Bypass Hive Metastore Server" is disabled on the Hive service, then Hue will not be able to talk to Hive. Conversely, if "Bypass Hive Metastore Server" is enabled on the Hive service, then Impala will have a validation error.

Cloudera Bug: OPSAPS-20482

Severity: High

Workaround: Upgrade to CDH 4.2.

The command history has an option to select the number of commands, but does not always return the number you request

Cloudera Bug: OPSAPS-17243

Workaround: None.

Hue does not support YARN ResourceManager High Availability

Cloudera Bug: OPSAPS-18473

Workaround: Configure the Hue Server to point to the active ResourceManager:
  1. Go to the Hue service.
  2. Click the Configuration tab.
  3. Select Scope > Hue or Hue Service-Wide.
  4. Select Category > Advanced.
  5. Locate the Hue Server Advanced Configuration Snippet (Safety Valve) for hue_safety_valve_server.ini property or search for it by typing its name in the Search box.
  6. In the Hue Server Advanced Configuration Snippet for hue_safety_valve_server.ini field, add the following:
    [hadoop]
    [[ yarn_clusters ]]
    [[[default]]]
    resourcemanager_host=<hostname of active ResourceManager>
    resourcemanager_api_url=http://<hostname of active resource manager>:<web port of active resource manager>
    proxy_api_url=http://<hostname of active resource manager>:<web port of active resource manager>
    The default web port of Resource Manager is 8088.
  7. Click Save Changes to have these configurations take effect.
  8. Restart the Hue service.

Cloudera Manager does not support encrypted shuffle.

Encrypted shuffle has been introduced in CDH 4.1, but it is not currently possible to enable it through Cloudera Manager.

Cloudera Bug: OPSAPS-8480

Severity: Medium

Workaround: None.

Hive CLI does not work in CDH 4 when "Bypass Hive Metastore Server" is enabled

Hive CLI does not work in CDH 4 when "Bypass Hive Metastore Server" is enabled.

Cloudera Bug: OPSAPS-20721

Workaround: Configure Hive and disable the "Bypass Hive Metastore Server" option.

Alternatively, an approach can be taken that will cause the "Hive Auxiliary JARs Directory" to not work, but will enable basic Hive commands to work. Add the following to "Gateway Client Environment Advanced Configuration Snippet for hive-env.sh," then re-deploy the Hive client configuration:

HIVE_AUX_JARS_PATH=""
AUX_CLASSPATH=/usr/share/java/mysql-connector-java.jar:/usr/share/java/oracle-connector-java.jar:$(find /usr/share/cmf/lib/postgresql-jdbc.jar 2> /dev/null | tail -n 1)

Incorrect Absolute Path to topology.py in Downloaded YARN Client Configuration

The downloaded client configuration for YARN includes the topology.py script. The location of this script is given by the net.topology.script.file.name property in core-site.xml. But the core-site.xml file downloaded with the client configuration has an incorrect absolute path to /etc/hadoop/... for topology.py. This can cause clients that run against this configuration to fail (including Spark clients run in yarn-client mode, as well as YARN clients).

Cloudera Bug: OPSAPS-20337

Workaround: Edit core-site.xml to change the value of the net.topology.script.file.name property to the path where the downloaded copy of topology.py is located. This property must be set to an absolute path.

search_bind_authentication for Hue is not included in .ini file

When search_bind_authentication is set to false, Cloudera Manager does not include it in hue.ini.

Cloudera Bug: OPSAPS-20926

Workaround: Add the following to the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini:
[desktop]
[[ldap]]
search_bind_authentication=false

Erroneous warning displayed on the HBase configuration page on CDH 4.1 in Cloudera Manager 5.0.0

An erroneous "Failed parameter validation" warning is displayed on the HBase configuration page on CDH 4.1 in Cloudera Manager 5.0.0.

Severity: Low

Cloudera Bug: OPSAPS-20310

Workaround: Use CDH 4.2 or higher, or ignore the warning.

Host recommissioning and decommissioning should occur independently

In large clusters, when problems appear with a host or role, administrators may choose to decommission the host or role to fix it and then recommission the host or role to put it back in production. Decommissioning, especially host decommissioning, is slow, hence the importance of parallelization, so that host recommissioning can be initiated before decommissioning is done.

Cloudera Bug: OPSAPS-19055

Fixed Issues in Cloudera Manager 5.0.8

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Fixed Issues in Cloudera Manager 5.0.7

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is a backlog of audit logs), it starves the main Agent thread. As a result, the main Agent thread stops sending heartbeats and stops responding to commands from the Cloudera Manager Server.

Fixed Issues in Cloudera Manager 5.0.6

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Cloudera Bug: OPSAPS-25966

Fixed Issues in Cloudera Manager 5.0.5

“POODLE” vulnerability on TLS/SSL enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.0.5 provides these changes for Cloudera Manager 5.0.x deployments. All Cloudera Manager 5.0.x users should upgrade to 5.0.5 as soon as possible. For more information, see the Cloudera Security Bulletin.

Issues Fixed in Cloudera Manager 5.0.2

Cloudera Manager Impala Query Monitoring does not work with Impala 1.3.1

Impala 1.3.1 contains changes to the runtime profile format that break the Cloudera Manager Query Monitoring feature. This leads to exceptions in the Cloudera Manager Service Monitor logs, and Impala queries no longer appear in the Cloudera Manager UI or API. The issue affects Cloudera Manager 5.0 and 4.6 - 4.8.2.

Cloudera Bug: OPSAPS-20744; KI added Cloudera Manager 5.0.1

Workaround: None. The issue will be fixed in Cloudera Manager 4.8.3 and Cloudera Manager 5.0.1. To avoid the Service Monitor exceptions, turn off the Cloudera Manager Query Monitoring feature by going to Impala Daemon > Monitoring and setting the Query Monitoring Period to 0 seconds. Note that the Impala Daemons must be restarted when changing this setting, and the setting must be restored once the fix is deployed to turn the query monitoring feature back on. Impala queries will then appear again in Cloudera Manager’s Impala query monitoring feature.

Issues Fixed in Cloudera Manager 5.0.1

Upgrade from Cloudera Manager 5.0.0 beta 1 or beta 2 to Cloudera Manager 5.0.0 requires assistance from Cloudera Support

Contact Cloudera Support before upgrading from Cloudera Manager 5.0.0 beta 1 or beta 2 to Cloudera Manager 5.0.0.

Cloudera Bug: OPSAPS-19894

Workaround: Contact Cloudera Support.

Failure of HDFS Replication between clusters with YARN

HDFS replication between clusters in different Kerberos realms fails when using YARN if the target cluster is CDH 5.

Cloudera Bug: OPSAPS-19930

Workaround: Use MapReduce (MRv1) instead of YARN.

If installing CDH 4 packages, the Impala 1.3.0 option does not work because Impala 1.3 is not yet released for CDH 4.

If installing CDH 4 packages, the Impala 1.3.0 option listed in the install wizard does not work because Impala 1.3.0 is not yet released for CDH 4.

Cloudera Bug: OPSAPS-20406

Workaround: Install using parcels (where the unreleased version of Impala does not appear), or select a different version of Impala when installing with packages.

When updating dynamic resource pools, Cloudera Manager updates roles but may fail to update role information displayed in the UI

When updating dynamic resource pools, Cloudera Manager automatically refreshes the affected roles, but they sometimes get marked incorrectly as running with outdated configurations and requiring a refresh.

Cloudera Bug: OPSAPS-19863

Workaround: Invoke the Refresh Cluster command from the cluster actions drop-down menu.

Upgrade of secure cluster requires installation of JCE policy files

When upgrading a secure cluster via Cloudera Manager, the upgrade initially fails due to the JDK not having Java Cryptography Extension (JCE) unlimited strength policy files. This is because Cloudera Manager installs a copy of the Java 7 JDK during the upgrade, which does not include the unlimited strength policy files. To ensure that unlimited strength functionality continues to work, install the unlimited strength JCE policy files immediately after completing the Cloudera Manager Upgrade Wizard and before taking any other actions in Cloudera Manager.

Cloudera Bug: OPSAPS-18641

Workaround: Install the unlimited strength JCE policy files immediately after completing the Cloudera Manager Upgrade Wizard and before taking any other action in Cloudera Manager.

The Details page for MapReduce jobs displays the wrong id for YARN-based replications

The Details link for MapReduce jobs is wrong for YARN-based replications.

Cloudera Bug: OPSAPS-19874

Workaround: Find the job id in the link and then go to the YARN Applications page and look for the job there.

Reset non-default HDFS File Block Storage Location Timeout value after upgrade from CDH 4 to CDH 5

During an upgrade from CDH 4 to CDH 5, if the HDFS File Block Storage Locations Timeout was previously set to a custom value, it will now be set to 10 seconds or the custom value, whichever is higher. This is required for Impala to start in CDH 5, and any value under 10 seconds is now a validation error. This configuration is only emitted for Impala and no services should be adversely impacted.

Cloudera Bug: OPSAPS-20515

Workaround: None.

HDFS NFS gateway works only on RHEL and similar systems

HDFS NFS gateway works as shipped ("out of the box") only on RHEL-compatible systems, but not on SLES, Ubuntu, or Debian. Because of a bug in native versions of portmap/rpcbind, the HDFS NFS gateway does not work out of the box on SLES, Ubuntu, or Debian systems when CDH has been installed from the command-line, using packages. It does work on supported versions of RHEL-compatible systems on which rpcbind-0.2.0-10.el6 or later is installed, and it does work if you use Cloudera Manager to install CDH, or if you start the gateway as root. For more information, see supported versions.

Bug: 731542 (Red Hat), 823364 (SLES), 594880 (Debian)

Workarounds and caveats:
  • On Red Hat and similar systems, make sure rpcbind-0.2.0-10.el6 or later is installed.
  • On SLES, Debian, and Ubuntu systems, do one of the following:
    • Install CDH using Cloudera Manager; or
    • As of CDH 5.1, start the NFS gateway as root; or
    • Start the NFS gateway without using packages; or
    • You can use the gateway by running rpcbind in insecure mode, using the -i option, but keep in mind that this allows anyone from a remote host to bind to the portmap.

Sensitive configuration values exposed in Cloudera Manager

Certain configuration values that are stored in Cloudera Manager are considered sensitive, such as database passwords. These configuration values should be inaccessible to non-administrator users, and this is enforced in the Cloudera Manager Administration Console. However, these configuration values are not redacted when they are read through the API, possibly making them accessible to users who should not have such access.

Cloudera Bug: OPSAPS-20782

Gateway role configurations not respected when deploying client configurations

Gateway configurations set for gateway role groups other than the default one or at the role level were not being respected.

Cloudera Bug: OPSAPS-9853

Documentation reflects requirement to enable at least Level 1 encryption before enabling Kerberos authentication

Cloudera Security documentation now indicates that before enabling Kerberos authentication you should first enable at least Level 1 encryption. For more information see Cloudera Security.

HDFS NFS gateway does not work on all Cloudera-supported platforms

The NFS gateway cannot be started on some Cloudera-supported platforms.

Cloudera Bug: OPSAPS-19957

Workaround: None. Fixed in Cloudera Manager 5.0.1.

Replace YARN_HOME with HADOOP_YARN_HOME during upgrade

If yarn.application.classpath was set to a non-default value on a CDH 4 cluster, and that cluster is upgraded to CDH 5, the classpath is not updated to reflect that $YARN_HOME was replaced with $HADOOP_YARN_HOME. This will cause YARN jobs to fail.

Cloudera Bug: OPSAPS-20348

Workaround: Reset yarn.application.classpath to the default, then re-apply your classpath customizations if needed.

Insufficient password hashing in Cloudera Manager

In versions of Cloudera Manager earlier than 4.8.3 and earlier than 5.0.1, user passwords are only hashed once. Passwords should be hashed multiple times to increase the cost of dictionary-based attacks, where an attacker tries many candidate passwords to find a match. The issue only affects user accounts that are stored in the Cloudera Manager database. User accounts that are managed externally (for example, with LDAP or Active Directory) are not affected.

In addition, because of this issue, Cloudera Manager 4.8.3 cannot be upgraded to Cloudera Manager 5.0.0. Cloudera Manager 4.8.3 must be upgraded to 5.0.1 or later.

Cloudera Bug: OPSAPS-20537

Workaround: Upgrade to Cloudera Manager 5.0.1.
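
The difference between a hashed-once record and an iterated one, shown as an added example that is not Cloudera Manager's code. The page does not name the hash function Cloudera Manager uses, so SHA-256, PBKDF2-HMAC-SHA256, the 200,000 iteration count, and the record format below are assumptions; the example also shows how a hashed-once record can be upgraded at the next successful login.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000   # assumed work factor for this example; tune to your hardware
LEGACY = "sha256x1"           # hypothetical label for the hashed-once record format
CURRENT = "pbkdf2_sha256"     # hypothetical label for the iterated record format


def hash_legacy(password: str, salt: bytes) -> str:
    """Hashed-once record: one salted SHA-256, so each guess costs one hash."""
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return f"{LEGACY}$1${salt.hex()}${digest}"


def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Iterated record: each guess costs `iterations` HMAC-SHA256 rounds."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{CURRENT}${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the record with the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_hex, _ = record.split("$")
        salt = bytes.fromhex(salt_hex)
        if scheme == LEGACY:
            candidate = hash_legacy(password, salt)
        elif scheme == CURRENT:
            candidate = hash_password(password, salt, int(iterations))
        else:
            return False
    except ValueError:        # malformed record: wrong field count, bad hex or count
        return False
    return hmac.compare_digest(candidate, record)


def needs_rehash(record: str) -> bool:
    """True for hashed-once records and for iterated records below the current cost."""
    scheme, iterations, _, _ = record.split("$")
    return scheme != CURRENT or int(iterations) < PBKDF2_ITERATIONS


def login(password: str, record: str) -> tuple[bool, str]:
    """Verify, then upgrade a weak record while the plaintext is still in hand."""
    if not verify(password, record):
        return False, record
    if needs_rehash(record):
        record = hash_password(password)   # fresh salt, current iteration count
    return True, record
```

The caller stores the record returned by `login`, so accounts that never log in keep the hashed-once format and stay exposed until their passwords are reset.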

Upgrade to Cloudera Manager 5.0.0 from SLES older than Service Pack 3 with PostgreSQL older than 8.4 fails

Upgrading to Cloudera Manager 5.0.0 from SUSE Linux Enterprise Server (SLES) older than Service Pack 3 will fail if the embedded PostgreSQL database is in use and the installed version of PostgreSQL is less than 8.4.

Cloudera Bug: OPSAPS-20696

Workaround: Either migrate away from the embedded PostgreSQL database (use MySQL or Oracle) or upgrade PostgreSQL to 8.4 or greater.

MR1 to MR2 import fails on a secure cluster

When running the MR1 to MR2 import on a secure cluster, YARN jobs will fail to find container-executor.cfg.

Cloudera Bug: OPSAPS-18657

Workaround: Restart YARN after the import.

After upgrade from CDH 4 to CDH 5, Oozie is missing workflow extension schemas

After an upgrade from CDH 4 to CDH 5, Oozie does not pick up the new workflow extension schemas automatically. Users need to update oozie.service.SchemaService.wf.ext.schemas manually and add the schemas added in CDH 5: shell-action-0.3.xsd, sqoop-action-0.4.xsd, distcp-action-0.2.xsd, oozie-sla-0.1.xsd, oozie-sla-0.2.xsd. Note: None of the existing jobs are affected by this bug, only new workflows that require the new schemas.

Cloudera Bug: OPSAPS-20246

Workaround: Add the new workflow extension schemas to Oozie manually by editing oozie.service.SchemaService.wf.ext.schemas.

Issues Fixed in Cloudera Manager 5.0.0

HDFS replication does not work from CDH 5 to CDH 4 with different realms

HDFS replication does not work from CDH 5 to CDH 4 with different realms. This is because authentication fails for services in a non-default realm via the WebHdfs API due to a JDK bug. This has been fixed in JDK6-u34 (b03) and in JDK7.

Cloudera Bug: OPSAPS-2017

Workaround: Use JDK 7 or upgrade JDK6 to at least version u34.

The Sqoop Upgrade command in Cloudera Manager may report success even when the upgrade fails

Cloudera Bug: CDH-17316

Workaround: Do one of the following:
  • Check the command output from the Sqoop server role:
    1. Click the Sqoop service and then the Instances tab.
    2. Click the Sqoop server role then the Commands tab.
    3. Click the stdout link and scan for the Sqoop Upgrade command.
  • In the All Recent Commands page, select the stdout link for the latest Sqoop Upgrade command.
Verify that the upgrade did not fail.

Cannot restore a snapshot of a deleted HBase table

If you take a snapshot of an HBase table, and then delete that table in HBase, you will not be able to restore the snapshot.

Cloudera Bug: OPSAPS-16881

Severity: Med

Workaround: Use the "Restore As" command to recreate the table in HBase.

Stop dependent HBase services before enabling HDFS Automatic Failover.

When enabling HDFS Automatic Failover, you need to first stop any dependent HBase services. The Automatic Failover configuration workflow restarts both NameNodes, which could cause HBase to become unavailable.

Cloudera Bug: OPSAPS-9645

Severity: Medium

New schema extensions have been introduced for Oozie in CDH 4.1

In CDH 4.1, Oozie introduced new versions for Hive, Sqoop and workflow schema. To use them, you must add the new schema extensions to the Oozie SchemaService Workflow Extension Schemas configuration property in Cloudera Manager.

Cloudera Bug: OPSAPS-10021

Severity: Low

Workaround: In Cloudera Manager, do the following:

  1. Go to the CDH 4 Oozie service page.
  2. Go to the Configuration tab, View and Edit.
  3. Search for "Oozie Schema". This should show the Oozie SchemaService Workflow Extension Schemas property.
  4. Add the following to the Oozie SchemaService Workflow Extension Schemas property:
    shell-action-0.2.xsd 
    hive-action-0.3.xsd 
    sqoop-action-0.3.xsd
  5. Save these changes.

YARN Resource Scheduler uses FairScheduler rather than FIFO.

Cloudera Manager 5.0.0 sets the default YARN Resource Scheduler to FairScheduler. If a cluster was previously running YARN with the FIFO scheduler, it will be changed to FairScheduler next time YARN restarts. The FairScheduler is only supported with CDH4.2.1 and later, and older clusters may hit failures and need to manually change the scheduler to FIFO or CapacityScheduler.

Cloudera Bug: OPSAPS-13335

Severity: Medium

Workaround: For clusters running CDH 4 prior to CDH 4.2.1:
  1. Go to the YARN service Configuration page.
  2. Search for "scheduler.class".
  3. Click in the Value field and select the scheduler you want to use.
  4. Save your changes and restart YARN to update your configurations.

Resource Pools Summary is incorrect if time range is too large.

The Resource Pools Summary does not show correct information if the Time Range selector is set to show 6 hours or more.

Cloudera Bug: OPSAPS-16018

Severity: Medium

Workaround: None.

When running the MR1 to MR2 import on a secure cluster, YARN jobs will fail to find container-executor.cfg

Cloudera Bug: OPSAPS-18657

Workaround: Restart YARN after the import steps finish. This causes the file to be created under the YARN configuration path, and the jobs now work.

When upgrading to Cloudera Manager 5.0.0, the "Dynamic Resource Pools" page is not accessible

When upgrading to Cloudera Manager 5.0.0, users will not be able to directly access the "Dynamic Resource Pools" page. Instead, they will be presented with a dialog saying that the Fair Scheduler XML Advanced Configuration Snippet is set.

Cloudera Bug: OPSAPS-18768

Workaround:
  1. Go to the YARN service.
  2. Click the Configuration tab.
  3. Select Scope > Resource Manager or YARN Service-Wide.
  4. Select Category > Advanced.
  5. Locate the Fair Scheduler XML Advanced Configuration Snippet property or search for it by typing its name in the Search box.
  6. Copy the value of the Fair Scheduler XML Advanced Configuration Snippet into a file.
  7. Clear the value of Fair Scheduler XML Advanced Configuration Snippet.
  8. Recreate the desired Fair Scheduler allocations in the Dynamic Resource Pools page, using the saved file for reference.

New Cloudera Enterprise licensing is not reflected in the wizard and license page

Cloudera Bug: OPSAPS-18241

Workaround: None.

The AWS Cloud wizard fails to install Spark due to missing roles

Cloudera Bug: OPSAPS-18937

Workaround: Do one of the following:
  • Use the Installation wizard.
  • Open a new window, click the Spark service, click on the Instances tab, click Add, add all required roles to Spark. Once the roles are successfully added, click the Retry button in the Installation wizard.

Spark on YARN requires manual configuration

Spark on YARN requires the following manual configuration to work correctly: modify the YARN Application Classpath by adding /etc/hadoop/conf, making it the very first entry.

Cloudera Bug: OPSAPS-19788

Workaround: Add /etc/hadoop/conf as the first entry in the YARN Application classpath.

Monitoring works with Solr and Sentry only after configuration updates

Cloudera Manager monitoring does not work out of the box with Solr and Sentry on Cloudera Manager 5. The Solr service is in Bad health, and all Solr Servers have a failing "Solr Server API Liveness" health check.

Cloudera Bug: OPSAPS-18152

Severity: Medium

Workaround: Complete the configuration steps below:

  1. Create "HTTP" user and group on all machines in the cluster (with useradd 'HTTP' on RHEL-type systems).
  2. The instructions that follow this step assume that no Solr Sentry policy file is already in use. In that case, first create the policy file in /tmp and then copy it to the location in HDFS that the Solr Servers check. If a Solr Sentry policy file is already in use, modify it to add the following [groups] / [roles] entries for 'HTTP'. Create a file (for example, /tmp/cm-authz-solr-sentry-policy.ini) with the following contents:
    [groups]
    HTTP = HTTP
    [roles]
    HTTP = collection = admin->action=query
  3. Copy this file to the location for the "Sentry Global Policy File" for Solr. The associated config name for this location is sentry.solr.provider.resource, and you can see the current value by navigating to the Sentry sub-category in the Service Wide configuration editing workflow in the Cloudera Manager UI. The default value for this entry is /user/solr/sentry/sentry-provider.ini. This refers to a path in HDFS.
  4. Check whether the parent directories exist in HDFS:
    sudo -u hdfs hadoop fs -ls /user
  5. You may need to create the appropriate parent directories if they are not present. For example:
    sudo -u hdfs hadoop fs -mkdir /user/solr/sentry
  6. After ensuring the parent directory is present, copy the file created in step 2 to this location, as follows:
    sudo -u hdfs hadoop fs -put /tmp/cm-authz-solr-sentry-policy.ini /user/solr/sentry/sentry-provider.ini
  7. Ensure that this file is owned/readable by the solr user (this is what the Solr Server runs as):
    sudo -u hdfs hadoop fs -chown solr /user/solr/sentry/sentry-provider.ini
  8. Restart the Solr service. If both Kerberos and Sentry are being enabled for Solr, the MGMT services also need to be restarted. The Solr Server liveness health checks should clear up once SMON has had a chance to contact the servers and retrieve metrics.

Out-of-memory errors may occur when using the Reports Manager

Out-of-memory errors may occur when using the Cloudera Manager Reports Manager.

Cloudera Bug: OPSAPS-19980

Workaround: Set the value of the "Java Heap Size of Reports Manager" property to at least the size of the HDFS filesystem image (fsimage) and restart the Reports Manager.

Applying license key using Internet Explorer 9 and Safari fails

Cloudera Manager is designed to work with IE 9 and above and Safari. However, the file upload widget used to upload a license currently does not work with IE 9 or Safari. Therefore, installing an enterprise license does not work.

Cloudera Bug: OPSAPS-17223

Workaround: Use another supported browser.

Issues Fixed in Cloudera Manager 5.0.0 Beta 2

The Sqoop Upgrade command in Cloudera Manager may report success even when the upgrade fails

Cloudera Bug: OPSAPS-18924

Workaround: Do one of the following:
  • Check the command output from the Sqoop server role:
    1. Click the Sqoop service and then the Instances tab.
    2. Click the Sqoop server role then the Commands tab.
    3. Click the stdout link and scan for the Sqoop Upgrade command.
  • In the All Recent Commands page, select the stdout link for the latest Sqoop Upgrade command.
Verify that the upgrade did not fail.

The HDFS Canary Test is disabled for secured CDH 5 services.

Due to a bug in Hadoop's handling of multiple RPC clients with distinct configurations within a single process with Kerberos security enabled, Cloudera Manager will disable the HDFS canary test when security is enabled so as to prevent interference with Cloudera Manager's MapReduce monitoring functionality.

Cloudera Bug: OPSAPS-16537

Severity: Medium

Workaround: None

Not all monitoring configurations are migrated from MR1 to MR2.

When MapReduce v1 configurations are imported for use by YARN (MR2), not all of the monitoring configuration values are currently migrated. Users may need to reconfigure custom values for properties such as thresholds.

Cloudera Bug: OPSAPS-16211

Severity: Medium

Workaround: Manually reconfigure any missing property values.

"Access Denied" may appear for some features after adding a license or starting a trial.

After starting a 60-day trial or installing a license for Enterprise Edition, you may see an "access denied" message when attempting to access certain Enterprise Edition-only features such as the Reports Manager. You need to log out of the Admin Console and log back in to access these features.

Cloudera Bug: OPSAPS-16686

Severity: Low

Workaround: Log out of the Admin Console and log in again.

Hue must set impersonation on when using Impala with impersonation.

When using Impala with impersonation, the impersonation_enabled flag must be present and configured in the hue.ini file. If impersonation is enabled in Impala (in other words, if Impala is using Sentry), this flag must be set to true. If Impala is not using impersonation, it should be set to false (the default).

Cloudera Bug: OPSAPS-16011

Workaround: Set advanced configuration snippet value for hue.ini as follows:
  1. Go to the Hue Service Configuration Advanced Configuration Snippet for hue_safety_valve.ini under the Hue service Configuration settings, Service-Wide > Advanced category.
  2. Add the following, then uncomment the setting and set the value True or False as appropriate:
    #################################################################
    # Settings to configure Impala
    #################################################################
    
    [impala]
      ....
      # Turn on/off impersonation mechanism when talking to Impala
      ## impersonation_enabled=False

Cloudera Manager Server may fail to start when upgrading using a PostgreSQL database.

If you're upgrading to Cloudera Manager 5.0.0 beta 1 and you're using a PostgreSQL database, the Cloudera Manager Server may fail to start with a message similar to the following:
ERROR [main:dbutil.JavaRunner@57] Exception while executing
com.cloudera.cmf.model.migration.MigrateConfigRevisions 
java.lang.RuntimeException: java.sql.SQLException: Batch entry <xxx> insert into REVISIONS 
(REVISION_ID, OPTIMISTIC_LOCK_VERSION, USER_ID, TIMESTAMP, MESSAGE) values (...) 
was aborted. Call getNextException to see the cause.

Cloudera Bug: OPSAPS-16971

Workaround: Use psql to connect directly to the server's database and issue the following SQL command:
alter table REVISIONS alter column MESSAGE type varchar(1048576);
After that, your Cloudera Manager server should start up normally.

Issues Fixed in Cloudera Manager 5.0.0 Beta 1

After an upgrade from Cloudera Manager 4.6.3 to 4.7, Impala does not start.

After an upgrade from Cloudera Manager 4.6.3 to 4.7 when Navigator is used, Impala will fail to start because the Audit Log Directory property has not been set by the upgrade procedure.

Cloudera Bug: OPSAPS-15333; added with Cloudera Manager 4.7.0

Severity: Low.

Workaround: Manually set the property to /var/log/impalad/audit. See Configuring Service Auditing Properties for more information.