Fixed Issues in Cloudera Manager 6.0.0

The following sections describe the issues fixed in the Cloudera Manager 6.0.0 release:

Open Redirect and XSS in Cloudera Manager

Technical Service Bulletin 2018-321 (TSB)

One type of page in Cloudera Manager uses a returnUrl parameter to redirect the user to another page in Cloudera Manager once a wizard is completed. The validity of this parameter was not checked. As a result, the user could be automatically redirected to an attacker’s external site, or a malicious JavaScript function could be executed, resulting in cross-site scripting (XSS).

With this fix, Cloudera Manager no longer allows any value in the returnUrl parameter with patterns such as http://, https://, //, or javascript. The only exceptions to this rule are the SAML login/logout URLs, since they are explicitly configured and are not passed via the returnUrl parameter.

Products affected: Cloudera Manager

Releases affected:

  • 5.15.0 and all earlier releases

Users affected: The following Cloudera Manager roles: “cluster administrator”, “full administrators”, and “configurators”.

Date/time of detection: June 20, 2018

Detected by: Mohit Rawat & Ekta Mittal

Severity (Low/Medium/High): 8.8 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Impact: Open redirects can silently redirect a victim to an attacker’s site. XSS vulnerabilities can be used to steal credentials or to perform arbitrary actions as the targeted user.

CVE: CVE-2018-15913

Immediate action required: Upgrade to Cloudera Manager 5.15.1 or higher

Addressed in release/refresh/patch:

  • Cloudera Manager 5.15.1 and higher
  • Cloudera Manager 6.0.0

Hard Restart of Cloudera Manager Agents May Cause Subsequent Service Errors

If a “hard restart” or “hard stop” operation is performed on a Cloudera Manager Agent, the restarted agent will erroneously restart roles that existed prior to the restart and, subsequently, 60 days later, these roles may experience errors or be killed.

Affected Versions: All versions of Cloudera Manager 5.x

Cloudera Issue: OPSAPS-43550, TSB-308

Knowledge base: For the latest update on this issue, see the corresponding Knowledge article: TSB 2018-308: Hard Restart of Cloudera Manager Agents May Cause Subsequent Service Errors

Logging issue slows down Backup and Disaster Recovery Hive and HDFS Replication jobs

Fixed the issue described in TSB-289. For more information, see the TSB.

Cloudera Issue: OPSAPS-44160

Cloudera Manager upgrade workflow incorrectly requires deploying some optional management roles

Fixed the issue described in TSB-290 where you could not proceed through the upgrade process without adding certain optional management roles. For more information, see TSB-290.

Cloudera Issue: OPSAPS-44629

Microsoft Azure Credentials in Log Files

Fixed an issue where Microsoft Azure credentials might appear in Hive audit logs.

Cloudera Issue: CDH-56241

Non-production installation of Cloudera Manager on SLES 12 does not work

Fixed an issue where the non-production installation of Cloudera Manager did not work on SLES 12.

Impala and Kudu logs missing from diagnostic bundle

Fixed an issue where Impala and Kudu logs were missing from the diagnostic bundle if their log directories have broken symlinks.

Cloudera Issue: OPSAPS-41194

Services die due to HDFS taking too long to start

Fixed an issue where HDFS takes a long time to come up after a restart, causing some dependent services to fail to start.

Cloudera Issue: CDH-54889

Instances and Hosts page refresh when a command dialog is closed

Fixed an issue where the Instances and All Hosts pages reloaded when a command finished.

Cloudera Issue: OPSAPS-45761

Spark cross-realm authentication fails

Spark now correctly respects auth_to_local name rules for HDFS services with cross-realm trust configured.

Cloudera Issue: OPSAPS-46103

Error "Mismatched input PATTERN expecting EOF" on the detailUsage page for the Resource Manager

Fixed an issue where the user saw the error message "Mismatched input PATTERN expecting EOF" on this page.

Cloudera Issue: OPSAPS-42437

Upgrading a license finishes on the wrong page

The Enable Trial workflow previously ended up on the upgrade page. Now it goes to the Home page upon completion.

Cloudera Issue: OPSAPS-45444

Open Redirect in Cloudera Manager Add Service

Fixed an issue where Cloudera Manager redirected to arbitrary URLs upon the completion of a workflow. Cloudera Manager now limits the redirect to paths on the same host and port.

Cloudera Issue: OPSAPS-46681
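A validator of the kind the two open-redirect fixes above describe (TSB 2018-321 and OPSAPS-46681), written as an added Python example and not Cloudera Manager's own code: it rejects the patterns named in the bulletin and accepts only an absolute path on the same host/port. The function names, the fallback landing page and the extra scheme, backslash and control-character checks are assumptions of this example, not details from the release notes.

```python
from urllib.parse import urlsplit

# Added example (not Cloudera's code): validates a returnUrl-style parameter so
# that a post-wizard redirect can only land on a path on the same host/port.
# The rejected patterns (http://, https://, //, javascript) follow the TSB text;
# the scheme/netloc, backslash and control-character checks are extra hardening.

DEFAULT_LANDING_PAGE = "/cmf/home"  # assumed fallback path, not from the page


def is_safe_return_url(value):
    """Return True only if value is an absolute path on the same origin."""
    if not isinstance(value, str) or not value:
        return False
    candidate = value.strip()
    lowered = candidate.lower()
    # Patterns named in the bulletin: explicit scheme, protocol-relative URL,
    # javascript (taken literally, so it also rejects paths containing that word)
    if lowered.startswith(("http://", "https://", "//")) or "javascript" in lowered:
        return False
    # Any scheme (data:, vbscript:, mailto:) or authority means this is not a local path
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    # Browsers normalise "/\" and "\\" to "//", so a backslash can smuggle a host
    if "\\" in candidate:
        return False
    # Browser URL parsers strip tabs/newlines, which could reassemble a rejected
    # prefix after our check, so refuse any control character outright
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return False
    # Require a path rooted at the application (assumption: relative paths not needed)
    return candidate.startswith("/")


def resolve_redirect(return_url, fallback=DEFAULT_LANDING_PAGE):
    """Pick the redirect target: the validated returnUrl, else the fallback page."""
    return return_url.strip() if is_safe_return_url(return_url) else fallback


if __name__ == "__main__":
    # Constructed sample inputs of the kind a wizard's returnUrl parameter might carry
    samples = [
        "/cmf/services/1/status",
        "http://attacker.example/",
        "//attacker.example/",
        "javascript:alert(document.cookie)",
        "/\\attacker.example/",
        "HTTPS://attacker.example/",
    ]
    for s in samples:
        print(f"{s!r:40} -> {resolve_redirect(s)}")
```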

Kafka broker and MirrorMaker should only listen on the loopback interface for JMX connections

Kafka broker and MirrorMaker processes now listen only on the loopback interface for JMX connections. The fix causes Kafka brokers and MirrorMaker to be marked as stale after upgrading to Cloudera Manager 6.0.0 or later.

To apply the fix, perform a rolling restart of the Kafka brokers and MirrorMaker.

Cloudera Issue: OPSAPS-46633

Remove the IMPALA_ASSIGNMENT_LOCALITY Impala check

This check was removed.

Cloudera Issue: OPSAPS-46807

Inconsistent handling of case sensitivity for cluster names in URLs

Fixed an issue where case sensitivity for cluster names in URLs was not handled consistently with the API. For example, the endpoints "/api/v6/clusters/cluster 1/services" and "/api/v6/clusters/Cluster 1/services" are equivalent.

Cloudera Issue: OPSAPS-43691

HBase Indexer can emit Sentry client configs even if Sentry isn't directly configured

On a KeyValue Store Indexer service, Sentry was enabled if the Solr dependency was using Sentry, even if the KeyValue Store Indexer was set to none in its Sentry dependency configuration. This is now corrected for CDH 5.14 or higher clusters.

After upgrading Cloudera Manager, clusters on CDH 5.14 or higher will be marked as stale if you have Sentry enabled for Solr but not enabled for KeyValue Store Indexer. If you are affected by this issue, restart the stale services to apply the fix.

Cloudera Issue: OPSAPS-43695

GenerateHostCerts command doesn't use passphrase for SSH key auth

When using the generateHostCerts command API, the password field was being used instead of the passphrase field for SSH keypair-based authentication. This is now fixed so that the userName and password fields are used for username/password authentication, and the privateKey and passphrase fields are used for keypair-based authentication.

Cloudera Issue: OPSAPS-45514

dfs.client.block.write.replace-datanode-on-failure.enable property

HBase now respects the HDFS setting for dfs.client.block.write.replace-datanode-on-failure.

Cloudera Issue: OPSAPS-36611

API names

The following API names have changed to fix typos:
  • hiverserver2_load_balancer has been changed to hiveserver2_load_balancer
  • hbase_client_java_opts has been changed to hdfs_client_java_opts
  • hbase_active_master_detecton_window has been changed to hbase_active_master_detection_window
  • hdfs_active_namenode_detecton_window has been changed to hdfs_active_namenode_detection_window
  • mapreduce_active_jobtracker_detecton_window has been changed to mapreduce_active_jobtracker_detection_window
  • yarn_active_resourcemanager_detecton_window has been changed to yarn_active_resourcemanager_detection_window

The hiverserver2_load_balancer change affects Hive services when HiveServer 2 is configured for High Availability.

The hdfs_client_java_opts parameter configures the Client Java Configuration Options, found under the HDFS Gateway role configuration.

The other parameters tune the behavior of health test checking for the HBase Master, HDFS NameNode, MapReduce JobTracker, and YARN ResourceManager respectively.

Any API scripts or cluster templates referencing the old names will need to be updated to use the new names.

Cloudera Issue: OPSAPS-33266, OPSAPS-39223, and OPSAPS-24569

Cloudera Manager fails to enable Kerberos if TLS is configured

Fixed an issue where the Kerberos wizard failed if TLS was enabled. When enabling Kerberos on a cluster running TLS, the system cannot use privileged ports (<1024); the wizard now prompts the user for appropriate port values instead.

Cloudera Issue: OPSAPS-33345

Cloudera Manager Agent install or upgrade hangs

During Cloudera Manager Agent installs or upgrades, Cloudera Manager accesses both Cloudera and non-Cloudera repositories. Fixed an issue where the installation or upgrade could hang because of a misconfigured or problematic third-party repository.

Cloudera Issue: OPSAPS-45576

CDH did not install Kudu when using packages

Fixed an issue where Cloudera Manager did not install Kudu packages when CDH was installed using packages instead of parcels.

Cloudera Issue: OPSAPS-45692

"create" option in nestedUserQueue allocation rule is added to the wrong part of the allocation rules in the fair scheduler configuration

The Dynamic Resource Pools user interface now supports the following placement rules, and the pool creation policy can be configured separately for the parent group and for the individual user pool:
  • root.primaryGroup.username
  • root.secondaryExistingGroup.username
  • root.[pool name].username
Previously, only the create="true|false" flag could be added to the inner element of the nestedUserQueue element. This meant that a root.primaryGroup or root.secondaryExistingGroup pool could be created, which was not correct. Now, you can add the create="true|false" flag to the actual nestedUserQueue element as well as the inner element of the nestedUserQueue element. An additional restriction is that if root.<parent>.username should use an existing pool (create = false), then root.<parent> must also use an existing pool.

Cloudera Issue: OPSAPS-42803

Display steady fairshare that correspond to weight in YARN Dynamic Resource Pool Configuration

Two columns, Fair Share CPU and Fair Share Memory, have been added to the Dynamic Resource Pool Configuration 'Resource Pool' table. They display the resources allocated to each pool, based on the percentage of resources allocated through the pool's fair share weight. If minimum resources are specified for pools, the fair share values will not accurately reflect resource allocation. These values are displayed only for pools that do not have any sub-pools.

Cloudera Issue: OPSAPS-45188

[oozie] Emit correct port in load balancer URLs

The 'oozie_load_balancer' Cloudera Manager configuration parameter has changed. Previously it was specified in '<hostname>:<port>' format; in CM 5.15 and later the format is simply '<hostname>'. Because this format change is incompatible, any client that reads this value through the API must also read the load balancer port parameters ('oozie_load_balancer_http_port' and 'oozie_load_balancer_https_port') as needed; which port parameter applies depends on whether SSL is enabled (the value of 'oozie_use_ssl').

Cloudera Issue: OPSAPS-43846

YARN NodeManager stale due to missing CGroups

Fixed an issue when using YARN with CGroups where the YARN NodeManager could show as stale due to System Resources even when it was not; the configuration diff showed named-cpu as changed even though it had not been modified.

Cloudera Issue: OPSAPS-43973

Upgraded Jetty version

Jetty updated to version 9.4.6.v20170531 to fix CVE-2017-9735.

Cloudera Issue: OPSAPS-42317

Impala Dynamic Resource Pools wrongly give everyone access to root pool (and all child pools)

Fixed an issue where all users had access to all Impala resource pools if no users or groups were specified in the root pool. Now, no users get access to a pool if no users or groups are specified.

Cloudera Issue: OPSAPS-45046

YARN Dynamic Resource Pools wrongly give everyone access to root pool (and all child pools)

Fixed an issue where all users had access to all YARN resource pools if no users or groups were specified in the root pool. Now, no users get access to a pool if no users or groups are specified.

Cloudera Issue: OPSAPS-44949