Issues Fixed in Cloudera Manager 5

The following sections describe issues fixed in each Cloudera Manager 5 release.

Issues Fixed in Cloudera Manager 5.11.1

All required fonts are now installed by Cloudera Manager

Fixed an issue where Cloudera Manager made requests to googleapis.com to download some of its required fonts, which failed if the browser did not have Internet access. Cloudera Manager now includes all of the necessary fonts.

Automated Cloudera Manager installer fails on Ubuntu 16.04

Fixed an issue where running the cloudera-manager-installer.bin installer file (as described in the documentation) fails on Ubuntu 16.04 LTS (Xenial).

Unable to connect to Oozie with curl

Fixed an issue where some Linux distributions could not connect to Oozie with curl through HTTPS when DHE-based ciphers are present.

getRoles filtering is not working with Cloudera Manager API version 11 and higher

Fixed a bug that broke backwards compatibility since Cloudera Manager API version 11 (introduced with the Cloudera Manager 5.6 release) for the following endpoint:
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE
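
As an illustrative usage sketch (not part of the original fix note), the endpoint's filter can be exercised from Python with the requests library. The host, port, API version, credentials, cluster name, service name, and role type below are placeholder assumptions; adjust them for your deployment.

  import requests

  # Placeholder Cloudera Manager host, API version, cluster, and service names.
  url = ("http://cm-host.example.com:7180/api/v11/"
         "clusters/Cluster1/services/hdfs/roles")
  # The filter syntax matches the endpoint shown above (type==ROLE_TYPE).
  resp = requests.get(url, params={"filter": "type==DATANODE"},
                      auth=("admin", "admin"))
  resp.raise_for_status()
  for role in resp.json().get("items", []):
      print("%s %s" % (role["name"], role["type"]))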

Fixed in Cloudera Manager 5.8.5, 5.11.1.

Cannot upload large diagnostic bundles

Fixed an issue where large diagnostic bundles, such as those greater than 4 GB, failed to upload.

HBase configuration is supplied for Hive when HBase service is not selected

Fixed an issue where Cloudera Manager provided HBase configuration in the hive-site.xml file even when the HBase Service setting in Hive was not selected, which could cause unnecessary errors when Hive-on-Spark attempted to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in hive-site.xml only when Hive depends on HBase.

Accessing Sqoop2 with Hue fails

Fixed an issue where accessing Sqoop2 with Hue fails with the following error: Sqoop error: Could not get connectors.

CDH 5.5.0 and higher clusters running a Hue service require a restart of the Hue service because of a new configuration file. This new configuration file is required for Hue's Sqoop application to function in secure deployments, but it appears whether or not Sqoop or security settings are in use.

Exception when setting maintenanceOwners to null

Fixed how null values for the maintenanceOwners parameter are handled when creating clusters with the Cloudera Manager API.

Underscores in LDAP domain names not allowed

Fixed an issue where LDAP domain names could not contain underscores. This fix affects Cloudera Manager, Hue and Cloudera Navigator.

Host selection for Backup and Disaster Recovery Replication jobs

Fixed an issue where a host in a bad state or with a gateway role might be selected to run a replication job.

Hosts are selected based on the following criteria:
  • Has an HDFS or Hive service role, for HDFS or Hive replication respectively
  • Does not have a gateway role
  • Is in a good or concerning health state (hosts in good health are preferred)
  • Is listed on the whitelist, if one is configured

CSD graceful service stop second step failure

Fixed an issue in the stop command execution for CSD services authored to use a service-level graceful shutdown. The stop command could be shown with the second step (forced kill) marked as failed when all roles were already stopped. This issue also affects shutdown of Kafka using Cloudera Manager 5.11.0 and can impact Kafka upgrades.

Metric missing from Workload Summary for Kudu

Fixed an issue where the total_kudu_rows_upserted_rate_across_kudu_replicas metric was not included in the Workload Summary for Kudu.

Low watermark value for Memstore Flush default is incorrect

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low, at 0.38, which can cause severe underutilization of the memstore.

The default has been corrected to 0.95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of 0.38, it is automatically increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value less than or equal to 0.9, it is flagged as a configuration warning.

Fixed in Cloudera Manager 5.8.5, 5.11.1.

Failed health checks because of deprecated ntpdc command

Fixed an issue where the ntpdc command was used in the host Clock Offset health test even when the command is deprecated on the operating system.

Drop-down options not visible when using Internet Explorer 11

Fixed an issue that prevented Internet Explorer 11 from rendering the add/edit resource pool dialog box.

Import of Cluster Template with HA fails with invalid HDFS configuration error

Fixed the issue "Cluster Template" where role level configs were not getting exported. This was causing cluster setup failure when user try to import cluster template exported from a cluster where HDFS HA was enabled.

Graceful shutdown of Kafka brokers does not work as expected

Fixed an issue where the new Graceful Shutdown Timeout configuration property did not work as expected. Kafka took an additional 30 seconds (by default) to shut down but still had only 30 seconds to complete its controlled shutdown before Cloudera Manager forcibly shut down the Kafka brokers, regardless of the configured timeout.

Fixed in Cloudera Manager 5.11.1.

Issues Fixed in Cloudera Manager 5.11.0

The cloudera-server-db fast_stop fails on Debian-based systems

Fixed an issue where the cloudera-server-db fast_stop command failed on non-systemd Debian systems, such as Debian 7, with a "command not found" error.

Cluster template export exports Autoconfiguration settings

Fixed an issue where the API to export cluster templates exported settings that were auto-configured. Auto-configured settings should not be exported in the cluster template.

Pauses in Cloudera Manager after adding peer

Fixed an issue that caused pauses and slow performance of the Cloudera Manager Admin Console after creating a peer.

Fixed in Cloudera Manager 5.11

Max heap is wrong for ZooKeeper

Fixed an issue where the JVM Heap Memory Usage chart for ZooKeeper displayed the wrong value for maximum memory.

Error starting the NodeManager when the /tmp directory is mounted as noexec

Fixed an issue where an error occurs when starting the NodeManager because the /tmp directory is mounted as noexec.

Cloudera Manager cannot delete principals from AD when regenerating principals

Fixed an issue where generating Kerberos credentials failed when Active Directory properties, such as the OU, contained a space or were too long to fit on a line.

The Cloudera Manager Python API may experience connection errors

Python 2.7 and later enables certificate chain validation by default, and specifying a custom SSL context with a CA certificate may be required to prevent connection errors. The ApiResource constructor in the Cloudera Manager Python API now takes an optional "ssl_context" argument where a custom SSL context can be provided. This allows clients to specify the CA certificate of the API endpoint's certificate.
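
A minimal sketch of using the new argument follows; the hostname, credentials, and CA bundle path are placeholders, and use_tls is assumed to be set for an HTTPS endpoint.

  import ssl
  from cm_api.api_client import ApiResource

  # Build an SSL context that validates the server certificate against a
  # custom CA bundle (the path is a placeholder).
  ctx = ssl.create_default_context(cafile="/path/to/cm-ca-cert.pem")

  # Placeholder host and credentials; the context is passed via ssl_context.
  api = ApiResource("cm-host.example.com", username="admin", password="admin",
                    use_tls=True, ssl_context=ctx)
  for cluster in api.get_all_clusters():
      print(cluster.name)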

The service cloudera-scm-server force_start command fails with PostgreSQL

Fixed an issue where a force start of the Cloudera Manager server failed if Cloudera Manager used PostgreSQL.

Parcels cannot be removed from Cloudera Manager

Fixed an issue where parcels could not be removed from the Cloudera Manager database when the manifest.json file is not available in the remote repository or removed from the remote location.

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2, 5.7.6

Warning about suspicious non-ASCII punctuation character in KMS ACLs

When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.

Fixed in Cloudera Manager 5.11.0, 5.10.1

Kafka fails when configured with Sentry and an old Kafka version

Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.

Fixed in: Cloudera Manager 5.11.0, 5.10.1

Invalid regex needs agent hard_restarted

Fixed a Cloudera Manager Agent problem that required a hard restart of the agent when an invalid regular expression was used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Issue with views after BDR Hive Replication

Fixed an issue where a change to a Hive view on a source cluster was not reflected in the target cluster after Hive Replication with the Force Overwrite option selected.

Sentry Database upgrades

During a CDH upgrade, the Sentry Database Upgrade step will be performed only when necessary. Previously, the Sentry Database Upgrade step always ran.

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Issues Fixed in Cloudera Manager 5.10.1

Warning about suspicious non-ASCII punctuation character in KMS ACLs

When setting up the KMS ACLs for HDFS encryption, the warning "Suspicious non-ASCII punctuation character "’" at character position 9118" displays. This warning can be safely ignored, and editing any KMS ACL in Cloudera Manager will make the warning disappear. This bug fix removes this warning.

Fixed in Cloudera Manager 5.11.0, 5.10.1

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2, 5.7.6

Spark CSD may cause issues in yarn-cluster mode

Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.

Fixed in Cloudera Manager 5.10.1, 5.9.2

Invalid regex needs agent hard_restarted

Fixed a Cloudera Manager Agent problem that required a hard restart of the agent when an invalid regular expression was used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Kafka fails when configured with Sentry and an old Kafka version

Fixed an issue that occurred when Kafka was configured to use Sentry for authorization, and Kafka was not version 2.1 or higher, which caused Kafka to fail with the following exception: java.lang.ClassNotFoundException: org.apache.sentry.kafka.authorizer.SentryKafkaAuthorizer.

Fixed in: Cloudera Manager 5.11.0, 5.10.1

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Issues Fixed in Cloudera Manager 5.10.0

Importing cluster templates fails

Fixed an issue where the Cluster Import command failed after updating parcel repositories, when the parameter addRepositories=true was included in the command and there were no pre-configured repositories in the cluster.

DB Oracle client libraries cannot be found on host due to missing libaio1

On a parcels install, Hue can be set up with an Oracle Database. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.

CM - error connecting to an Oracle DB with a Package install for HUE's DB

On a packages install, Hue can be set up with an Oracle Database and proceed past the Test Connection page in the setup wizard. This requires placing required Oracle packages in a specific location. See Hue Custom Databases.

Support non-public schemas with PostgreSQL

Cloudera Manager used to work with only 'public' schema in PostgreSQL. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user or database. For more information, see https://www.postgresql.org/docs/current/static/ddl-schemas.html.
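
As an illustrative sketch only (not from the release note), the search path could be set for the Cloudera Manager database user with a short Python script; the connection parameters, role name, and schema name are placeholder assumptions.

  import psycopg2

  # Connect as a database superuser (all connection parameters are placeholders).
  conn = psycopg2.connect(host="db-host.example.com", dbname="postgres",
                          user="postgres", password="secret")
  conn.autocommit = True
  with conn.cursor() as cur:
      # Put the custom schema first on the scm role's search path.
      cur.execute("ALTER ROLE scm SET search_path TO my_schema, public")
  conn.close()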

Truststore password shouldn't be required

Truststore passwords are no longer required. This fixes a bug where some Cloudera components erroneously reported that a password was required.

Server error deleting a host - Cannot delete or update a parent row: a foreign key constraint fails

Fixes a database constraint violation that occurs when you use Cloudera Manager to delete a host that has cluster-wide configurations. (Kerberos configurations, for example.)

Hide unlicensed configurations instead of disabling them

Cloudera Express no longer shows configurations that require a license to manage.

Various improvements in the Pools page

Many small usability issues have been fixed in the resource pools page:
  • You can now click on an input row and go directly to that input field in the edit dialog.
  • The columns where you enter minimum and maximum values for Virtual cores and Memory now appear under the headings Min Resources and Max Resources.
  • On the Create Resource Pool page, the Configuration Sets tab has been renamed to Resource Limits.

Override the SMON client configuration so the MapReduce job does not produce compressed output

This fixes an issue where the YARN utilization report might not work when MapReduce job output is specified as "Compressed" and a compression codec is used for it.

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Dollar sign '$' character in password results in an IllegalArgumentException

Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.

Incorrect Scheduling Policy of Resource Pool Configuration in YARN

If a user did not make any resource policy change on an existing cluster, the default scheduling policy used is FAIR, but the Cloudera Manager Admin console incorrectly displays the policy as DRF. This is now fixed to show FAIR. When the user creates new clusters, the default scheduling policy will be DRF.

Cannot select time period in custom charts in C5.9

The quick time selection (30m, 1h, and so on) on custom dashboards now works correctly.

Increase the default value of Safemode Minimum DataNodes property to 1

In Cloudera Manager 5.9 and lower, the HDFS property Safemode Minimum DataNodes has a default value of 0. This property configures the number of DataNodes that must register with the NameNode before the NameNode exits safe mode. This property now has a default value of 1 in CDH 5.9 and higher.

In an empty cluster (that is, a cluster with no HDFS data) where the property is set to 0, this has the side effect of extending the duration of startup safe mode by about 30 seconds. For non-empty clusters, this change has no visible effect. This change only applies to new CDH 5.9 and higher clusters created with Cloudera Manager 5.10 or higher. Existing CDH 5.9 clusters are not affected; pre-CDH 5.9 clusters that are upgraded to CDH 5.9 or higher are also unaffected.

Turn off HSTS header in Hue Load Balancer

Only the Hue server now generates the HSTS HTTP header. Previously, both the Hue server and the Hue Load Balancer generated the HSTS HTTP header.

AWS ID being used for UUID, which can cause duplicate hosts

Fixed an issue where duplicate hosts were reported in Cloudera Manager because the AWS instance ID was used as the unique host identifier. Cloudera Manager now uses a random number as the unique host identifier instead. This prevents duplicate hosts when a host running on a cloud service such as AWS is added using the Cloudera Manager wizard and then added again manually.

Cloudera Manager corrupts passwords and other attributes

Previously, some users found that the string '******' was inserted into the database literally. Cloudera Manager now checks for this special string and prevents it from being stored in the Cloudera Manager database.

Database wizard error message when the database does not exist is misleading

Cloudera Manager now generates a proper error message when the database does not exist and the username and password do exist. Cloudera Manager now displays the message "Able to find the Database server, but not the specified database. Please check if the database name is correct and make sure that the user can access the database."

Hive Replication: Make parameters replication on by default

Parameters of databases, tables, partitions, and indexes are replicated by default during Hive replications. You can disable this replication. See Replication of Parameters.

NFS Gateway daemon in HDFS needs SSL server configs

The Web server of the HDFS NFS Gateway that is used to publish metrics and view configurations is now covered by SSL protection when enabled across the HDFS service. This fixes an issue that caused a failure when starting the Web interface for the NFS gateway.

CM server error - JsonMappingException

Fixed an issue where a race condition when retrieving the log links for unhealthy roles caused a null pointer exception on the Cloudera Manager home page.

"Restart needed" button doesn't appear after changing the server's private key password in the KeyTrustee Server service configuration

When passwords change, the stale configuration icon now displays. When you click the icon, the Stale Configurations page displays, but the page does not indicate which passwords have changed.

Issues Fixed in Cloudera Manager 5.9.2

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2, 5.7.6

Invalid regex needs agent hard_restarted

Fixed a Cloudera Manager Agent problem that required a hard restart of the agent when an invalid regular expression was used to specify tables in Hive replication.

Fixed in: Cloudera Manager 5.11.0, 5.10.1, 5.9.2

Spark CSD may cause issues in yarn-cluster mode

Spark client configuration has been fixed to avoid application failures in certain cases when launching applications in YARN cluster mode.

Fixed in Cloudera Manager 5.10.1, 5.9.2

Dollar sign '$' character in password results in an IllegalArgumentException

Fixed an issue where CSD-based services could not use certain special characters like '$' without getting an exception. This is most frequently an issue for passwords.

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixed an issue where a NullPointerException is thrown when using Hive Replication with SSL enabled on an Impala service but not on other Hadoop services.

Fixed in Cloudera Manager 5.11, 5.10.1, 5.9.2

Issues Fixed in Cloudera Manager 5.9.1

Cannot select time period in custom charts in C5.9

Fixed an issue where the quick time selection (30m, 1h, and so on) on custom dashboards did not work in 5.9.x.

Hive table Views do not get restored from S3

Fixed an issue where, when creating a Hive replication schedule that copies Hive data from S3 with the Reference Data From Cloud option selected, Hive table views were not restored correctly, resulting in a NullPointerException when querying data from the view.

Cloudera Manager blocks from HS2 enabling both LDAP and Kerberos authorization

HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 or higher. Previously, this was considered an error.

Support non-public schemas

Cloudera Manager used to work with only the public schema in PostgreSQL. With this change, Cloudera Manager now supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user or database. For more information, see https://www.postgresql.org/docs/current/static/ddl-schemas.html.

Alert Publisher throws "unsigned 32bit value" error after long uptime

Fixes an issue where the Alert Publisher throws an "unsigned 32bit value" error after a long uptime. TimeTick is an extension of the UnsignedInteger32 type and represents time in hundredths of a second, so its value range is 0 to 4294967295. Activity Monitor's uptime is a Java long that can exceed the TimeTicks range. Before this fix, a long uptime could cause the Alert Publisher to throw the "unsigned 32bit value" error.
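
A quick back-of-the-envelope check (illustrative only) shows why a sufficiently long uptime exceeds the TimeTicks range:

  # TimeTicks count hundredths of a second in an unsigned 32-bit range.
  max_timeticks = 4294967295
  seconds = max_timeticks / 100.0
  days = seconds / 86400.0
  print(round(days, 1))   # ~497.1 days before the counter range is exceeded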

Issues Fixed in Cloudera Manager 5.9

Impala load_catalog_in_background configuration should be set to false by default in Cloudera Manager

Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.

Oozie first run fails with custom principals

Fixed an issue in Cloudera Manager 5.8.1 where the first time Oozie is run it fails if using Kerberos custom principals.

Cluster export fails when service configuration is invalid

Fixed an issue in the export cluster template code path where it was failing because of stale configuration settings in the Cloudera Manager database. This can occur when configurations are deprecated on older CDH releases.

Add gateway role to Kafka and move dependencies' client configs into Kafka's client configs

Cloudera recommends that you place your Kafka host in the same logical cluster as your Sentry host. However, if you deploy Kafka as a separate logical cluster, you can deploy a dummy Sentry service on Kafka's logical cluster with an override for sentry-site.xml that points to the Sentry service on the first logical cluster, and then turn the dummy service off. This workaround allows Cloudera Manager to generate the appropriate Sentry client configuration for Kafka.

Sentry Upgrade command is not retriable

If the Sentry Upgrade command fails, you can now retry the command.

Impala Breakpad script does not convert exponentials into decimals and leads to errors

Fixed an issue where the Impala Breakpad script fails if you try to collect more than 10 MB of dumps from a single role.

HDFS-S3: Incremental backup support

HDFS-S3 replication supports incremental backups using snapshot diffs. HDFS-S3 replication does not support incremental restore using snapshot diff.

Fix css in navigation

Fixed several small issues:
  1. Do not show role link again on the role instances page.
  2. Do not bold the decommission state.
  3. Do not use long display name for hosts; use short display name.
  4. Show the role link on the role health test page.
  5. Show Today rather than the long time label.
  6. Show only month, date when the year is the same.
  7. Make the icons in navigation line up.
  8. Make the icons in navigation not so wide.
  9. Change all line-height settings to multiples of 4.
  10. Add back the border below the title.

Fix sorting on the instances page

Fixed the initial sort order on the instances page.

Nightly Charts are broken due to gridster refactoring

Fixed a permission issue on the Cluster Status page, where the grid was never enabled, and on the View page, where the grid was always enabled for all users. The former change allows the user to customize the Cluster Status page; the latter change ensures that users do not get errors when customizing specific view pages.

Redact s3 credential properties in MR by default.

AWS S3 credentials, if specified in the job configuration by setting fs.s3a.access.key and fs.s3a.secret.key, were shown as clear text in MapReduce UIs. The credentials are now redacted by default in all MapReduce UIs.

Latest Cloudera Manager Java client does not work on older Cloudera Manager

Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.

Comment for command retry in the cm_api Python github needs to be updated

Fixed the API command documentation to include the canRetry attribute. Added a new method, ApiCommand.getCanRetry() and deprecated the method ApiCommand.isCanRetry().
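
A minimal usage sketch follows, assuming the accessor names given above; the cluster name and the operation used to obtain an ApiCommand instance are placeholders.

  from cm_api.api_client import ApiResource

  api = ApiResource("cm-host.example.com", username="admin", password="admin")
  cluster = api.get_cluster("Cluster 1")   # placeholder cluster name
  cmd = cluster.restart()                  # any operation that returns an ApiCommand
  # Prefer getCanRetry() over the deprecated isCanRetry().
  print(cmd.getCanRetry())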

Defaults to 1st Impala service in the cluster when there are multiple Impalas

Fixed an issue that prevented the display of Impala usage on the Cluster Utilization page when there are two Impala services in the same cluster. The UI now shows usage for the first Impala service only.

Staleness check page popped up 30s ~ 60s after clicking the icon.

Fixed an issue where a stale configuration page would take a lot of time to load for a large cluster.

Oozie points to older sharelib even after running sharelib install command

Fixed the Install Oozie Share Lib action so that the Oozie service is informed that there is a new shared library installed. This eliminates the need for a separate manual restart.

HDFS File Browser exposes contents to all users

HDFS File browser can now only be viewed by users with the roles BDR Admin, Cluster Admin, or Full Admin. Previously, any Cloudera Manager user, including read-only users, could browse the file names in HDFS.

Cloudera Manager set catalogd default jvm memory to 4G can cause out of memory error on upgrade to Cloudera Manager 5.7+

After upgrading to 5.7 or later, you might see a reduced Java heap maximum on Impala Catalog Server due to a change in its default value. Upgrading from Cloudera Manager lower than 5.7 to Cloudera Manager 5.8.2 no longer causes any effective change in the Impala Catalog Server Java Heap size.

When upgrading from Cloudera Manager 5.7 or later to Cloudera Manager 5.8.2, if the Impala Catalog Server Java Heap Size is set at the default (4GB), it is automatically changed to either 1/4 of the physical RAM on that host, or 32GB, whichever is lower. This can result in a higher or a lower heap, which could cause additional resource contention or out of memory errors, respectively.

Agent uses USER env var to run everything if it is set

Cloudera Manager Server now runs services using the user ID with which single-user mode is configured. If single-user mode is configured on the agents to use the user cloudera-scm, an attempt to run Hive as the user hive fails.

In LZO enabled clusters, the cluster utilization feature fails

YARN usage aggregation job now runs successfully on clusters where LZO compression is being used.

HDFS Snapshot policy is selecting unhealthy host to run on

When selecting a role to run the HDFS snapshot command, Cloudera Manager selects a non-decommissioned host in Active status. Hosts in maintenance mode also have a lower priority than hosts in the active state.

Discourage CSDs from producing client config files that pollute the root dir

For CSD development, there are now deprecation warnings in the CLI validation tool and the Maven validation plugin. These indications provide guidance for future behavior changes in the support of CSD services in Cloudera Manager. A deprecation warning is shown when applicable, but does not affect the outcome of the validation.

Ensure that one-off processes cannot re-execute.

One-off requests, such as "Inspect Hosts," no longer re-execute.

Hive Replication Command should update and copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Cloudera Manager complains "Unable to parse the input XML" when you enter a working XML for the "Fair Scheduler XML Advanced Configuration Snippet (Safety Valve)"

Passing a legal XML value to Fair Scheduler XML Advanced Configuration Snippet (Safety Valve) no longer causes a parsing error.

If files excluded by exclusion filters are renamed, they are not replicated

Fixed an issue in incremental HDFS replication where, if a file excluded by exclusion filters was renamed to an included file, the renamed file was not copied to the destination cluster.

Proper fix to handle parcel activation falsely succeeding when host health is failing

Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix adds an extra step to wait for hosts to report the correct parcel version before proceeding.

Deferred cgroup removal might not be waiting at all

This fix provides some wait time before the SCM agent attempts to remove control groups (cgroups) again after an initial failure.

SMON should only fall back to Oozie's instrumentation endpoint if the metrics endpoint gives a 503

SMON previously fell back to Oozie's instrumentation endpoint if it had any problems with the metrics endpoint. Now, SMON falls back only when the metrics endpoint returns a 503 error code, which is the only case where the instrumentation endpoint could possibly succeed.

Support bundle missing client configuration deployment logs

Client configuration deployment logs, which were unintentionally removed in Cloudera Manager 5.3, are now collected as part of the diagnostic support bundle.

Use concurrency option when uploading the sharelib to be faster

You can increase the number of threads used to upload the Oozie sharelib to HDFS. This significantly reduces the time it takes for this operation. This feature is available starting in CDH 5.9.0.

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"

Before this fix, the host inspector incorrectly warned about kernel version "2.6.32-504.16.2" as "non-recommended."

Agent orphan cleanup removes process dir from in flight process

With this fix, the preventative steps in TSB-181 are no longer required.

Rolling upgrade fails if services stopped

Rolling upgrade will no longer fail if services are stopped.

Redact Content from Flume configuration

Enabled redaction of sensitive information from Flume configuration.

Redaction of sensitive information from diagnostic bundles at creation time

Cloudera Manager is designed to transmit certain diagnostic data (or bundles) to Cloudera. The Cloudera Support team uses diagnostic bundles to reproduce, debug, and address technical issues for customers. Cloudera support discovered that potentially sensitive data might be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose. Cloudera has taken the following actions:
  • Modified Cloudera Manager so that known sensitive data is redacted from the bundles before transmission to Cloudera.
  • Updated Cloudera CDH components to remove logging and output of known potentially sensitive properties and configurations.

See Redaction of Sensitive Information from Diagnostic Bundles.

Huge memory leak if the HDFS File Browser UI remains open for an extended time

If the HDFS File Browser was kept open for long periods of time, it could cause a memory leak that would crash Cloudera Manager. This fix addresses the issue.

Evaluate impact of disabling second-level cache on performance at scale

Disabled second level hibernate cache, which was causing the cache to become "stale" under load. There is no significant difference in Cloudera Manager performance after disabling the cache.

Express wizard failing to install ZooKeeper

Installing CDH using Packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which could result in the wizard using the wrong one. The Cloudera Manager wizard now ensures the correct binaries are selected. Workaround: Use the parcels format or manually install the correct packages.

Empty archive files should not be created for impala role diagnostics

Support bundles started collecting Impala minidump bundles in Cloudera Manager 5.8.0 and higher, and an empty TAR file was generated if no bundles were found. With this fix, no empty TAR files are generated.

Cloudera Manager no longer shows "this step is expected to fail" when enabling HDFS-HA

Cloudera Manager now shows the correct label when enabling HDFS high availability.

If total_space_bytes is very large, heartbeats fail

Fixed an issue where the heartbeat fails with a host that has a mount point backed by cloud storage, such as AWS.

Enabling cgroups requires "impala" group even if there is no Impala service

Fixed the assumption that any default-named group exists on all hosts. YARN cgroup containers do not require the Impala user/group to be present on hosts.

OOMKiller script does not work for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.

Issues Fixed in Cloudera Manager 5.8.5

Use whitelist to only check known good parcels before first run

During execution of the First Run command, the command now waits only for the Cloudera Manager Agent to detect CDH parcels and does not wait for any other activated parcels. Previously, it waited for agents to detect all activated parcels.

HBase configuration is supplied for Hive when HBase service is not selected

Fixed an issue where Cloudera Manager provided HBase configuration in the hive-site.xml file even when the HBase Service setting in Hive was not selected, which could cause unnecessary errors when Hive-on-Spark attempted to connect to HBase. Cloudera Manager now correctly emits the HBase-related configuration in hive-site.xml only when Hive depends on HBase.

getRoles filtering is not working with Cloudera Manager API version 11 and higher

Fixed a bug that broke backwards compatibility since Cloudera Manager API version 11 (introduced with the Cloudera Manager 5.6 release) for the following endpoint:
/api//clusters/clusterName/services/serviceName/roles?filter=type==ROLE_TYPE

Fixed in Cloudera Manager 5.8.5, 5.11.1.

Placement rules in DRP UI should provide option to not create sub-pools

Nested User Pools (except existingSecondaryGroup) now support create=true|false as a checkbox in the UI.

Low watermark value for Memstore Flush default is incorrect

For CDH versions 5.8 and higher, the Low Watermark for Memstore Flush configuration parameter is associated with the HBase parameter hbase.regionserver.global.memstore.lowerLimit.

This value represents the fullness threshold of the memstore as a percentage of memstore capacity. The default value for this parameter was incorrectly set too low, at 0.38, which can cause severe underutilization of the memstore.

The default has been corrected to 0.95. When upgrading to a version of Cloudera Manager with this fix, if the value was previously set to the old default of 0.38, it is automatically increased to the new default, which may cause Cloudera Manager to mark your HBase service as having a stale configuration, requiring a restart.

Additionally, if an existing Low Watermark for Memstore Flush configuration parameter has a value less than or equal to 0.9, it is flagged as a configuration warning.

Fixed in Cloudera Manager 5.8.5, 5.11.1.

Issues Fixed in Cloudera Manager 5.8.4

CM server error - JsonMappingException

Fixed an issue where a race condition when retrieving the log links for unhealthy roles caused a null pointer exception on the Cloudera Manager home page.

Dollar sign ($) char in password results in IllegalArgumentException

Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.

Error when distributing parcels : No such torrent

Parcel distribution can fail, returning the error message:
Error when distributing to host: No such torrent:parcel_name.torrent

Workaround: Remove the file /opt/cloudera/parcel-cache/parcel_name.torrent from the host.

Hive Replication Command should update and copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL is enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that connection to Impala is successful when SSL is enabled even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increases significantly on clusters with 100-200 nodes or more and when there are host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Ability to configure the length of Impala queries that SMON keeps in memory

Lengthy queries (such as Impala DDLs) sometimes overloaded the SMON (service monitor) heap, resulting in out-of-memory exceptions (OOME). With this release, queries are limited to 10k characters by default. This setting can be adjusted using the safety valve mechanism (Advanced Configuration Snippet) in Cloudera Manager.

Issues Fixed in Cloudera Manager 5.8.3

YARN historical reports by user shows pool-user entity

When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)

If total_space_bytes is very large, heartbeats fail

Fixes heartbeat failure with a host that has a mount point backed by cloud storage, such as AWS.

OPSAPS-29327 Add config for hive.metastore.server.max.message.size

You can now configure hive.metastore.server.max.message.size using the Max Message Size for Hive MetaStore setting. The default is 100 MB. This change can cause configuration staleness during a Cloudera Manager upgrade.

CM blocks from HS2 enabling both LDAP and Kerberos authentication

HS2 now supports LDAP and Kerberos authentication on the same instance for CDH 5.7.0 and higher.

Backport OPSAPS-36100 Debian 8.2 packages cdh install fix to C5.8

Installing CDH using packages on Debian 8.2 through the Cloudera Manager wizard could install the incorrect CDH binaries, leading to failures in starting the cluster. Certain packages are available in both the default repository and the Cloudera repository, which could cause the installer to pick the wrong one. The Cloudera Manager wizard now ensures the correct binaries are selected.

Impala load_catalog_in_background config should set to "false" by default in CM

Changed default value for load_catalog_in_background to false. This fixes catalog scalability issues observed in Impala since v2.2.

[api] Latest CM Java client does not work on older CM

Fixed an issue in Cloudera Manager client versions 5.8, 5.8.1, and 5.8.2 where ApiCollectDiagnosticDataArguments was incompatible with Cloudera Manager versions lower than 5.8.

Empty archive files should not be created for Impala role diagnostics

Support Bundles started collecting Impala minidump bundles with Cloudera Manager 5.8 and higher. If no bundles were found, Cloudera Manager generated an empty TAR file. With this fix, no empty TAR files are generated.

OOMKiller script does not work for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple Java processes, including other roles on the same host.

Sentry Upgrade command is not retriable

If the Sentry Upgrade command fails, you can now retry the command.

Support non-public schemas

Cloudera Manager used to work with only the 'public' schema in PostgreSQL. With this change, Cloudera Manager supports custom schema names. Cloudera Manager relies on the schema search path in PostgreSQL, which can be set for a user or database. For more information, see https://www.postgresql.org/docs/current/static/ddl-schemas.html.

Issues Fixed in Cloudera Manager 5.8.2

Improve advanced configuration snippet redaction to encompass cloud provider credentials and other access tokens

The redaction of potentially sensitive parameters in advanced configuration snippets is extended to those commonly used by the Azure Data Lake.

If files excluded by exclusion filters are renamed, they are not replicated

Fixed an issue in incremental HDFS replication where, if a file excluded by exclusion filters was renamed to an included file, the renamed file was not copied to the destination cluster.

Hive Replication Command should update and copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Increase default Solrd watchdog Timeout value

Solr Server initialization can take up to 60 seconds to complete. During this interval, the Solr Server does not respond to solrd watchdog requests, which can result in the solrd watchdog terminating the Solr Server process. The default watchdog timeout has been increased to 70 seconds.

Add service changes YARN settings

In Cloudera Manager 5.7, adding any new service to your cluster can cause the YARN setting for mapreduce.job.reduces to change unexpectedly. Adding a service no longer causes this problem.

OPSAPS-29327 Add config for hive.metastore.server.max.message.size

The Hive Metastore maximum message size can now be configured using the Max Message Size for Hive MetaStore setting. It defaults to 100 MB. This change can cause configuration staleness for customers on Cloudera Manager upgrade.

XSS in Kerberos activation

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

Upload deployment.json fails when it contains replication info

Fixed an issue where migrating Cloudera Manager using a deployment.json file that contained existing Hive replication schedules failed.

Cloudera Manager set catalogd default jvm memory to 4G may cause OOM on upgrade to Cloudera Manager 5.7+

After upgrading to 5.7 or later, customers could see a reduced Java heap maximum on the Impala Catalog Server due to a change in its default value. Upgrading from Cloudera Manager lower than 5.7 to Cloudera Manager 5.8.2 no longer causes any effective change in the Impala Catalog Server Java heap size.

Oozie first run fails with custom principals

Fixed an issue in Cloudera Manager 5.8.1 where the first Oozie run failed when using Kerberos custom principals.

Hive Replication shows "Dry Run" incorrectly

Fixed a known issue where running a Hive replication showed "Dry Run" in the status message.

HDFS Snapshot policy is selecting unhealthy host to run on

When selecting a role to run the HDFS snapshot command, Cloudera Manager now selects a non-decommissioned host in Active status. Hosts in maintenance mode also have a lower priority than hosts in the active state.

Cluster export fails when service configuration is invalid

Fixed an issue where the export cluster template code path failed because of stale configuration settings in the Cloudera Manager database. Stale configurations can occur when configurations are deprecated on older CDH releases.

Agent orphan cleanup removes process dir from in flight process

With this fix, the preventative steps in TSB-181 are no longer required.

Fix CatalogServiceClient to handle TLS connections to catalogd for UDF replication

When Impala uses SSL, Cloudera Manager now supports TLS connections to the Catalog Server, so customers can enable replication of Impala UDFs and metadata in Hive replication.

Redact Content from Flume config

Enabled redacting sensitive information from Flume configuration.

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"

Fixed an issue where the host inspector incorrectly warned about kernel version "2.6.32-504.16.2" as "non-recommended."

Impala Breakpad script does not convert exponentials into decimals and leads to errors

Fixed an Impala Breakpad script failure that occurred when trying to collect more than 10 MB of dumps from a single role.

Oozie points to older sharelib even after running sharelib install command

After an "Install Oozie Share Lib" action, the Oozie service is informed that that there is a new shared lib installed. This eliminates the need for a separate manual restart.

Issues Fixed in Cloudera Manager 5.8.1

CDH upgrade from 5.7.x to 5.8.x fails when Sentry gateway role is enabled

If the Sentry Gateway role was configured on any host of a CDH 5.7.x cluster, the upgrade process to CDH 5.8.x failed.

Upgrades to CDH 5.8.x now complete successfully.

Issues Fixed in Cloudera Manager 5.8.0

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Kafka unable to start due to misconfigured security.inter.broker.protocol when Kerberos is enabled

Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.

This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.

Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Child commands for deleting or adding a nameservice show stack trace

In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.

Setting owner of a file in Isilon fails

On Isilon systems, the owner that the file is being changed to must be present on the system. In general cases, the user is not present, so this command fails with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Handle drop-recreate partition efficiently

With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).
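
For example, to opt back in to updating these properties, the snippet would contain the following line (shown in the same format as the PROPERTIES_TO_UPDATE example in the next item):
REPLICATE_PARAMETERS=true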

HiveReplicationCmdArgs.update is not accessible using Cloudera Manager

In Hive replication, you can choose to update one or more of the entities INDICES, PARAMETERS, PARTITIONS, and PRIVILEGES by adding the following instruction to the Hive Replication Environment Advanced Configuration Snippet (Safety Valve):
PROPERTIES_TO_UPDATE=INDICES,PARAMETERS,PARTITIONS,PRIVILEGES

Operation log directory should be configurable and monitored in Cloudera Manager

HiveServer2 has two new properties for configuring operation logging:
  • Enable HiveServer2 Operations Logging (default: true)
  • HiveServer2 Operations Log Directory (default: /var/logs/hive/operation_logs)

Kerberos should use non-person objects when creating principals in Active Directory

You can now configure Active Directory account properties. You can use custom values for objectClasses to configure accounts, including non-person objects.

Changes to yarn.nodemanager.remote-app-log-dir not picked up from gateway

YARN log aggregation did not work when yarn.nodemanager.remote-app-log-dir was configured to a non-default location. This value is now emitted in the YARN client configuration, ensuring client logs go to the proper location.

Key Trustee KMS should use round-robin configuration when Key Trustee server uses High Availability

If the Key Trustee server is configured with High Availability, the Key Management Service needs to use round-robin DNS.

AD_ACCOUNT_PREFIX should not be required

Active Directory Account Prefix was improperly implemented as a required configuration for Security/Kerberos. The use of this configuration is now optional.

Proper fix to handle parcel activation falsely succeeding when host health is failing

Fixed an issue related to the first run failing when some of the hosts are in bad health. This fix adds an extra step to wait for hosts to report the correct parcel version before proceeding.

Document Kerberos + Isilon support in Disaster Recovery

BDR is now supported on Isilon (including on clusters secured with Kerberos).

Separation of authentication and authorization coprocessor configs in HBase

HBase Secure Bulkload is now enabled for all CDH 5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed HBase-related MapReduce jobs.

Cloudera Manager - BDR UI - Generate replication diagnostics data. Failed due to java.lang.NullPointerException.

Trying to collect diagnostic data for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of displaying a Java stack trace.

Diagnostic collection fails on a failed BDR job

Failed BDR jobs no longer report errors on "Collect diagnostic data" actions.

Redact Advanced Configuration Snippets in the UI that contain secrets

Cloudera Manager 5.8 supports redaction of Advanced Configuration Snippet parameters in UI configuration pages. Redaction is based on matching keywords defined as sensitive, and detected within the contents of the Advanced Configuration Snippet text. Users who can edit the parameter still see the sensitive words, but users without edit privileges see only the redacted contents.

Cloudera Manager - snapshot - take snapshot - needs reset of illegal character when fixed

Fixed an issue in the Take Snapshot dialog where the validation of the snapshot name could become "stuck" and prevent execution of the operation.

Spark standalone does not come up if HDFS is not available

The Spark standalone service now works without an HDFS service. As a result, Spark services show up as stale and require a restart after upgrading to Cloudera Manager 5.7.1 or higher.

Cloudera Manager - add hdfs nameservice - gets stack trace

In an existing HDFS High Availability setup, when the user tries to add or delete a nameservice and, in the process, attempts to get progress on the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs the user that the child commands have not yet run.

BDR UI: Add Search back - It is difficult to find the desired replication schedule in the Cloudera Manager 5.5 UI

The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.

BDR Replication Schedule page is slow to load

Replication schedules page load performance is improved.

Replication DistCp - setOwner behavior on Isilon causing failures

On Isilon systems, the owner to which the file is being changed must be present on the system. In general cases, the user is not present, so this command tends to fail with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by not failing the command.

Unable to start Hue on cluster that's using Kerberos and Isilon

Hue service can now start with Isilon if Kerberos is enabled.

Enable database notifications from Hive

Hive now has the property Enable Stored Notifications in Database. When set, Hive logs DDL notifications in Hive Metastore.

The hbase user should be whitelisted by default in the list of allowed system users to launch YARN applications

YARN Allowed System Users now includes hbase by default. This is helpful when running certain tools for HBase that need to execute MapReduce jobs.

Allow HDFS Balancer to login with keytab

When running an HDFS rebalance command on a kerberized cluster with a large amount of data, the command could take long enough to complete that authentication expired and caused an error. Leveraging a new capability in HDFS, the rebalance command can now use a keytab file to automatically renew authentication before it expires.

Add support for deleting tables and databases deleted on the source

Cloudera Manager now supports deletion of entities from a target Hive database when those entities are deleted from source Hive database during Hive incremental replication.

Default MapReduce option should be YARN

The default MapReduce service for a new replication schedule is YARN.

BDR Administrator cannot enable snapshots though the role says it can

BDR Administrator authority message is now more accurate: Create replication schedules and snapshot policies.

Hive incremental replication enhancements

Cloudera Manager 5.8 includes Hive incremental replication support.

Cloudera Manager API allows users with read-only privileges to list all Cloudera Manager users

A security bug in the Cloudera Manager API allowed users with read-only permissions to view all the existing users in Cloudera Manager. This issue is now fixed.

Decide the value for TTL for DbNotifications

You can configure Time-to-live for Database Notifications in Hive for notifications present in the NOTIFICATION_LOG. The default is 2 days.

Make the cluster menu sticky

Previously, the Clusters menu expanded the first cluster by default. As the user expanded or collapsed the accordion, it remembered the configuration for the current session. When the user went to the services, roles, or hosts of another cluster, it maintained the configuration of the previously expanded cluster (which might or might not match). In Cloudera Manager 5.7.1 and higher, Cloudera Manager records the last relevant cluster when the user visits a cluster, service, role, or host page, and expands that cluster in the Clusters menu by default.

NPE on Impala Admission Control page if Memory Limit is not set

In lower releases, if the configuration Impala Daemon Memory Limit is not set, the Impala Admission Control page throws a NullPointerException. This is now fixed.

Change Impala service configs for admission control

Enable Impala Admission Control and Enable Dynamic Resource Pools are now enabled by default. Customized configuration values are preserved during upgrade.

Disaster Recovery on Isilon breaks with Kerberos

BDR on Isilon storage is now supported with kerberized clusters.

Breakpad Crash Reporting for Impala

Support bundles now collect "minidumps" from Impala that help to debug Impala crash issues. As part of this functionality, Cloudera Manager exposes two properties for three roles (Impalad, Catalog Server, Statestore Server).

  • Breakpad Dump Dir: Determines where the "minidumps" are temporarily available.
  • Max Breakpad Dump Files: Determines the maximum number of files stored in the dump directory (this limits the amount of storage allocated to Impala dump files).

s3 protocol and scheme should not be pruned during Hive metadata export

With this change, the cloud storage path remains as it is after replication.

YARN mapreduce.shuffle.max.connections is a NodeManager setting and not a client setting

mapreduce.shuffle.max.connections was emitted to YARN client configuration files instead of the NodeManager configuration. It is now correctly emitted only for the NodeManager.
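
For reference, the setting is consumed by the NodeManager's shuffle handler through mapred-site.xml, roughly as in the following sketch; the value shown is an arbitrary example (0 means no limit):

<property>
  <!-- Example cap on concurrent shuffle connections per NodeManager -->
  <name>mapreduce.shuffle.max.connections</name>
  <value>80</value>
</property>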

Kafka unable to start due to listener misconfiguration when Kerberos is enabled

Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Chart Builder not showing graphs on IE9

In Cloudera Manager 5.7, charts would not render in the Chart Builder page on IE9. This issue is fixed in Cloudera Manager 5.8.

Debian 8.2 support for Cloudera Manager

Cloudera Manager is now supported on Debian 8.2.

ResourceManager would not start if NodeManager were down during the start phase of the restart cycle

All YARN roles are stopped and started together when the service stop or start command is issued with CDH 5.2 and higher. If the CDH version is lower than 5.2, the previous behavior of stopping ResourceManagers before NodeManagers and starting them after NodeManagers stays the same.

Default TLS keystore location for HTTPFS is on non-persistent disk

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on that host, then update the configuration in Cloudera Manager to point to the new path.

Active Directory principals created without AES 128/256 bit cause job failures if cluster is configured for AES

It is now possible to configure encryption types for Active Directory setups in Cloudera Manager, using a new property on the Kerberos configuration page, Kerberos Encryption Types. You can configure only the following 5 encryption types:
  • rc4-hmac
  • aes128-cts
  • aes256-cts
  • des-cbc-crc
  • des-cbc-md5
Using other values for the encryption type causes validation of this field to fail during upgrade to CDH 5.8.

MR2 counter limits in the Cloudera Manager YARN page should populate all MR2 config files

The MapReduce2 property mapreduce.job.counters.max was not included in the configuration for the JobHistory Server, which could cause jobs to fail if there were too many counters. This might happen despite increasing the limit configured in Cloudera Manager. The property is now included in the JobHistory Server configuration, in addition to the related property mapreduce.job.counters.groups.max.
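
As a sketch, the two properties appear in the JobHistory Server's mapred-site.xml roughly as follows; the values are examples only:

<property>
  <!-- Example: raise the per-job counter limit -->
  <name>mapreduce.job.counters.max</name>
  <value>500</value>
</property>
<property>
  <!-- Example: raise the counter group limit -->
  <name>mapreduce.job.counters.groups.max</name>
  <value>100</value>
</property>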

BDR: support use of a custom principal

Cloudera Manager now supports custom Kerberos principals for BDR.

Add QueryMonitoring chart to Impala service charts

A new chart on the Impala service page shows query duration for completed Impala queries.

Add symbols to Cloudera Manager generated Active Directory passwords

Cloudera Manager now allows Active Directory password complexity to be configured using a new security configuration on the UI. The default values are as follows:
  • length: 12
  • minLowerCaseLetters: 2
  • minUpperCaseLetters: 2
  • minDigits: 2
  • minSpaces: 0
  • minSpecialChars: 0
  • specialChars: ?.!$%^*()-_+=~
You can modify these values and regenerate Active Directory credentials to create new passwords.

Regenerate principals should delete from Active Directory, too

It is now possible to regenerate principals for Active Directory setups, which involves deleting the existing accounts and regenerating new principals. Because some customers might not want to do this through Cloudera Manager, starting with Cloudera Manager 5.8 this behavior is controlled by the new property Active Directory Delete Accounts on Credential Regeneration, which is disabled by default. When the property is enabled, regenerating credentials automatically deletes the existing accounts and completes the regeneration. When it is disabled, regenerating principals produces an error message stating that deletion of accounts is required, because Cloudera Manager needs this configuration to be set in order to delete accounts automatically.

XSS in Kerberos activation

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

XSS in host addition

In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.

XSS in Host Templates

In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.

Make it more obvious when phone home is off

In lower releases, it was not obvious in the Send Diagnostics dialog whether data would be sent back to Cloudera. The dialog is enhanced to make this information more visible.

Allow ad hoc sub-pools to be created within existing pools

Cloudera Manager supports the nestedUserQueue feature in the UI. You no longer have to use the safety valve to specify nestedUserQueues. This means you can make all jobs without specified user queues go to root.<YOUR_POOL>.<username> or root.<YOUR_POOL>.<primaryGroup> from the UI.
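
Conceptually, the UI generates a Fair Scheduler placement policy similar to the following sketch; the pool name users is an example, and the exact allocation file produced by Cloudera Manager may differ:

<allocations>
  <queue name="users" type="parent">
    <weight>1.0</weight>
  </queue>
  <queuePlacementPolicy>
    <!-- Honor an explicitly requested queue first -->
    <rule name="specified" create="false"/>
    <!-- Jobs with no queue specified go to root.users.<username> -->
    <rule name="nestedUserQueue">
      <rule name="default" queue="users"/>
    </rule>
    <rule name="default"/>
  </queuePlacementPolicy>
</allocations>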

Add an option to duplicate resource pool configs

Selecting Clone lets you create a new pool from the settings of an existing pool.

Impala Admission Control root pool should have configurable ACLs

Impala Admission Control now supports a global way of editing ACLs.

Do not create host templates when create cluster wizard is run

During cluster creation, host templates are no longer created automatically.

The modal height is not calculated correctly

In lower releases, the modal dialog is sometimes too tall. This is now fixed.

New required field Key Management Server Proxy Group created if there is more than one KMS instance

When adding two Key Trustee KMS roles during the initial setup wizard, sometimes these roles were assigned to different groups. The required configuration was set for some but not all of these groups, causing errors. This is now fixed.

Links should not be shown on print out

When you print pages from Cloudera Manager, the printout no longer displays link URLs.

Allow customization of ldap account properties for AD-Kerberos setup

The Active Directory account properties objectClasses and accountExpires are now configurable from the Kerberos Configuration UI page.

Support bundle has no way to enforce that a certain time is guaranteed to be in bundle

Support bundles can now be collected for a specified time range, and users can get an estimate of the bundle size before collecting the diagnostic data. In Cloudera Manager 5.8, this applies only to role logs collected as part of the support bundle, and it is not available for scheduled support bundles.

Fix Spark CSD to keep client config files in subdir

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it. This change causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Manager Agent clears out JN data directories that leads to HDFS not restarting

On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.8, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.

Hue should not use the embedded sqlite db by default when possible

Hue now has built-in support for PostgreSQL by taking advantage of the system library python-psycopg2. In addition to this library, Hue also includes the system libraries listed below.

  • CentOS 5: Not supported
  • CentOS 6 and 7: postgresql-libs
  • Ubuntu 10.04: libpq5, python-egenix-mxdatetime and python-central
  • Ubuntu 12.04 and 14.04: libpq5
  • SLES 11 SP2: libpq5

Issues Fixed in Cloudera Manager 5.7.6

The following issues are fixed in Cloudera Manager 5.7.6.

Excess load on Cloudera Manager database

Fixed an issue where the load on the Cloudera Manager database increased significantly on clusters with 100-200 nodes or more when there were host-level configuration overrides. This has been resolved by using a smaller default value for the default_batch_fetch_size property in the Hibernate configuration.

Fixed in: Cloudera Manager 5.10.0, 5.9.2, 5.8.4, 5.7.6

Hive Replication command should copy the Serde properties correctly

Hive Replication now replicates the Serde Properties and also copies the corresponding HDFS file.

Dollar sign ($) char in password results in IllegalArgumentException

Using special characters such as the dollar sign ($) for passwords and other user-supplied values with CSD-based services (those added to Cloudera Manager with custom service descriptors) raised exceptions. This has been resolved.

Hive Replication fails when Impala is SSL enabled but Hadoop services are not

Fixes a bug where some Hadoop services did not recognize the Impala SSL configuration, which caused Hive replications to fail when SSL was enabled. To enable SSL, see: Configuring TLS/SSL for HDFS, YARN and MapReduce.

This support also ensures that the connection to Impala succeeds when SSL is enabled, even if Kerberos is not enabled.

Fixed in: Cloudera Manager 5.10.1, 5.9.2, 5.8.4

CM server error - JsonMappingException

Fixed an issue where a race condition could occur when getting the log links for unhealthy roles, causing a null pointer exception on the Cloudera Manager home page.

Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled

Fixed an issue where the Service Monitor cannot retrieve Navigator Metadata Server metrics when SSL is enabled for Navigator Metadata Server.

Fixed in: Cloudera Manager 5.11, 5.10.1, 5.9.2, 5.7.6

Issues Fixed in Cloudera Manager 5.7.5

The following issues are fixed in Cloudera Manager 5.7.5.

OOMKiller script does not work for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server might lead to killing multiple Java processes, including other roles on the same host.

Issues Fixed in Cloudera Manager 5.7.4

The following issues are fixed in Cloudera Manager 5.7.4.

Agent orphan cleanup removes process dir from in flight process

With this fix, the preventative steps in TSB-181 are no longer required.

YARN historical reports by user shows pool-user entity

When Cloudera Manager manages multiple clusters, there is no per user tracking for historical applications and queries across clusters. Instead, Historical Applications by User and Historical Queries by User show applications and queries per user and pool. (A pool is associated with a specific cluster.)

Host inspector incorrectly warns about kernel version "2.6.32-504.16.2"

Host inspector no longer flags kernel version "2.6.32-504.16.2" as "non-recommended."

Fix CatalogServiceClient to handle TLS connections to catalogd for UDF replication

When Impala uses SSL, Cloudera Manager now supports TLS connections to the Catalog Server, so you can enable replication of Impala UDFs and metadata as part of Hive replication.

If total_space_bytes is really big, heartbeats fail

Fixes a heartbeat failure on hosts that have a mount point backed by cloud storage such as AWS.

Oozie points to older sharelib even after running sharelib install command

After an "Install Oozie Share Lib" action, the Oozie service is informed that that there is a new shared lib installed. This eliminates the need for a separate manual restart.

Cloudera Manager blocks HiveServer2 from enabling both LDAP and Kerberos authentication

HiveServer2 supports LDAP and Kerberos authentication on the same instance in CDH 5.7.0 or higher. Previously, Cloudera Manager treated this configuration as an error.

OOMKiller script does not work for Impala Catalog

Fixed a bug where OutOfMemory errors in the Catalog Server could lead to killing multiple Java processes, including other roles on the same host.

Issues Fixed in Cloudera Manager 5.7.2

Unable to start Hue on cluster that's using Kerberos and Isilon

Hue service can now start with Isilon if Kerberos is enabled.

BDR UI: Add Search back - It is difficult to find the desired replication schedule in the Cloudera Manager 5.5 UI

The Replications page provides enhanced search functionality to filter schedules by any specified text. Searches occur within any of these schedule fields: HDFS paths, database names and table names.

Handle drop-recreate partition efficiently

With this change, properties of entities (database, table, partition, index) are not updated by default. You can choose to update properties by setting REPLICATE_PARAMETERS=true in Hive Replication Environment Advanced Configuration Snippet (Safety Valve).

Hue static directory is browsable

The static web directory in Hue is no longer indexed and browsable when the Hue Load Balancer is used.

XSS in Kerberos activation

In lower releases, there was an XSS vulnerability on the Kerberos page. This is now fixed.

XSS in host addition

In lower releases, there was an XSS vulnerability on the Add Hosts page. This is now fixed.

XSS in Host Templates

In lower releases, there was an XSS vulnerability on the Host Templates page. This is now fixed.

Cloudera Manager Agent clears out JN data directories that leads to HDFS not restarting

On RHEL 7 class systems, certain configuration actions intended to be executed only once during enablement of HDFS HA might be re-executed when you request a system shutdown or reboot. This can result in data loss. This issue is fixed in Cloudera Manager 5.7.2, but a hard restart is required on RHEL 7-class systems (including Oracle and CentOS variants) for the fix to take effect. This can be performed after upgrade in a scheduled, rolling manner.

Separation of authentication and authorization coprocessor configs in HBase

HBase Secure Bulkload is now enabled for all CDH 5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed in HBase-related MapReduce jobs.

Adding a new service changes mapreduce.job.reduces setting

Adding a new service in Cloudera Manager no longer changes the YARN setting mapreduce.job.reduces.

BDR: Hive replication status always shows "(Dry Run)"

Running a Hive replication schedule in BDR no longer displays "(Dry Run)" in the status.

BDR Replication Schedule page is slow to load

Replication schedules page load performance is improved.

HDFS Snapshot running on unavailable nodes

When selecting a host on which to run the HDFS Snapshot command, Cloudera Manager now excludes unavailable hosts, such as hosts in maintenance mode or decommissioned hosts.

Migrating Cloudera Manager using deployment.json fails if replication schedules are configured

Migrating Cloudera Manager using deployment.json no longer fails if replication schedules are configured.

Files excluded from replication are not replicated if they are renamed

If a file excluded from replication by an exclusion filter is renamed, it is now replicated properly.

Issues Fixed in Cloudera Manager 5.7.1

Spark standalone does not come up if HDFS is not available

The Spark standalone service now works without an HDFS service. This change causes Spark services to show up as stale and require a restart after upgrading to Cloudera Manager 5.7.1 and higher.

Kafka unable to start due to listener misconfiguration when Kerberos is enabled

Kafka would not start when Kerberos was enabled and the security.inter.broker.protocol default was not changed. This occurred because Kafka would try to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Kafka now infers the protocol based on the security settings. This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher. Upgrading to Cloudera Manager 5.7.1 and higher upgrades currently configured values to INFERRED unless SSL / TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Default TLS keystore location for HTTPFS is on non-persistent disk

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted upon machine reboot. Newly created clusters now have an empty default. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained. There should be no disruption on upgrade, but Cloudera Manager presents a warning that the keystore is in a dangerous location. To fix this problem, move the files to a safe path on that host, then update the configuration in Cloudera Manager to point to the new path.

Fix Spark CSD to keep client config files in subdir

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it. This change causes the Spark service to show up as stale on upgrade to Cloudera Manager 5.7.1 and higher.

Cloudera Manager HDFS usage reports do not include Inode references

In lower versions of Cloudera Manager, HDFS usage reports did not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Authentication errors occur due to missing SAML metadata

  • If you use SAML for external authentication, were on Cloudera Manager 5.5.0 or higher before this upgrade, and saw an error screen while logging out, this upgrade fixes that issue.
  • If you use SAML for external authentication, were on Cloudera Manager 5.5.0 or higher before this upgrade, and did not see an error screen while logging out, you will most likely see one after this upgrade. To fix that, follow either of these steps:
    1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
    2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Child commands for deleting or adding a nameservice show stack trace

In an existing HDFS deployment with high availability, when you try to add or delete a nameservice and attempt to view the progress of the child commands, a stack trace is triggered if some of the child commands have not yet run. This fix eliminates the stack trace and informs you that the child commands have not yet been run.

HiveServer2 Web UI did not use SSL when Kerberos was enabled

SSL configuration for the HiveServer2 Web UI is now used regardless of whether Kerberos is in use.

Clusters menu expands to last cluster viewed

Previously, the Clusters menu expanded the first cluster by default, and as you expanded or collapsed the menu, Cloudera Manager remembered that cluster for the session. However, when you went to services, roles, or hosts of another cluster, Cloudera Manager did not remember the other cluster and showed the previously expanded cluster instead.

In release 5.7.1 and higher, Cloudera Manager remembers the last cluster viewed by a user and expands that cluster in the Clusters menu by default.

Impala does not throw null pointer exception when memory limit is not set

If the configuration property Impala Daemon Memory Limit was not set, the Impala Admission Control page threw a null pointer exception.

HDFS rolling restart fails after CDH upgrade

In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).

The Expand Range option did not work for some charts

The Expand range to fill all values option in Chart Builder now works for all charts.

Kafka unable to start due to misconfigured security.inter.broker.protocol when Kerberos is enabled

Kafka would not start when Kerberos is enabled and the default value of security.inter.broker.protocol was not changed. This occurred because Kafka tried to use the same port for SASL_PLAINTEXT and PLAINTEXT. By default, Cloudera Manager now infers the protocol based on the security settings.

This issue affected Cloudera Manager 5.5.2 and higher with Kafka 2.0.0 and higher.

Upgrading to Cloudera Manager 5.7.1 or higher upgrades currently configured values to INFERRED unless SSL/TLS is enabled and the values are currently either PLAINTEXT or SASL_PLAINTEXT. This does not cause any change in behavior.

Oozie JVM heap metrics not reported in Chart Builder for some services

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Spark CSD modified

The Spark CSD was modified to avoid conflicts with other CSDs that depend on it. This change causes the Spark service to require a restart when upgrading to Cloudera Manager 5.7.1.

Poorly formed Advanced Configuration Snippets cause null pointer exception with diagnostic bundles

Certain poorly formed Advanced Configuration Snippets could cause a Null Pointer Exception when uploading diagnostic bundles and setting up a Cloudera Manager peer.

Setting owner of a file in Isilon fails

On Isilon systems, the user to whom file ownership is being changed must exist on the system. In many cases the user does not exist, so this command failed with an error message suggesting that the user is not part of the supergroup. This fix addresses the issue by no longer failing the command.

The Install Oozie ShareLib command is now visible to users with the Configurator role.

Default location for TLS Keystore for HTTPFS is nonpersistent

The default location for the HTTPFS TLS / SSL keystore was /var/run/hadoop-httpfs/.keystore, which could be deleted when the host reboots. Newly created clusters now have an empty default instead of one that could be deleted. When upgrading to Cloudera Manager 5.7.1 or higher, the old value is maintained, so there is no disruption on upgrade. However, Cloudera Manager warns that the path is in a dangerous location. To fix this problem, move the files to a safe path on that host, and then update the configuration in Cloudera Manager to point to the new path.

Collecting diagnostic bundle displayed Java stack trace

Collecting a diagnostic bundle for a Hive replication schedule caused a Java stack trace to be shown on the page. This fix shows an error message instead of throwing a Java stack trace.

Unable to stop Cloudera Manager Agent on SLES 11

Fixes TSB-144.

Running the restart or stop service commands failed to stop the Agent.

Error creating bean

Occasionally, some users encountered the message Error creating bean with name 'newServiceHandlerRegistry' in the Cloudera Manager Admin Console. This issue has been resolved.

Impala JVM heap size is configurable

The JVM heap size of the Impala catalog server can be configured now using the Java Heap Size of Catalog Server in Bytes property. The property defaults to 4 GB, and like all memory parameters may require tuning.

Issues Fixed in Cloudera Manager 5.7.0

Plain-text passwords sent to users

An authenticated user could request and receive documents that included passwords they were permitted to modify. This information was sent as plain text. Passwords are no longer included in request responses.

Cloudera Manager forces Solr shutdown before operations complete

When stopping the Solr service, Cloudera Manager would forcibly stop the service after a period of time. This could result in Solr cores not coming up cleanly. Cloudera Manager now waits for all operations to complete on the Solr server before exiting.

Re-enabling Kerberos fails due to duplicate roles

As part of enabling Kerberos, a role is created. Attempts to re-enable Kerberos failed because the role already existed from when Kerberos was enabled before. Now, when Kerberos is enabled, Cloudera Manager reuses any required roles that already exist.

Processes used incorrect HOME variable

CDH service processes and third-party (CSD) processes used an incorrect HOME variable. These processes now run with the HOME environment variable set to the correct home directory based on the process user.

Stale Kerberos configuration reported after deploying Kerberos client configuration

After making Kerberos configuration changes through Administration > Settings > Kerberos while Manage krb5.conf is enabled, the configuration issue 'Cluster has stale Kerberos configuration' might have been displayed and might not have disappeared after running Cluster > cluster_name > Deploy Kerberos Client Configuration. The Deploy Kerberos Client Configuration action now waits for pending staleness checks before identifying stale hosts on which to apply the Kerberos configuration.

Workaround: Make a different, non-Kerberos edit to a configuration, and save that change. Revert that change immediately afterward.

Time range settings on report pages are incorrect

Time range settings were incorrect. They are now set correctly on report pages.

Add Service Wizard fails to set Hive on Spark performance tuning parameters

Automatic configuration of Hive on Spark performance tuning parameters did not run when adding a Hive service to an existing cluster. Previously, these rules ran only when adding a cluster that contained Hive, YARN, and Spark on YARN. The rules now run as long as Hive depends on YARN, in both the Add Service and Add Cluster wizards.

Setting empty values for LDAP Base DN and LDAP Domain produces errors

Setting empty values for the LDAP Base DN and LDAP Domain for Impala resulted in errors. These settings are now handled without errors.

Restart of deleted roles does not wait until deleted roles are identified

Restart and rolling restart commands did not always wait until all deleted roles were identified. As a result, services that had not yet been identified as requiring a restart were not restarted. Restart and rolling restart commands now wait for staleness checks to complete when the user requests that only stale services be restarted. This avoids a race between the staleness computation and the determination of which services are stale and must therefore be restarted.

Miscellaneous problems with the Replication user interface

This release includes several fixes to the replication user interface including the following:
  • The Last Run column incorrectly sorted dates. Dates are now correctly sorted.
  • Collecting diagnostic data for failed Hive Replication commands failed with an error. This data collection now succeeds.
  • Finished schedules were shown as running. Schedules now accurately reflect their state.
  • Scheduled time was incorrectly translated between browser time and server time. Scheduled time is now correctly translated.
  • The Actions menu was disabled while a replication schedule was running, which blocked changes to the configuration for future runs. The Actions menu is now enabled for replication schedules with commands running.

Misleading error occurs while deploying client configuration

The error "There is already a pending command on this entity" was shown if a command was in process for a service and an attempt is made to run the "Deploy client configuration" command. This error is no longer shown.

Gathering task progress produced null pointer exceptions

Gathering progress information on a variety of tasks could result in null pointer exceptions. For example, this could occur when decommissioning a host. Progress information is now gathered as expected.

User interface elements are hidden when windows are resized

Some windows could be resized so buttons were not visible. For example, this could happen with the Create Replication dialog box. The user interface now handles resizing as expected.

HDFS data transfers use 3DES despite configuration

The configuration information for using the AES/CTR/NoPadding cipher suite for HDFS data transfers was incomplete. As a result, traffic was encrypted with the much slower 3DES algorithm. The correct configuration is now included with the HDFS client.
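
For context, the client-side settings look roughly like the following hdfs-site.xml sketch; Cloudera Manager normally emits these, and the key bit length shown is an example:

<property>
  <name>dfs.encrypt.data.transfer</name>
  <value>true</value>
</property>
<property>
  <!-- Selects AES instead of the slower 3DES for data transfer encryption -->
  <name>dfs.encrypt.data.transfer.cipher.suites</name>
  <value>AES/CTR/NoPadding</value>
</property>
<property>
  <!-- Example key length; 128, 192, and 256 are accepted -->
  <name>dfs.encrypt.data.transfer.cipher.key.bitlength</name>
  <value>256</value>
</property>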

Solr keystore passwords are no longer presented in clear text

Because of Tomcat restrictions, Solr keystore passwords were sent as clear text on the machines running the service. They are now redacted.

Removing a host from a cluster removes all Kerberos client configuration

Removing a host from a cluster automatically removed all Kerberos client configuration from any other hosts still in the cluster. Now, when one host is removed from a cluster, any Kerberos client configuration on other hosts is unaffected.

Hive replication import fails to include some information

During the Hive replication import phase, schema and location information was not consistently populated. This information is now populated as expected.

Restarts attempt to deploy client configuration when action is not supported

After upgrading a parcel, restart or rolling restart steps automatically attempted to deploy the client configuration, even if that was not supported by the cluster configuration. Now, client configurations are deployed only if the cluster configuration supports this action.

Some pages load very slowly

Some pages, such as the All Recent Commands page, could take over 30 seconds to load. Page loading has been optimized, reducing load times.

kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Some jobs never run due to memory configuration

It was possible to configure the YARN NodeManager with an amount of available memory less than the amount of memory required by a YARN container. In such a case, a job might never find a NodeManager that meets its memory requirements. The system now ensures that at least one NodeManager is configured with an amount of memory equal to or greater than the maximum YARN container allocation.
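
To illustrate the constraint, the NodeManager's available memory (yarn.nodemanager.resource.memory-mb) must be at least as large as the largest container request (yarn.scheduler.maximum-allocation-mb); a yarn-site.xml sketch with example values, which Cloudera Manager normally manages, follows:

<property>
  <!-- Example: total memory the NodeManager offers to containers -->
  <name>yarn.nodemanager.resource.memory-mb</name>
  <value>8192</value>
</property>
<property>
  <!-- Example: largest single container request; should not exceed the value above -->
  <name>yarn.scheduler.maximum-allocation-mb</name>
  <value>8192</value>
</property>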

Replication schedule API not compatible with older versions

Clients using the version 10 replication schedule API did not work as expected with instances of Cloudera Manager using version 11 of the API. This meant that clients from Cloudera Manager 5.4.0 and lower did not work as expected with servers running Cloudera Manager 5.5.0 and higher. Clients and servers using these different API versions now function as expected.

Issues Fixed in Cloudera Manager 5.6.1

Scheme and location not filled in consistently during Hive replication import

In previous releases, the Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Cloudera Manager HDFS usage reports do not include Inode references

In lower versions of Cloudera Manager, HDFS usage reports did not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Authentication errors occur due to missing SAML metadata

  • If you use SAML for external authentication, were on Cloudera Manager 5.5.0 or higher before this upgrade, and saw an error screen while logging out, this upgrade fixes that issue.
  • If you use SAML for external authentication, were on Cloudera Manager 5.5.0 or higher before this upgrade, and did not see an error screen while logging out, you will most likely see one after this upgrade. To fix that, follow either of these steps:
    1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
    2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

Oozie JVM heap metrics not reported in Chart Builder for some services

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Issues Fixed in Cloudera Manager 5.6.0

CDH upgrade fails if the GPL Extras parcel in use

CDH and GPL Extras parcel versions must match exactly. When upgrading CDH, by default Cloudera Manager validates the dependency between the new CDH parcel and existing GPL Extras parcel. Since the dependency is not satisfied, the check returns an error and the upgrade fails.

Workaround:
  1. Deactivate parcel dependency checking:
    1. Select Administration > Settings.
    2. Search for Validate Parcel Relations.
    3. Deselect the checkbox.
    4. Click Save Changes to commit the changes.
  2. Deactivate the GPL Extras parcel.
  3. Download, distribute, and activate the GPL Extras parcel that matches the CDH upgrade version.
  4. Upgrade CDH.
  5. Reactivate parcel dependency checking.

Issues Fixed in Cloudera Manager 5.5.6

Separation of authentication and authorization coprocessor configs in HBase

HBase Secure Bulkload is now enabled for all CDH 5.5 and higher clusters, regardless of whether Kerberos is enabled. Also fixed a related issue where clusters with authentication (Kerberos) but not authorization failed in HBase-related MapReduce jobs.

Replications page: sort by schedule ID as default

On the Replications page, the table is now sorted by ID by default.

Hive Replication shows "Dry Run" incorrectly

Fixes an issue where running a Hive replication showed "Dry Run" in the status message.

HDFS Snapshot policy is selecting unhealthy host to run on

When selecting a host on which to run the HDFS Snapshot command, Cloudera Manager now selects a non-decommissioned host in Active status. Hosts in maintenance mode have a lower priority than hosts in the active state.

Cloudera Manager no longer shows "this step is expected to fail" when enabling HDFS-HA

When enabling HDFS HA, if the NameNode directories are empty, Cloudera Manager reports this as an error. In lower versions, it returned a message saying the failure was expected. Cloudera Manager now shows the correct message when enabling high availability.

Configuration for all services is marked stale during upgrade

When you upgrade to version 5.5.6 of Cloudera Manager, the client configuration for all services is marked stale. From the Cluster menu, select Deploy Client Configuration to redeploy the client configuration.

Issues Fixed in Cloudera Manager 5.5.4

Cluster provisioning fails

In some cases, provisioning of a cluster could fail at the start of the process. This was mainly noticed on RHEL 6, especially when some hosts were reporting bad health.

Releases affected: 5.5.0-5.5.3, 5.6.0-5.6.1, 5.7.0

Releases containing the fix: 5.5.4, 5.7.1

For releases containing the fix, parcel activation and the first run command now complete as expected, even when some hosts report bad health.

This issue is fixed in Cloudera Manager 5.5.4 and 5.7.1 and higher.

Scheme and location not filled in consistently during Hive replication import

In previous releases, the Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Cloudera Manager HDFS usage reports do not include Inode references

In lower versions of Cloudera Manager, HDFS usage reports did not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

New Hive tables fail to replicate when Sentry Sync is enabled

When Sentry Sync is enabled, new Hive tables failed to replicate. Replication now occurs as expected.

kt_renewer not automatically created when Hue is added to a Kerberos-enabled cluster

When the Hue service was added to a Kerberos-enabled cluster, a single corresponding kt_renewer was not created. The process of adding the Hue service now includes checking if a keytab renewer is required, and creating one if it is.

Authentication errors occur due to missing SAML metadata

  • If you use SAML for external authentication, were on Cloudera Manager 5.5.0 or higher before this upgrade, and saw an error screen while logging out, this upgrade fixes that issue.
  • If you use SAML for external authentication, were on Cloudera Manager 5.5.0 or higher before this upgrade, and did not see an error screen while logging out, you will most likely see one after this upgrade. To fix that, follow either of these steps:
    1. Update the metadata file in your IdP with the new file from <Cloudera Manager Server>/saml/metadata
    2. Change SAML Entity Alias under Administration > Setting "clouderaManager" to " and restart Cloudera Manager.

HDFS rolling restart fails after CDH upgrade

In previous Cloudera Manager releases, when one of a pair of highly available NameNodes was down, it was possible for rolling restart or rolling upgrade commands to fail with an error message incorrectly describing the state of the NameNode as "Busy." The error message now correctly identifies the state of the NameNode (typically "Stopped" in this situation).

Oozie JVM heap metrics not reported in Chart Builder for some services

Oozie JVM metrics are now available and display on the role page. They can also be accessed through Chart Builder using the oozie_memory_heap_used and oozie_memory_total_max metrics.

Issues Fixed in Cloudera Manager 5.5.3

Users using external LDAP authentication with no local Cloudera Manager user role explicitly set may default to the read-only role when upgrading to Cloudera Manager 5.5.2

When upgrading to Cloudera Manager 5.5.2, customers who have non-read-only roles configured through LDAP, and have not explicitly set Cloudera Manager local roles, may lose their Cloudera Manager privileges set by LDAP.

Releases affected: Cloudera Manager 5.5.2

Users affected: Customers who use LDAP for Cloudera Manager user authorization and have upgraded Cloudera Manager from a version lower than 5.5.0 to Cloudera Manager 5.5.2. For example:
  • May be affected: Install Cloudera Manager 5.3 -> Upgrade to Cloudera Manager 5.5.1 -> Upgrade to Cloudera Manager 5.5.2
  • Unaffected: Install Cloudera Manager 5.5.1 -> Upgrade to Cloudera Manager 5.5.2
Users not affected:
  • Customers who installed Cloudera Manager 5.5.0 and higher and upgraded.
  • Customers who use Cloudera Manager local role authorization, regardless of upgrade path and version.

Severity: High

Action required: If you have upgraded to Cloudera Manager 5.5.2 and cannot log in with proper permissions, do the following:
  1. Resolve any conflicting user authorization permissions between LDAP and Cloudera Manager local permissions.
  2. Contact Cloudera Support for further instructions if you cannot resolve conflicting LDAP and Cloudera Manager user permissions.
If you have not yet upgraded to Cloudera Manager 5.5.2, and are using LDAP user authorization:
  1. Before upgrading, resolve any conflicting user authorization permissions between LDAP and Cloudera Manager local permissions.
  2. Upgrade to Cloudera Manager 5.5.3 or higher.

Issues Fixed in Cloudera Manager 5.5.2

Oozie and HttpFS keystore passwords are no longer presented in clear text

Because of Tomcat restrictions, the Oozie and HttpFS keystore passwords were sent as clear text on the machines running the services. They are now hidden.

Cross-site scripting vulnerability using malformed strings in the Parcel Remote URLs list

An attacker could set a malformed string in the Parcel Remote URLs list in the database and trigger the attack when a user accesses the Administration Settings page. This attack is now prevented.

Starting/stopping roles for Flume instance succeeds but displays nothing in popup

In Cloudera Manager 5.5.0, running a Flume start/stop service command would succeed, but display an empty popup. This is now fixed.

Role process commands missing stderr and stdout in command details

In Cloudera Manager 5.5, certain commands did not show links to stderr or stdout in the Cloudera Manager UI even if they were executed recently. These could still be found in /var/run/cloudera-scm-agent/process/ on that host. In Cloudera Manager 5.5.2 stderr and stdout should appear as they did before.

Note that links to stderr and stdout for commands may disappear if another command is run on that role. This is expected. The logs can still be found in /var/run/cloudera-scm-agent/process/ on that host.

Updating the Hive NameNode location multiple times could lead to data corruption

Multiple updates to the Hive NameNode location could cause Hive Metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Manager skips NameNode logs in the diagnostic bundle

Scheduled diagnostic bundles did not include recent role logs. Diagnostic bundles collected manually (not scheduled) worked as expected. Now, scheduled diagnostic bundles include the latest NameNode logs.

Kafka 2.0 fails to deploy on large clusters as reserved.broker.max.id defaults to 1000

Large Kafka clusters would not start when Cloudera Manager-generated broker IDs exceeded the value set by reserved.broker.max.id. The default value of broker.id.generation.enable has now been set to false to disable the reserved.broker.max.id configuration property and avoid collisions.

Cloudera Manager fails to propagate HBase coprocessors to the gateway nodes

Cloudera Manager does not propagate HBase coprocessors to the gateway nodes. As a result, tools that depend on the HBase security subsystem, such as the loadIncrementalHFiles tool, do not use security features, even in secure environments.

Workaround: Add the following properties to the HBase Client Advanced Configuration Snippet (Safety Valve) for hbase-site.xml and restart all HBase clients:
<property>
  <name>hbase.coprocessor.region.classes</name>
  <value>org.apache.hadoop.hbase.security.token.TokenProvider,org.apache.hadoop.hbase.security.access.SecureBulkLoadEndpoint</value>
</property> 

HDFS nameservices API call returns incorrect HA role status

The HDFS nameservices API returned incorrect active/standby status information for HA roles. API calls made about roles that were active might return standby status, and roles that were in standby status might return active status. Information about role statuses is now accurate.

Hive requires the hive principal for HiveServer2 host as well as load balancer

An issue with HiveServer2 missing its principal and keytab when Hive is load-balanced has been fixed.

More descriptive error message for service trying to start on a decommissioned host

Cloudera Manager now displays a more descriptive error message when it skips the "Start" command because all roles are already started, decommissioned, or on a decommissioned host.

UI shows repeated errors when loading replications page

Fixed an issue with loading the Replications page when a previous replication command failed without launching a MapReduce job.

Allow option for external users to be assigned roles in the local database

In Cloudera Manager 5.5, role assignments for external users were disabled, which caused upgrade issues. The fix rolls back the change but, instead of using a union approach, implements the following precedence rules:
  • If a user is assigned a role in Cloudera Manager, this local role is used.
  • Otherwise, a user's LDAP group association determines the user role.

Clean up usercache directories on migration from unsecure to secure mode

Fixes an issue that led to YARN jobs failing after migration from unsecure to secure mode.

Spark REST API does not work when parcels are used

The REST API for retrieving data from a live Spark UI or from the Spark History Server has been fixed.

In secure clusters, DataNode fails to start when dfs.data.transfer.protection is set and DataNode ports are changed to unprivileged ports

Before this fix, the only way to run the DataNode on unprivileged ports (port number > 1024) in a Kerberized cluster with DataNode Data Transfer Protection enabled was to use single-user mode. Now this configuration works for both regular and single-user mode installs.

Both Hadoop SSL and DataNode Data Transfer Protection are still required for unprivileged DataNode ports to work in a Kerberized cluster. This configuration is supported only in CDH 5.2 and higher.
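
A rough hdfs-site.xml sketch of the SASL-based configuration described above follows; the port numbers are examples, and Cloudera Manager manages these settings in practice:

<property>
  <!-- Enables SASL protection (authentication, integrity, or privacy) for data transfer -->
  <name>dfs.data.transfer.protection</name>
  <value>privacy</value>
</property>
<property>
  <!-- Example non-privileged transceiver port -->
  <name>dfs.datanode.address</name>
  <value>0.0.0.0:10004</value>
</property>
<property>
  <!-- Serve the DataNode web UI over TLS only -->
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
  <!-- Example non-privileged secure web UI port -->
  <name>dfs.datanode.https.address</name>
  <value>0.0.0.0:10006</value>
</property>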

New validation warning for non-recommended secure DataNode configurations in CDH 5.2 and higher

On a Kerberos-enabled cluster running CDH 5.2 and higher, there are two recommended DataNode configurations. Use SASL/TLS with DataNode Data Transfer Protection enabled to encrypt the connection, or use only privileged ports to communicate. The supported combinations of HDFS configuration properties follow:
  • Security through SASL/TLS (preferred):
    • DataNode Data Transfer Protection - Enabled
    • Hadoop TLS/SSL - Enabled
    • DataNode Transceiver Port - Non-privileged (that is, port number >= 1024)
    • Secure DataNode Web UI Port (TLS/SSL) - Non-privileged (that is, port number >= 1024)
  • Security through privileged ports:
    • DataNode Data Transfer Protection - Disabled
    • Hadoop TLS/SSL - Disabled
    • DataNode Transceiver Port - Privileged (that is, port number < 1024)
    • DataNode HTTP Web UI Port - Privileged (that is, port number < 1024)

    Any configuration other than these results in a validation warning or error from Cloudera Manager. In particular, the following configuration, which is allowed by HDFS but is not recommended, results in a (dismissible) validation warning:

  • (Not Recommended) Security without enabling DataNode Data Transfer Protection:
    • DataNode Data Transfer Protection - Disabled
    • Hadoop TLS/SSL - Enabled
    • DataNode Transceiver Port - Privileged (that is, port number < 1024)
    • Secure DataNode Web UI Port (TLS/SSL) - Non-privileged (that is, port number >= 1024)

All configurations other than the three listed result in Cloudera Manager displaying a validation error.

Sensitive environment parameters not redacted for CSDs

Passwords in environment variables for CSDs are now redacted.

Update Apache Commons Collections library in Cloudera Manager due to major security vulnerability

The Apache Commons Collections library has been upgraded to 3.2.2 to fix a critical security vulnerability.

Remove plaintext keystore password from /api/v6/cm/config

With the addition of the JVM parameter -Dcom.cloudera.api.redaction=true, sensitive configuration values are redacted from the API.

JVM parameter to redact passwords now redacts the password salt and hash

When API redaction is turned on using the JVM argument -Dcom.cloudera.api.redaction=true, it also redacts the user's pwHash and pwSalt values. Passwords for Cloudera Manager Peers are also redacted.

Oozie keystore and truststore passwords now redacted

Oozie's Java keystore and truststore passwords are no longer sent in clear text on the command line.

Several Replication UI fixes

  • The Replication UI Last Run column now sorts correctly based on dates.
  • Collecting diagnostic data for failed Hive Replication commands no longer fails.
  • Finished schedules are no longer shown as running when the user is watching the page.
  • Scheduled time now accurately translates between browser time and server time.
  • Actions menu is now enabled for replication schedules with commands running. Previously, it would be disabled while a replication schedule was running, which blocked changing the configuration for future runs.

Fix Java detection

Java detection in the "Components" view for a host was fixed to account for Java versions installed using symlinks in /usr/java (such as /usr/java/default). A similar fix was made to the host inspector's Java detection logic.

When Host Monitor is stopped, cluster/services status in Cloudera Manager API returns Good instead of N/A or Unknown

If the Host Monitor is down, the service details page will still be able to present non-host related health status.

Issues Fixed in Cloudera Manager 5.5.1

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, and Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, and Cloudera Manager 5.2.9 and CDH 5.2.9, and Cloudera Manager 5.1.7 and CDH 5.1.7, and Cloudera Manager 5.0.8 and CDH 5.0.8.

Issues Fixed in Cloudera Manager 5.5.0

Setting the HBase WAL provider to the default in Cloudera Manager causes the RegionServer process to fail to start

Setting the HBase WAL provider to the default using Cloudera Manager erroneously sets the value of hbase.wal.provider to default, when it should be set to defaultProvider. This causes the RegionServer process to fail to start.

Workaround: Do not use Cloudera Manager to set the WAL provider to the default. Instead, add the following properties to the RegionServer Advanced Configuration Snippet (Safety Valve) for hbase-site.xml and restart all HBase clients.
<property>
  <name>hbase.wal.provider</name>
  <value>defaultProvider</value>
</property> 

Incorrect path format causes access permission failure

The file path format used in sequence file sorting was incorrect. In replications involving a large number of files, and when the Delete Policy for the replication is set to Delete to trash or Delete Permanently, distcp uses the local file system to save the intermediate result of sequence file sorting. The incorrect path format caused access permission failures.

Out-of-memory exception for Hive replication

Hive replication throws an out-of-memory exception when exporting a table with a large number of partitions.

Incorrect value emitted into hbase-site.xml

When configuring an HBase WAL provider with the "HBase Default" option, Cloudera Manager emits an incorrect value into hbase-site.xml and HBase reports an error.

Failed replications no longer fail silently

When a replication is attempted between secure and insecure clusters, the replication fails silently without reporting an error.

The Replication Schedules page displays error after failed replication

A dialog box that shows a Java exception displays in the Replication Schedules page after a failed replication and the page is inaccessible.

Cloudera Manager now allows you to use '/' in cluster names

In previous versions, this resulted in problems during replication because '/' was treated as a URL path.

HDFS replication fails because of improper snapshot directory handling

Replications fail when converting a snapshot path to a regular path when the grandparent of the source directory is snapshottable.

Renewal time limits and lifetime limits are removed for Kerberos tickets

Snapshots that took longer than 30 minutes failed because the Kerberos tickets for the snapshots expired too soon. The 30-minute renewal and lifetime limits have been replaced with the system default lifetime and renewal limits.

Replication schedules fail to catch configuration errors during creation

The schedule configuration is not validated when it is created, which causes errors during replication.

Audit events now include the schedule ID

The replication ID has been added to the schedule creation, update, and deletion audit events.

OutOfMemory error when running HDFS replication

HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.

Hive replication does not preserve user and group names for the database directory

File permissions of the database directory that maps to a Hive database are not preserved.

Exception in configuration history after changing host configuration

An IllegalStateException is reported in the History and Rollback page after changing host configuration.

Host Inspector no longer expects the impala user to be in the hdfs group

To conform to security best practices, the impala user should not be in the hdfs group.

The DataNode Refresh Data Directories command fails on secure clusters

DataNode refresh failed on Kerberized clusters.

Topology should only include hosts with Hadoop daemons

A topology map is created for the services HDFS, YARN, and MapReduce. In releases earlier than 5.5.0, hosts with only gateway roles for these services were also added to the topology map. This might erroneously mark many configurations as stale, requiring restarts or refreshes to resolve the staleness.

Agent host_id property is erroneously set to hostname

Previously, attempting to set the listening_hostname property in the Agent config.ini file (which is not normally necessary) changed the Agent's host ID to use this hostname, instead of the normal value.

JAVA_HOME override setting does not affect component list

The component list for a host is not affected by a custom JAVA_HOME setting.

Monitoring performance issues on large, busy clusters

A number of fixes have been made to improve Service Monitor and Host Monitor performance, particularly problems manifesting as large, regular garbage-collection pauses, on large, busy clusters.

JAVA_HOME does not get passed to Agents

Client configuration deployment fails to locate Java in the custom JAVA_HOME environment variable, if that is specified via host configuration.

Job History Server Retaining Logs in Secure Clusters

The Job History Server fails to delete old logs from HDFS on secure clusters, with the error "Failed to specify server's Kerberos principal name."

On Kerberized clusters, incorrect values reported for DataNode process metrics

The DataNode process is incorrectly monitored on Kerberized clusters.

Authentication may fail during the kt_renewer kinit call

On Kerberized clusters, Cloudera Manager might periodically report monitoring failures due to authentication errors when attempting to communicate with various role web servers to collect metrics. This is due to synchronization issues between the Agent's calls to kinit and attempts to perform Kerberos authentication with the role web servers. This has been fixed by adding logic to retry requests for metrics in the Agent a number of times on authentication failures. These retries will be logged but should not result in health failures and alerts.

Client configurations are incorrectly marked as stale when a host is rebooted

Rebooting a host can cause the client configurations for gateway roles on that host to be marked as stale even though they are up to date.

Rolling restart fails when inheriting inappropriate JVM properties

Rolling restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.

Clusters can fail if Java 1.6 is installed

JAVA_HOME is set to Java 1.6 if installed, even if version 1.8 is also installed.

Start should clearly indicate when it fails due to a missing parcel

Previously a missing parcel was logged only in the Agent log. The Cloudera Manager Admin Console now indicates that a required parcel is missing when starting a role or deploying client configurations.

Client configuration deployment timeout set too large for a large number of hosts

The deploy client configuration timeout value was set according to the number of hosts, which caused problems when there were a large number of hosts. Because the tasks to deploy client configurations run concurrently, there was no need to wait that long. The timeout value has been changed to a fixed value.

Two HBase metrics charts display "No Data"

HBase IPC metrics were not collected on CDH 5.4 and higher HBase due to a metric name change.

Agent operating system detection logic fixed on updated Oracle Enterprise Linux 6.x

An Oracle Enterprise Linux 6.x update to its python-libs unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.

ZooKeeper jute.maxbuffer emitted into configuration instead of JVM arguments

The ZooKeeper jute.maxbuffer property was emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.

High -Xms set for Hive clients

-Xms was set equal to -Xmx for all Hive clients, which caused the Java runtime to reserve the full -Xmx memory even if the client did not need it. This particularly affected machines with low resources. The -Xms setting has been removed so that the Java runtime does not allocate the full -Xmx heap at startup. Instead, it starts with a much lower Java heap and increases it if needed.

Service autoconfiguration set Kafka memory to 0

The Kafka service was initially configured with 0 memory because the autoconfiguration rules did not respect specified units. This is now correctly set to a value between 50 and 1024 MiB depending on available memory on the host. This issue affected any third-party CSD-based services using memory parameters with units other than "bytes".

Topics with a period not reporting metrics

Topics with a period (".") in the name would not show metrics in Cloudera Manager.

Sensitive information in Cloudera Manager diagnostic support bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) Modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) Modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data-handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.5.0, 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Cloudera Management Service can fail with a large Flume configuration file

When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to time out and fail. In addition, the Cloudera Manager Server uses 100% of the CPU and the UI hangs.

Charts built on simple select statements can return partial results

Charts built on queries of the form "select <metric>" for service or role metrics might not filter entities properly and might report hitting the stream limit.

Issues Fixed in Cloudera Manager 5.4.11

Cloudera Manager HDFS usage reports do not include Inode references

HDFS usage reports in lower versions of Cloudera Manager did not include Inode references. As a result, usage reports underreported HDFS directory sizes and data used by users and groups in certain circumstances where HDFS snapshots were used.

Kafka MirrorMaker unable to start due to KAFKA_HOME not being set

Kafka MirrorMaker would not start when Kafka is installed using packages. This occurred because KAFKA_HOME was not set to the correct default when starting MirrorMaker. This issue affected Cloudera Manager 5.4.0 and higher with Kafka 1.4.0 and higher.

Issues Fixed in Cloudera Manager 5.4.10

Scheme and location not filled in consistently during Hive replication import

In previous releases, the Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

Having hive.compute.query.using.stats enabled by default produced incorrect results for some queries that used stats only

By default, hive.compute.query.using.stats was enabled. This produced incorrect results for some queries that used stats only. This setting is now disabled by default.
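
For reference, the disabled default corresponds to the following hive-site.xml entry; this is a minimal illustration of the setting, not a required change:
<property>
  <name>hive.compute.query.using.stats</name>
  <!-- disabled by default in this release -->
  <value>false</value>
</property>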

YARN jobs fail after enabling Kerberos authentication or selecting Always Use Container Executor

After Kerberos security was enabled on a cluster or Always Use Container Executor was selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of the Container Executor.

Scheduled diagnostic bundles do not include recent role logs

Diagnostic bundles collected manually included all expected logs, but bundles collected on a schedule did not include role logs. Scheduled diagnostic bundles now include all expected logs.

Issues Fixed in Cloudera Manager 5.4.9

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, and Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, Cloudera Manager 5.2.9 and CDH 5.2.9, Cloudera Manager 5.1.7 and CDH 5.1.7, or Cloudera Manager 5.0.8 and CDH 5.0.8.

Cross-site scripting vulnerability using malformed strings in the parcel remote URL list

An attacker could set a malformed string in parameters that consist of a list of strings and trigger the attack when a user accessed the corresponding configuration page in classic layout mode. This attack is now prevented.

Cross-site scripting vulnerability using malformed host template name

An attacker could set a malformed host template name in the backend database and trigger the attack when a user applies the host template. This attack is now prevented.

Snapshot policies with names with special characters not handled as expected

Snapshot policies with names containing special characters such as #, $, ?, or % were not handled as expected. These snapshot policies were not consistently found because the special characters in their names were parsed incorrectly. Snapshot policies with names containing special characters are now handled as expected.

Kafka MirrorMaker fails to find messages if ZooKeeper root directory is changed

When the ZooKeeper root directory is changed, the corresponding value in ZK_QUORUM that is passed to Kafka MirrorMaker processes is not updated. In that case, MirrorMaker fails to find messages. Changes to ZooKeeper root are now propagated properly, resulting in MirrorMaker finding messages.

Updating the Hive NameNode location multiple times could lead to data corruption

Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.

Cloudera Manager monitors subject to excessive garbage-collection workload

The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.

Kafka MirrorMaker fails to start because of missing settings

Kafka MirrorMaker provided no defaults for Destination Broker List, Topic Whitelist, and Topic Blacklist, and no way to set these values in the wizard. These values can now be set in the wizard when adding a new instance.

Cloudera Manager dry-run replication history shows unexpected values

BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.

The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.

Issues Fixed in Cloudera Manager 5.4.8

Clusters can fail if Java 1.6 is installed

JAVA_HOME is set to Java 1.6 if installed even if 1.8 is also installed.

OutOfMemory error when running HDFS replication

HDFS replication fails with an OutOfMemory exception (in stderr.log) when an HDFS replication job replicates a large number of files.

Cloudera Management Service can fail with a large Flume configuration file

When a Flume configuration file is large, calling its Kerberos credentials with regex can cause the Cloudera Management Service to time out and fail. In addition, the Cloudera Manager Server uses too much CPU (100%) and the UI hangs.

Client configurations are incorrectly marked as stale when a host is rebooted

Rebooting a host can cause the client configurations for gateway roles on that host to be marked as stale even though they are actually up to date.

Issues Fixed in Cloudera Manager 5.4.7

Operating system detection logic for Oracle Enterprise Linux 6 breaks parcel distribution

Fixes the operating system detection logic on updated Oracle Enterprise Linux 6 systems. An Oracle update to its python-libs logic unexpectedly changed the output of the Agent's operating system detection logic, which caused problems with parcel distribution and other issues.

ZooKeeper jute.maxbuffer property emitted into the wrong file

The ZooKeeper jute.maxbuffer property is emitted into zoo.cfg instead of in the JVM arguments. It is now passed to the JVM through the process environment variable ZOOKEEPER_SERVER_OPTS and takes effect correctly.

Create user API call is allowed for user with insufficient permissions

Using the "create a user" API call, a user who normally could not create users is able to create a read-only user account. The API call now respects the permissions.

Spark Authentication property is propagated to the wrong client configuration

Beginning with Cloudera Manager 5.4.6, the Spark Authentication configuration property is correctly propagated to client configurations.

Agent hostname in config.ini is changed to wrong value

Attempting to set the listening_hostname property in the Agent's config.ini file (which is not normally necessary) changes the Agent's host ID to use this hostname, instead of the normal value. The host ID is now left unchanged, as expected.

Cloudera Manager monitors the incorrect process for DataNode

On Kerberized clusters, Cloudera Manager monitors the wrong process as the DataNode. That has been fixed. For customers using Kerberized HDFS, Cloudera Manager reports incorrect statistics in some areas (memory, file descriptor, CPU usage, I/O, and networking, but not HDFS statistics). There is a small impact to health monitoring because of this issue. For customers using the stacks collection feature on a Kerberized DataNode and where jstack collection was enabled, this issue kills the parent jsvc process of the DataNode and leaves the DataNode up, but causes Cloudera Manager to report the process as dead.

Issues Fixed in Cloudera Manager 5.4.6

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Issues Fixed in Cloudera Manager 5.4.5

Cancel Impala Query attempts to connect via TLS/SSL despite TLS/SSL being disabled

In Impala queries, if you select Cancel for any query, you see a small "internal error" at the top of the query list. This occurs because an attempt to connect via TLS/SSL is performed even though Impala does not have TLS/SSL enabled.

Cloudera Manager displays a spurious validation warning about the Cloudera Management Service truststore

Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services, even if no Cloudera Management Service truststore is in use.

Aggregation of Work attributes

Cloudera Manager now correctly aggregates Work attributes such as YARN applications or Impala query duration.

Hue Solr Indexer

Cloudera Manager now creates the correct configuration required to create a collection.

Cloudera Manager incorrectly reports “Not finalized” status for rolling upgrade

When performing a rolling upgrade from a version of CDH lower than 5.4 to CDH 5.4, and the HDFS rolling upgrade is finalized, Cloudera Manager incorrectly reports the status as not finalized. This is an error in reporting only and does not affect HDFS functionality.

Validation errors not visible from service-level configuration pages

Validation errors and warnings were only visible when accessing the individual instance-level configuration pages. This has been fixed.

Add Role Instances wizard does not work when initialized using the Cloudera Manager search box

You can now start the Add Role Instances wizard by searching for "<service name> Add Role" in the Cloudera Manager Admin Console search box.

Cloudera Manager now allows you to use '/' in cluster names

In previous versions, this resulted in problems during replication because '/' was treated as a URL path.

Expose HBase multi-WAL configuration properties in Cloudera Manager

The properties were added and are now written to the hbase-site.xml file.

Custom Kerberos principals now handled correctly during Solr startup

The Solr custom Kerberos principal is now initialized properly during Solr server startup.

Added a check in the Upgrade and Kerberos wizards to make sure Spark-standalone is not enabled

Spark Standalone does not work in clusters with Kerberos authentication. Spark on YARN supports Kerberos and is recommended over Spark Standalone. Either disable Kerberos or remove Spark Standalone before upgrading.

Fixed link for Reports when YARN high availability is enabled

The Reports link in HA mode would result in a 404 error.

Removed bogus failure when deploying client configuration

Deploying client configuration would sometimes fail because Cloudera Manager could not locate JAVA_HOME. This is not a valid failure because deploying client configuration does not require Java.

Added core-site.xml to Sentry's classpath

Previously, core-site.xml was only added to Sentry's configuration folder, but not the classpath.

Improved memory usage in serializing objects and writing them to support bundles

Performance improvements were made so that the creation of bundles requires less memory.

New property to enable suppressing INFO-level log messages from NameNode

You can now use the NameNode Block State Change Logging Threshold property to suppress INFO-level block state change log messages from the NameNode.

Improved advice for clock offset health test

The way the health of the host's NTP daemon is determined was changed recently, which caused some cases where the related health test (host clock offset) failed without a warning. Information on this change was added to Cloudera Manager.

Cloudera Manager displays warning about using RHEL 6 with Transparent Huge Pages (THP)

The THP algorithm was broken in certain variants of RHEL 6.2 and higher. Cloudera Manager now displays a warning if THP is enabled on any RHEL 6 or higher system.

Agent gets no logs if the last log4j event is larger than the max-size specified

If the byte_limit (max-size) specified by Cloudera Manager during log retrieval was smaller than the last log4j event to be collected, the Agent skipped the complete event and returned nothing. The behavior was changed so that the first N bytes (N = max-size) of the log4j event are picked and a partial log4j event is returned.

Agent log retrieval does not always honor timeouts

Cloudera Manager Agents no longer enter an infinite loop during log retrieval.

Cloudera Manager Agent missing log messages

The default timeout for displaying log entries (../logs/search and ../logs/context) has been increased to 60 seconds.

Fixed cross-site scripting vulnerability

A cross-site scripting vulnerability was discovered and fixed in Cloudera Manager.

New property added for ResourceManager high availability failover

The ZooKeeper session timeout property yarn.resourcemanager.zk-timeout-ms was added, and its default value is 1 minute.
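
For reference, the 1-minute default corresponds to the following yarn-site.xml entry; the snippet is illustrative only:
<property>
  <name>yarn.resourcemanager.zk-timeout-ms</name>
  <!-- 1 minute, expressed in milliseconds -->
  <value>60000</value>
</property>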

Set maximum value for YARN mapreduce.jobhistory.max-age-ms to 10 years

Cloudera Manager would previously display a validation error when the value was greater than 60 days.

Added warning in upgrade wizard regarding dropped support for symlinks in CDH 5

This fix added a warning about removing HDFS symlinks when upgrading from CDH 4 to CDH 5.

Refresh Data Directories command no longer fails on secure clusters

The DataNodeRefreshCommand now sets SCM_KERBEROS_PRINCIPAL in the environment of the command process, which causes hdfs.sh to do a kinit. Before this change, a manual kinit was required.

New Sentry Synchronization Path Prefixes added in NameNode configuration are not enforced correctly

Any new path prefixes added in the NameNode configuration are not correctly enforced by Sentry. The ACLs are initially set correctly; however, they are reset to the old default after some time interval.

Workaround: Set the following property in Sentry Service Advanced Configuration Snippet (Safety Valve) and Hive Metastore Server Advanced Configuration Snippet (Safety Valve) for hive-site.xml:
<property>
  <name>sentry.hdfs.integration.path.prefixes</name>
  <value>/user/hive/warehouse, ADDITIONAL_DATA_PATHS</value>
</property>
where ADDITIONAL_DATA_PATHS is a comma-separated list of HDFS paths where Hive data will be stored. The value should be the same value as sentry.authorization-provider.hdfs-path-prefixes set in the hdfs-site.xml on the NameNode.
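
For illustration, a matching hdfs-site.xml entry on the NameNode might look like the following, with ADDITIONAL_DATA_PATHS replaced by the same comma-separated paths used above:
<property>
  <name>sentry.authorization-provider.hdfs-path-prefixes</name>
  <!-- must match the value set in the Sentry and Hive Metastore snippets -->
  <value>/user/hive/warehouse, ADDITIONAL_DATA_PATHS</value>
</property>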

Fixed NullPointerException on health tests' Details page

The health tests' Details page threw a NullPointerException because it was referring to a deprecated metric name.

Improved Service Monitor Canary check to see if HTable is disabled

Without this check, Service Monitor would fail due to too many ZooKeeper connection messages leaking into the Service Monitor log. This resulted in resource and allocation pressures on the Service Monitor.

Cloudera Manager no longer retains unnecessary references to HTables

Retaining too many unnecessary references to HTable was using up too much memory, especially when working with a large number of tables.

Sqoop 2 failure in Kerberized clusters fixed

Cloudera Manager was using the wrong authentication package and picking up the wrong configuration properties for Sqoop 2 authentication with Kerberos.

Fixed Solr server startup error

The Solr server would not start due to insufficient space for the shared memory file.

Added HBase Canary security configuration properties

Enabling the HBase canary on a secure cluster would fail. The new properties now let Cloudera Manager specify the canary's Kerberos principal and keytab in the hbase-site.xml deployed at the RegionServers.

Issues Fixed in Cloudera Manager 5.4.3

Improve Impala queries coordinator node metrics handling

For Impala queries that returned very few rows, Cloudera Manager could fail to report information such as HDFS I/O metrics on the Impala Query Monitoring and Query Detail pages. The discrepancy was typically relatively small because those queries often did very little work.

Performance issues when changing configurations on HDFS

Fixed a performance issue where HDFS configuration pages responded slowly.

Typo in Cloudera Manager metrics reference

The word “Concerning” was misspelled in many metrics reference pages.

Issues with Navigator field audit_log_max_file_size

The log4j appender changed from RollingFileAppender to RollingFileWithoutDeleteAppender.

The Isilon client configuration core-site.xml file does not contain proxy users

The parameters are available in the Cloudera Manager Admin Console, but the configurations are not emitted in the core-site.xml file.

Solr gateway role should not have a log4j.properties advanced configuration snippet

The Solr gateway role does not have a log4j.properties file.

The Cloudera Manager Agent force_start's hard stop commands did not set all invariants

This resulted in NullPointerExceptions being reported in Cloudera Manager logs when accessing active and recent command operations.

Configuration staleness icons appear to be enabled for users in read-only role

When moused over, the cursor changes to a hand, indicating that the icons are active. However, users in the read-only role cannot act on changed configurations.

Setting yarn.resourcemanager.am.max-retries throws error

Observed when setting the Maximum Number of Attempts for MapReduce Jobs and then setting ApplicationMaster Maximum Attempts, which also sets yarn.resourcemanager.am.max-retries.

Cloudera Manager reports the wrong value for Impala bytes read from cache

Instead of cached bytes, it reported the value of short-circuit bytes.

Fixed cross-site scripting vulnerabilities

A variety of possible cross-site scripting vulnerabilities have been fixed.

Location of Number of rows drop-down changed

On pages where multiple rows display, the drop-down menu where users select the number of rows to display on a page now appears at the bottom of all lists.

Minimum allowed value change for YARN property

The Max Shuffle Connections property now allows a value of 0, which indicates no limit on the number of connections.

Upgrade error

A bug was fixed that prevented upgrades from CDH 4.7.1 to CDH 5.4.3.

Change to Parcels page

On the Parcels page, the first cluster in the list is now automatically selected by default.

All Password Input Fields do not allow auto complete

All password input fields in Cloudera Manager no longer allow autocomplete.

TLS Keystore Configuration Error

It is no longer possible to delete the values of the Path to TLS Keystore File and Keystore Password properties and save them while the Use TLS Encryption for Admin Console property is enabled.

Host configuration properties and Agent restart messages

Some host configuration properties no longer incorrectly state that an Agent restart is required.

More detailed error messages for failed role migration

If there is a failure validating the NameNode or JournalNode data directories while migrating roles, Cloudera Manager now displays detailed error information, including error codes.

New property to configure Oozie shared library upload timeout

To prevent timeouts due to slow disks or networks, a new Oozie property, Oozie Upload ShareLib Command Timeout, has been added to set the timeout.

New Cluster-Wide Configuration Pages

The following new Cluster-Wide configuration pages have been added:
  • Databases
  • Local Data Directories
  • Local Data Files
  • Navigator Settings
  • Service Dependencies

To access these pages in Cloudera Manager, select Cluster > Cluster Name > Configuration.

Naming of Health Tests

The names of some Health Tests have changed to use consistent capitalization.

Impala Monitoring Queries for Per-node peak memory

Impala queries that report per-node peak memory were incorrect when the value was zero.

Enable Hive on Spark Property

The description of the Enable Hive on Spark property has been updated to remind the user that the Enable Spark on YARN property must also be selected.

Role Trigger property in Flume

Setting a value for the Flume Role Triggers property no longer causes validation warnings.

Restart of Service Monitor leaves files that can fill the disk

Restarts of the Service Monitor no longer leave extraneous copies of files that unnecessarily take up disk space.

HiveServer 2 properties omit Java options

Setting any of the following properties no longer causes Java options to be omitted:
  • Allow URIs in Database Policy File
  • HiveServer2 TLS/SSL Certificate Trust Store File
  • HiveServer2 TLS/SSL Certificate Trust Store Password

CDH Parcel distribution reports HTTP 503 errors

Cloudera Manager no longer displays HTTP 503 errors during distribution of the CDH parcel to a large cluster.

Diagnostic bundle reports incorrect status for SELinux

Diagnostic bundles sometimes reported SELinux as disabled when it was enabled. The bundle now reports the correct status.

Hue configuration warnings do not link to correct page

On the Cloudera Manager page that displays Hue configuration issues, the links now take the user to the correct page where the user can correct the configuration.

Date display in Cloudera Manager log viewer

The month and date have been added before the time value in logs displayed in Cloudera Manager.

Disabling Hive Metastore Canary Test

When you disable the Hive Metastore health test by deselecting the Hive Metastore Canary Health property, the Hive Canary is now also disabled.

Agent failure when TLS 1.0 is disabled

If TLS 1.0 is disabled, the Agent now tries to negotiate the connection using TLS 1.1 or TLS 1.2.

Slowness when displaying details of a stale configuration

The details page now displays more quickly when a user clicks on the Stale Configuration icon.

Slowness observed when accessing replication page in Cloudera Manager

When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.

Log Searches for Cloudera Manager Server

Searching the Cloudera Manager Server logs now works as expected.

Failed TLS Configuration and Cloudera Manager Restart

If the TLS configuration has errors, Cloudera Manager now falls back to non-TLS operation when restarting.

New headers added

New headers have been added to Cloudera Manager HTTP response headers to protect against vulnerabilities.

Hive Logging property restored

The Enable Explain Logging (hive.log.explain.output) property was removed in an earlier release and is now included in the configurations.

Hive Metastore Update NameNodes Command

A 150 second timeout was removed from the Update Hive Metastore NameNodes command to prevent timeouts on deployments that use Hive extensively.

Kafka Parcel Installation

Cloudera Manager now correctly detects the Kafka version for parcel installation.

Agent restart failure

In a condition where an Agent restart was required due to a Hive configuration change and a subsequent disk failure, the Agent now restarts as expected.

Error message wording

Some Cloudera Manager error messages referred to Cloudera Manager as “CM”. These messages now use the full name “Cloudera Manager”.

Oozie metrics failures

Retrieval of Oozie metrics sometimes failed due to timeout issues, which are now resolved.

NameNode Role Migration Failures

When a NameNode role migration fails due to the destination role data directories being non-empty or having incorrect permissions, you no longer need to complete the migration manually. An error message displays and you can now correct the problem and re-run the command.

AWS S3 HBase configuration property renamed to Amazon S3

Several configuration properties for HBase have been renamed from AWS S3 to Amazon S3, in order to use the correct product name.

NodeManager Host Resources page display for the NodeManager Recovery Directory

The NodeManager Recovery Directory now displays on the NodeManager host resources page.

Host Inspector page now includes link to Show Inspector Results

The Host Inspector page now displays a link to a page that displays detailed results.

Initialization Script Improvements

The Cloudera Manager Agent initialization script now checks correctly for running processes.

Default Value for Hue parameter changed

The default value for the Hue cherrypy_server_threads property has been changed from 10 to 50.

Express Installation Wizard Package Installation Page CDH Version

The Express Installation Wizard Package installation page no longer allows the user to proceed without selecting a CDH version.

Host Component page display

The Host Component page now displays the package version for the KMS Trustee Key Provider.

Installation Wizard hangs during package installation

The Installation Wizard hangs during a CDH package installation and the status displays as “Acquiring Installation Lock”. A bug was fixed where the Agent incorrectly failed to release a lock until the Agent was restarted.

Minimum allocation violation not caught by Cloudera Manager

NodeManager did not start because Cloudera Manager did not correctly validate memory and CPU settings against their minimum values.

Impala core dump directories are now configurable

Three new properties that specify the location of core dump directories have been added to the Impala configurations:
  • Catalog Server Core Dump Directory
  • Impala Daemon Core Dump Directory
  • StateStore Core Dump Directory

Typo in Sqoop DB path suffix (SqoopParams.DERBY_SUFFIX)

Sqoop 2 appears to lose data when upgrading to CDH 5.4. This is due to Cloudera Manager erroneously configuring the Derby path with "repositoy" instead of "repository". The correct path name is now used.

Agent fails when retrieving log files with very long messages

When searching or retrieving large log files using the Agent, the Agent no longer consumes nearly 100% CPU until it is restarted. This could also happen when the collect host statistics command was issued.

Automated Solr TLS/SSL configuration may fail silently

Cloudera Manager 5.4.1 offers simplified TLS/SSL configuration for Solr. This process uses a solrctl command to configure the urlScheme Solr cluster property. The solrctl command produces the same results as the Solr REST API call /solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https. For example, the call might appear as: https://example.com:8983/solr/admin/collections?action=CLUSTERPROP&name=urlScheme&val=https

Cloudera Manager automatically executes this command during Solr service startup. If this command fails, the Solr service startup now reports an error.

Removing the default value of a property fails

For example, when you access the Automatically Downloaded Parcels property on the following page: Home > Administration > Settings and remove the default CDH value, the following error message displays: "Could not find config to delete with template name: parcel_autodownload_products". This error has been fixed.

Issues Fixed in Cloudera Manager 5.4.1

distcp default configuration memory settings overwrite MapReduce settings

Replication used for backup and disaster recovery does not correctly set the MapReduce Java options, and you cannot configure them. In release 5.4.1, Cloudera Manager uses the MapReduce gateway configuration to determine the Java options for replication jobs. Replication job settings cannot be configured independently of MapReduce gateway configuration. See Backup and disaster recovery replication does not set MapReduce Java options.

Oozie high availability plug-in is now configured by Cloudera Manager

In CDH 5.4.0, Oozie added a new HA plugin that allows all of the Oozie servers to synchronize their Job ID assignments and prevent collisions. Cloudera Manager 5.4.0 did not configure this new plugin; Cloudera Manager 5.4.1 now does so.

HDFS read throughput Impala query monitoring property is misleading

The hbase_bytes_read_per_second and hdfs_bytes_read_per_second Impala query properties have been renamed to hbase_scanner_average_bytes_read_per_second and hdfs_scanner_average_bytes_read_per_second to more accurately reflect that these properties return the average throughput of the query's HBase and HDFS scanner threads, respectively. The previous names and descriptions indicated that these properties were the query's total HBase and HDFS throughput, which was not accurate.

Enabling wildcarding in a secure environment causes NameNode to fail to start

In a secure cluster, if you use a wildcard for the NameNode's RPC or HTTP bind address, the NameNode fails to start. For example, dfs.namenode.http-address must be a real, routable address and port, not 0.0.0.0:port. In Cloudera Manager, the "Bind NameNode to Wildcard Address" property must not be enabled. This should affect you only if you are running a secure cluster and your NameNode needs to bind to multiple local addresses.

Bug: HDFS-4448

Workaround: Disable the "Bind NameNode to Wildcard Address" property found on the Configuration tab for the NameNode role group.

Support for adding Hue with high availability

The Express and Add Service wizards now allow users to define multiple Hue service roles. If Kerberos is enabled, a co-located KT Renewer role is automatically added for each Hue Server role.

Parameter validation fails with more than one Hue role

When you add a second Hue role to a cluster, the error message "Failed parameter validation" displays.

Cross-site scripting vulnerabilities

Various cross-site scripting vulnerabilities were fixed.

Clicking the "Revert to default" icon stores the default value as a user-defined value in the new configuration pages

Cloudera Manager 5.4.1 fixes an issue in which saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.

Spurious validation warning and missing validations when multiple Hue Server roles are present

When multiple Hue Server roles are created for a single Hue Service, Cloudera Manager displays a spurious validation warning for Hue with the label "Failed parameter validation." The Cloudera Manager Server log may also contain exception messages of the form:
2015-03-30 17:15:45,077 WARN ActionablesProvider-0:com.cloudera.cmf.service.ServiceModelValidatorImpl:
Parameter validation failed java.lang.IllegalArgumentException: There is more than one role with roletype: HUE_SERVER [...]
These messages do not correspond to actual validation warnings and can be ignored. However, some validations normally performed are skipped when this spurious warning is generated, and should be done manually. Specifically, if Hue's authentication mechanism is set to LDAP, the following configuration should be validated:
  1. The Hue LDAP URL property must be set.
  2. For CDH 4.4 and lower, set one (but not both) of the following two Hue properties: NT Domain or LDAP Username Pattern.
  3. For CDH 4.5 and higher, if the Hue property Use Search Bind Authentication is selected, exactly one of the two Hue properties NT Domain and LDAP Username Pattern must be set, as described in step 2 above.

Logging of command unavailable message improved

When a command is unavailable, the error messages are now more descriptive.

Client configuration logs no longer deleted by the Agent

If the Agent fails to deploy a new client configuration, the client log file is no longer deleted by the Agent. The Agent saves the log file and appends new log entries to the saved log file.

HDFS role migration requires certain HDFS roles to be running

Before using the Migrate Roles wizard to migrate HDFS roles, you must ensure that the following HDFS roles are running as described:

  • A majority of the JournalNodes in the JournalNode quorum must be running. With a quorum size of three JournalNodes, for example, at least two JournalNodes must be running. The JournalNode on the source host need not be running, as long as a majority of all JournalNodes are running.
  • When migrating a NameNode and co-located Failover Controller, the other Failover Controller (that is, the one that is not on the source host) must be running. This is true whether or not a co-located JournalNode is being migrated as well, in addition to the NameNode and Failover Controller.
  • When migrating a JournalNode by itself, at least one NameNode / Failover Controller co-located pair must be running.

HDFS role migration requires automatic failover to be enabled

Migration of HDFS NameNode, JournalNode, and Failover Controller roles through the Migrate Roles wizard is only supported when HDFS automatic failover is enabled. Otherwise, it causes a state in which both NameNodes are in standby mode.

HDFS/Hive replication fails when replicating to a target cluster that runs CDH 4 and has Kerberos enabled

Workaround: None.

Issues Fixed in Cloudera Manager 5.4.0

Proxy Configuration in Single User Mode is Fixed

In single user mode, all services in an unsecure cluster use the same user to proxy other users: the user that runs all the CDH processes on the cluster. To restrict that user so that it can proxy other users from only certain hosts and only certain groups, configure the YARN Proxy User Hosts and YARN Proxy User Groups properties in the HDFS service. These settings supersede all other proxy user configurations in single user mode.

The Parcels page allows access to the patch release notes

Clicking the icon with an "i" in a blue circle next to a parcel shows the release notes.

Monitoring Fails on Impala Catalog Server with TLS/SSL Enabled

When enabling TLS/SSL for Impala web servers (webserver_certificate_file), Cloudera Manager does not emit use_ssl in the cloudera-monitor.properties file for the Catalog Server. Other services (Impala Daemon and StateStore) are configured correctly. This causes monitoring to fail for the Catalog Server even though it is working as expected.

Default Value Changed for hive.exec.reducers.bytes.per.reducer

To improve performance, the default value for the hive.exec.reducers.bytes.per.reducer property has been changed from 1 GB to 64 MB. If this value has been customized, the customized value is retained during an upgrade. If the old default of 1 GB was not changed, the value will be updated to 64 MB during an upgrade.
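
Expressed as a hive-site.xml entry, the new 64 MB default corresponds to the following; the snippet is illustrative only:
<property>
  <name>hive.exec.reducers.bytes.per.reducer</name>
  <!-- 64 MB expressed in bytes -->
  <value>67108864</value>
</property>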

Issues Fixed in Cloudera Manager 5.3.10

Scheme and location not filled in consistently during Hive replication import

In previous releases, the Hive replication import phase did not consistently fill in scheme and location information. This information is now filled in as expected.

YARN jobs fail after enabling Kerberos authentication or selecting Always Use Container Executor

After Kerberos security was enabled on a cluster or Always Use Container Executor was selected, YARN jobs failed. This occurred because the contents of any previously existing YARN User Cache directory could not be overridden after security was enabled. YARN jobs now complete as expected after a change in Kerberos security or usage of the Container Executor.

Issues Fixed in Cloudera Manager 5.3.9

Apache Commons Collections deserialization vulnerability

Cloudera has learned of a potential security vulnerability in a third-party library called the Apache Commons Collections. This library is used in products distributed and supported by Cloudera (“Cloudera Products”), including core Apache Hadoop. The Apache Commons Collections library is also in widespread use beyond the Hadoop ecosystem. At this time, no specific attack vector for this vulnerability has been identified as present in Cloudera Products.

In an abundance of caution, we are currently in the process of incorporating a version of the Apache Commons Collections library with a fix into the Cloudera Products. In most cases, this will require coordination with the projects in the Apache community. One example of this is tracked by HADOOP-12577.

The Apache Commons Collections potential security vulnerability is titled “Arbitrary remote code execution with InvokerTransformer” and is tracked by COLLECTIONS-580. MITRE has not issued a CVE, but related CVE-2015-4852 has been filed for the vulnerability. CERT has issued Vulnerability Note #576313 for this issue.

Releases affected: CDH 5.5.0, CDH 5.4.8 and lower, CDH 5.3.8 and lower, CDH 5.2.8 and lower, CDH 5.1.7 and lower, Cloudera Manager 5.5.0, Cloudera Manager 5.4.8 and lower, Cloudera Manager 5.3.8 and lower, Cloudera Manager 5.2.8 and lower, Cloudera Manager 5.1.6 and lower, Cloudera Manager 5.0.7 and lower, Cloudera Navigator 2.4.0, and Cloudera Navigator 2.3.8 and lower.

Users affected: All

Impact: This potential vulnerability may enable an attacker to execute arbitrary code from a remote machine without requiring authentication.

Immediate action required: Upgrade to Cloudera Manager 5.5.1 and CDH 5.5.1, Cloudera Manager 5.4.9 and CDH 5.4.9, Cloudera Manager 5.3.9 and CDH 5.3.9, Cloudera Manager 5.2.9 and CDH 5.2.9, Cloudera Manager 5.1.7 and CDH 5.1.7, or Cloudera Manager 5.0.8 and CDH 5.0.8.

Cloudera Manager monitors subject to excessive garbage-collection workload

The Cloudera Manager Service Monitor and Cloudera Manager Host Monitor wrote aggregate timeseries data in a way that resulted in significant garbage-collection workloads. Writes are now split based on metric threshold counts, resulting in lower garbage-collection loads.

Cloudera Manager dry-run replication history shows unexpected values

BDR replication in dry-run mode should show the number of files that would be copied and the number of bytes those files would comprise if the same job were executed without the dry-run option. Dry-run mode showed the number of replicable files accessed up to a maximum of 1024 files and showed the total number of bytes those files comprise, up to 512 bytes per file.

The results of dry-runs now show the actual number of source files and their composite bytes that would be covered in the replication schedule. These categories are labeled replicable files and replicable bytes.

Updating the Hive NameNode location multiple times could lead to data corruption

Multiple updates to the Hive NameNode location could cause Hive metastore database corruption. Issuing the same command multiple times no longer produces problems.

Issues Fixed in Cloudera Manager 5.3.8

Rolling Restart fails when inheriting inappropriate JVM properties

Rolling Restart inherits custom HBase RegionServer JVM properties and can fail when those properties are inappropriate for non-daemon JVMs.

Exception thrown when viewing host configuration change

When ConfigContext is initialized to both cluster and host, it defaults to cluster. If the context is a host, this can cause the ConfigTableUtil class to throw an IllegalStateException.

Issues Fixed in Cloudera Manager 5.3.7

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Issues Fixed in Cloudera Manager 5.3.6

Cloudera Manager reports the wrong value for Impala bytes read from cache

Instead of cached bytes, it reported the value of short-circuit bytes.

Cancel Impala Query attempts to connect via TLS/SSL despite TLS/SSL being disabled

In Impala queries, if you select Cancel for any query, you get a small "internal error" at the top of the query list. This occurs because an attempt to connect via TLS/SSL is made even though Impala does not have TLS/SSL enabled.

Cloudera Manager displays a spurious validation warning about the Cloudera Management Service truststore

Cloudera Manager incorrectly warns that Cloudera Management Service daemons will use HTTPS for communication with either Cloudera Manager or CDH services even if no Cloudera Management Service truststore is in use.

Issues Fixed in Cloudera Manager 5.3.4

Slowness observed when accessing replication page in Cloudera Manager

When you access the replication page in Cloudera Manager, the page responds slowly due to a large number of replication history records. The number of displayed historical records has been changed from 100 to 20.

Cloudera Manager overwrites the krb5.conf file after disabling management by Cloudera Manager

When a cluster has been configured to enable Kerberos by clicking the Manage krb5.conf through Cloudera Manager button, Cloudera Manager writes out a krb5.conf file. If a user subsequently disables this feature by disabling the Manage krb5.conf through Cloudera Manager option and then restarting Cloudera Manager and the Agent, Cloudera Manager overwrites the existing krb5.conf file.

Header injection vulnerability in internal logging call

An internal call to a servlet with a malformed logger name created information that could be used in a cross-site scripting attack.

Graph for "Total Containers Running Across NodeManagers" displays high values

The graph Total Containers Running Across NodeManagers, which displays on the YARN status page, displayed incorrect high values.

Clicking the "Revert to default" icon stores the default value as a user-defined value in the new configuration pages

Saving an empty configuration value causes the value to be replaced by the default value. The empty value is now saved instead of the default value.

Some Operational Reports do not return results

The following reports do not return results:
  • Overpopulated Directories
  • Large Directories
  • Custom Reports where the Replication parameter is set to 0.

Xalan has been upgraded to version 2.7.2

To address a vulnerability identified by CVE-2014-0107, Xalan has been updated to version 2.7.2.

Setting threshold values of -1 or -2 not accepted in new configuration layout pages

When you set threshold values in various properties, you could not select Specify and then enter -1 to indicate "Any" or -2 to indicate "Never". You can now enter -1 or -2.

Rolling upgrade arguments are reversed

The following arguments for rolling upgrade are reversed:
  • Sleep seconds
  • Failure threshold

Issues Fixed in Cloudera Manager 5.3.3

hive.metastore.client.socket.timeout default value changed to 60

The default value of the hive.metastore.client.socket.timeout property has changed to 60 seconds.
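
Expressed as a hive-site.xml entry, the new default corresponds to the following (the value is in seconds); the snippet is illustrative only:
<property>
  <name>hive.metastore.client.socket.timeout</name>
  <!-- timeout in seconds -->
  <value>60</value>
</property>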

TLS/SSL Enablement property name changes

The property hadoop.ssl.enabled is deprecated. Cloudera Manager has been updated to use either dfs.http.policy or yarn.http.policy properties instead.
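
For illustration, the replacement properties accept policy values such as HTTP_ONLY or HTTPS_ONLY; a minimal example for hdfs-site.xml and yarn-site.xml might look like the following, with values chosen to suit your deployment:
<property>
  <name>dfs.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>
<property>
  <name>yarn.http.policy</name>
  <value>HTTPS_ONLY</value>
</property>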

Changing the Service Monitor Client Config Overrides property requires restart

Cloudera Manager no longer requires you to restart your cluster after changing the Service Monitor Client Config Overrides property for a service.

Cluster name changed from specified name to "cluster" after upgrade

After updating to a new release, Cloudera Manager replaces the specified cluster name with cluster. Cloudera Manager now uses the correct cluster name.

Configuration without host_id in upgrade DDL causes upgrade problems

A client configuration row in the database DDL did not set host_id, causing upgrade problems. Cloudera Manager now catches this condition before upgrading.

hive.log.explain.output property is hidden

The property hive.log.explain.output is known to create instability in Cloudera Manager Agents in some specific circumstances, especially when Hive queries generate extremely large EXPLAIN outputs. Therefore, the property has been hidden from the Cloudera Manager configuration screens. You can still configure the property using advanced configuration snippets.
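
If you do enable it through an advanced configuration snippet for hive-site.xml, the entry would look similar to the following; the value shown is illustrative and assumes the property's boolean form:
<property>
  <name>hive.log.explain.output</name>
  <!-- enabling this can produce very large log output -->
  <value>true</value>
</property>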

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5.x, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Spark and Spark (standalone) services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package

Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.

Workaround: After upgrading the rest of the services, uninstall the old CDH packages, and then start the Spark service.

Deploy client configuration across cluster after upgrade from Cloudera Manager 4.x to 5.3

Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.

Oozie health bad when Oozie is HA, cluster is kerberized, and Cloudera Manager and CDH are upgraded

Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.

Workaround: Disable Oozie HA and then re-enable HA again.

HDFS/Hive replication fails when replicating to a target cluster that runs CDH 4.0 and has Kerberos enabled

Workaround: None.

Issues Fixed in Cloudera Manager 5.3.2

The Review Changes page sometimes hangs

The Review Changes page hangs due to the inability to handle the "File missing" scenario.

High volume of TGT events against AD server with "bad token" messages

A fix has been made to how Kerberos credential caching is handled by management services, resulting in a reduction in the number of Kerberos Ticket Granting Ticket (TGT) requests from the cluster to a KDC. This would have been noticed as "Bad Token" messages being seen in high volume in KDC logging and unnecessarily causing re-authentication by management services.

Accumulo missing kinit when running with Kerberos

Cloudera Manager is unable to run Accumulo when the hostname command does not return the FQDN of hosts.

HiveServer2 leaks threads when using impersonation

For CDH 5.3 and higher, Cloudera Manager will configure HiveServer2 to use the HDFS cache even when impersonation is on. For earlier CDH releases, there were bugs with the cache when impersonation was in use, so the cache remains disabled there.

Deploying client configurations fails if there are dead hosts present in the cluster

If there are hosts in the cluster where the Cloudera Manager agent heartbeat is not working, then deploying client configurations does not work. Starting with Cloudera Manager 5.3.2, such hosts are ignored while deploying client configurations. When the issues with the host are fixed, Cloudera Manager will show those hosts as having stale client configurations, at which point you can redeploy them.

Health test monitors free space available on the wrong filesystem

The Cloudera Manager Health Test to monitor free space available for the Cloudera Manager Agent's process directory monitors space on the wrong filesystem. It should monitor the tmpfs that the Cloudera Manager Agent creates, but instead monitors the Cloudera Manager Agent working directory.

Starting ZooKeeper Servers from Service or Instance page fails

Stopped ZooKeeper servers cannot be started from the Service or Instance page; they can be started only from the server's Role page, using the start action for the role.

Flume Metrics page does not render agent metrics

Starting in Cloudera Manager 5.3, some or all Flume component data was missing from the Flume Metrics Details page.

Broken link to help pages on Chart Builder page

The help icon (question mark) on the Chart Builder page returns a 404 error.

Import MapReduce configurations to YARN now handles NodeManager vcores and memory

Running the wizard to import MapReduce configurations to YARN now populates yarn.nodemanager.resource.cpu-vcores and yarn.nodemanager.resource.memory-mb correctly based on the equivalent MapReduce configuration.
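
As a sketch of the resulting yarn-site.xml entries, the populated properties take the following form (the values below are placeholders, not recommendations; the wizard derives the real values from your MapReduce configuration):
<property>
<name>yarn.nodemanager.resource.cpu-vcores</name>
<value>8</value>
</property>
<property>
<name>yarn.nodemanager.resource.memory-mb</name>
<value>16384</value>
</property>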

Issues Fixed in Cloudera Manager 5.3.1

Deploy client configuration across cluster after upgrade from Cloudera Manager 4.x to 5.3

Following a 4.x -> 5.3 upgrade, you must deploy client configuration across the entire cluster before deleting any gateway roles, any services, or any hosts. Otherwise the existing 4.x client configurations may be left registered and orphaned on the hosts where they were deployed, requiring you to manually intervene to delete them.

Oozie health bad when Oozie is HA, cluster is kerberized, and Cloudera Manager and CDH are upgraded

Oozie health will go bad if high availability is enabled in a kerberized cluster with Cloudera Manager 5.0 and CDH 5.0 and Cloudera Manager and CDH are then upgraded to 5.1 or higher.

Workaround: Disable Oozie HA and then re-enable it.

Deploy client configuration no longer fails after 60 seconds

When configuring a gateway role on a host that already contains a role of the same type—for example, an HDFS gateway on a DataNode—the deploy client configuration command no longer fails after 60 seconds.

service cloudera-scm-server force_start now works

After deleting services, the Cloudera Manager Server log no longer contains foreign key constraint failure exceptions

When using Isilon, Cloudera Manager now sets mapred_submit_replication correctly

When EMC Isilon storage is used, there are no DataNodes, so mapred_submit_replication cannot be validated against the number of DataNodes in the cluster. Cloudera Manager now does the following when setting mapred_submit_replication (a property sketch follows the list):

  • If using HDFS, sets to a minimum of 1 and issues a warning when greater than the number of DataNodes
  • If using Isilon, sets to 1 and does not check against the number of DataNodes
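
For reference, a sketch of the Isilon case as it would appear in mapred-site.xml, assuming the Cloudera Manager setting maps to the MRv1 property name mapred.submit.replication (that mapping is an assumption here; the value follows the rule above):
<property>
<name>mapred.submit.replication</name>
<value>1</value>
</property>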

The Cloudera Manager Agent now sets the file descriptor ulimit correctly on Ubuntu

During upgrade, bootstrapping the standby NameNode step no longer fails with standby NameNode connection refused when connecting to active NameNode

Deploy krb5.conf now also deploys it on hosts with Cloudera Management Service roles

Cloudera Manager allows upgrades to unknown CDH maintenance releases

Cloudera Manager 5.3.0 supports any CDH release less than or equal to 5.3, even if the release did not exist when Cloudera Manager 5.3.0 was released. For packages, you cannot currently use the upgrade wizard to upgrade to such a release. This release adds a custom CDH field for the package case, where you can type in a version that did not exist at the time of the Cloudera Manager release.

impalad memory limit units error in EnableLlamaRMCommand

The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.

Running MapReduce v2 jobs are now visible using the Application Master view

In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.

Deleting services no longer results in foreign key constraint exceptions

The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.

HiveServer2 keystore and LDAP group mapping passwords are no longer exposed in client configuration files

The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.

A cross-site scripting vulnerability in Cloudera Management Service web UIs has been fixed

The high availability wizard now sets the HDFS dependency on ZooKeeper

Workaround: Before enabling high availability, do the following:
  1. Create and start a ZooKeeper service if one does not exist.
  2. Go to the HDFS service.
  3. Click the Configuration tab.
  4. Select HDFS Service-Wide.
  5. Select Category > Main.
  6. Locate the ZooKeeper Service property or search for it by typing its name in the Search box. Select the ZooKeeper service you created.

    If more than one role group applies to this configuration, edit the value for the appropriate role group. See Modifying Configuration Properties Using Cloudera Manager.

  7. Click Save Changes to commit the changes.

BDR no longer assumes superuser is common if clusters have the same realm

If the source and destination clusters are in the same Kerberos realm, Cloudera Manager assumed that the superuser of the destination cluster was also the superuser on the source cluster. However, HDFS can be configured so that this is not the case.

Issues Fixed in Cloudera Manager 5.3.0

Setting the default umask in HDFS fails in new configuration layout

Setting the default umask in the HDFS configuration section to 002 in the new configuration layout displays an error: "Could not parse: Default Umask : Could not parse parameter 'dfs_umaskmode'. Was expecting an octal value with a leading 0. Input: 2", preventing the change from being submitted.

Workaround: Submit the change using the classic configuration layout.

Spark and Spark (standalone) services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package

Spark and Spark standalone services fail to start if you upgrade to CDH 5.2.x parcels from an older CDH package.

Workaround: After upgrading the rest of the services, uninstall the old CDH packages, and then start the Spark service.

Fixed MapReduce Usage by User reports when using an Oracle database backend

Enabling Integrated Resource Management for Impala sets Impala Daemon Memory Limit Incorrectly

The Enable Integrated Resource Management command for Impala (available from the Actions pull-down menu on the Impala service page) sets the Impala Daemon Memory Limit to an unusably small value. This can cause Impala queries to fail.

Workaround 1: Upgrade to Cloudera Manager 5.3.

Workaround 2:
  1. Run the Enable Integrated Resource Management wizard up to the Restart Cluster step. Do not click Restart Now.
  2. Click on the leave this wizard link to exit the wizard without restarting the cluster.
  3. Go to the YARN service page. Click Configuration, expand the category NodeManager Default Group, and click Resource Management.
  4. Note the value of the Container Memory property.
  5. Go to the Impala service page and click Configuration. Type impala daemon memory limit into the search box.
  6. Set the value of the Impala Daemon Memory Limit property to the value noted in step 4 above.
  7. Restart the cluster.

Rolling restart and upgrade of Oozie fails if there is a single Oozie server

Rolling restart and upgrade of Oozie fails if there is only a single Oozie server. Cloudera Manager will show the error message "There is already a pending command on this role."

Workaround: If you have a single Oozie server, do a normal restart.

Allow "Started but crashed" processes to be restarted by a Start command

In Cloudera Manager 5.3, it is now possible to restart a crashed process with the Start command and not just the Restart command.

Add dependency from Agent to Daemons package to yum

In Cloudera Manager 5.3, an explicit dependency has been added from the Agent package to the Daemons package so that upgrading Cloudera Manager 5.2.0 or later to Cloudera Manager 5.3 causes the agent to be upgraded as well. Previously, the Cloudera Manager installer always installed both packages, but this is now enforced at the package dependency level as well.

Issues Fixed in Cloudera Manager 5.2.7

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Issues Fixed in Cloudera Manager 5.2.6

Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is a backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.

Problems restarting the NameNode

The NameNode would not restart due to a blocked thread that was processing audit events.

Cloudera Manager reports the wrong value for Impala bytes read from cache

Instead of cached bytes, it reported the value of short-circuit bytes.

Directory operational reports do not return results

The following reports now return results:
  • Overpopulated Directories
  • Large Directories
  • Custom reports where Replication = 0

Cloudera Manager uses Xalan 2.7.2

The version of Xalan used in Cloudera Manager has been upgraded to version 2.7.2 to address a possible vulnerability.

Cluster name changed to "cluster" after upgrade

After upgrading CDH, the display name of the cluster no longer changes to “cluster”.

Cloudera Manager monitors the wrong directory for space threshold warnings

Cloudera Manager was monitoring the disk space thresholds using the /var/run/cloudera-scm-agent directory. Cloudera Manager now monitors the correct directory: /var/run/cloudera-scm-agent/process.

Default timeout value for the Hive MetaStore changed to 60 seconds

The default value of the hive.metastore.client.socket.timeout property in the Hive Service Monitor Client Config Overrides is now 60 seconds.

Changing client configuration overrides

Changes made to client configuration overrides did not take effect until the service was restarted.

Issues Fixed in Cloudera Manager 5.2.5

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Permissions set incorrectly on YARN Keytab files

Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.

Issues Fixed in Cloudera Manager 5.2.2

Impalad memory limit units error in EnableLlamaRMCommand has been fixed

The EnableLlamaRMCommand sets the value of the impalad memory limit to equal the NM container memory value. But the latter is in MB, and the former is in bytes. Previously, the command did not perform the conversion; this has been fixed.

Fixed MapReduce Usage by User reports when using an Oracle database backend

HiveServer2 keystore and LDAP group mapping passwords are no longer exposed in client configuration files

The HiveServer2 keystore password and LDAP group mapping passwords were emitted into the client configuration files. This exposed the passwords in plain text in a world-readable file. This has been fixed.

Running MapReduce v2 jobs are now visible using the Application Master view

In the Application view, selecting Application Master for a MRv2 job previously resulted in no action.

Deleting services no longer results in foreign key constraint exceptions

The Cloudera Manager Server log previously showed several foreign key constraint exceptions that were associated with deleted services. This has been fixed.

Issues Fixed in Cloudera Manager 5.2.1

“POODLE” vulnerability on TLS/SSL enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager in 5.2.0 and all earlier versions. Cloudera Manager 5.2.1 provides these changes for Cloudera Manager 5.2.0 deployments. All Cloudera Manager 5.2.0 users should upgrade to 5.2.1 as soon as possible. For more information, see the Cloudera Security Bulletin.

Can use the log4j advanced configuration snippet to override the default audit logging configuration even if not using Navigator

In Cloudera Manager 5.2.0 only, it was not possible to use the log4j advanced configuration snippet to override the default audit logging configuration when Navigator was not being used.

Cloudera Manager now collects metrics for CDH 5.0 DataNodes and NameNodes

A number of NameNode and DataNode charts show no data and a number of NameNode and DataNode health checks show unknown results. Metric collection for CDH 5.1 roles is unaffected.

Workaround: None.

The Reports Manager and Event Server Thrift servers no longer crash on HTTP requests

HTTP queries against the Reports Manager and Event Server Thrift servers previously caused them to crash with an out-of-memory exception.

Replication commands now use the correct JAVA_HOME if an override has been provided for it

ZooKeeper connection leaks from HBase clients in Service Monitor have been fixed

When a parcel is activated, user home directories are now created with umask 022 instead of using the "useradd" default 077

Issues Fixed in Cloudera Manager 5.2.0

Bug in openssl-1.0.1e-15 disrupts TLS/SSL communication between Cloudera Manager Agents and CDH services

This issue was observed in TLS/SSL-enabled clusters running CentOS 6.4 and 6.5, where the Cloudera Manager Agent failed when trying to communicate with CDH services.

Workaround: Upgrade to openssl-1.0.1e-16.el6_5.7.x86_64.

Alternatives database points to client configurations of deleted service

In the past, if you created a service, deployed its client configurations, and then deleted that service, the client configurations remained in the alternatives database, possibly with a high priority, until they were cleaned up manually. Now, for a given alternatives path (for example, /etc/hadoop/conf), if there are both "live" client configurations (those that would be pushed out by deploying client configurations for active services) and "orphaned" client configurations (those whose service has been deleted), the orphaned ones are removed from the alternatives database. In other words, to trigger cleanup of client configurations associated with a deleted service, you must create a service to replace it.
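
If you want to see what the alternatives database currently points at for a given path, a quick check such as the following can help (a sketch; hadoop-conf is the alternative name typically used for /etc/hadoop/conf, and on Debian or Ubuntu systems the command is update-alternatives rather than alternatives):
alternatives --display hadoop-conf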

The YARN property ApplicationMaster Max Retries has no effect in CDH 5

The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.

Workaround:
  1. Add the following to ResourceManager Advanced Configuration Snippet for yarn-site.xml, replacing MAX_ATTEMPTS with the desired maximum number of attempts:
    <property>
    <name>yarn.resourcemanager.am.max-attempts</name>
    <value>MAX_ATTEMPTS</value>
    </property>
  2. Restart the ResourceManager(s) to pick up the change.

The Spark History Server does not start when Kerberos authentication is enabled.

The Spark History Server does not start when it is managed by a Cloudera Manager 5.1 instance and Kerberos authentication is enabled.

Workaround:
  1. Go to the Spark service.
  2. Expand the Service-Wide > Advanced category.
  3. Add the following configuration to the History Server Environment Advanced Configuration Snippet property:
    SPARK_HISTORY_OPTS=-Dspark.history.kerberos.enabled=true \
    -Dspark.history.kerberos.principal=principal \
    -Dspark.history.kerberos.keytab=keytab
where principal is the name of the Kerberos principal to use for the History Server, and keytab is the path to the principal's keytab file on the local filesystem of the host running the History Server.

Hive replication issue with TLS enabled

Hive replication will fail when the source Cloudera Manager instance has TLS enabled, even though the required certificates have been added to the target Cloudera Manager's trust store.

Workaround: Add the required Certificate Authority or self-signed certificates to the default Java trust store, which is typically a copy of the cacerts file named jssecacerts in the $JAVA_HOME/jre/lib/security/ directory of your installed JDK. Use keytool to import your private CA certificates into the jssecacerts file.
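
A minimal sketch of that import, assuming the CA certificate has been saved to /tmp/cluster-ca.pem and the keystore password is still the JDK default changeit (the alias and file path are placeholders):
sudo cp $JAVA_HOME/jre/lib/security/cacerts $JAVA_HOME/jre/lib/security/jssecacerts
sudo keytool -importcert -alias cluster-ca -file /tmp/cluster-ca.pem \
    -keystore $JAVA_HOME/jre/lib/security/jssecacerts -storepass changeit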

The Spark Upload Jar command fails in a secure cluster

The Spark Upload Jar command fails in a secure cluster.

Workaround: To run Spark on YARN, manually upload the Spark assembly jar to HDFS /user/spark/share/lib. The Spark assembly jar is located on the local filesystem, typically in /usr/lib/spark/assembly/lib or /opt/cloudera/parcels/CDH/lib/spark/assembly/lib.
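
A sketch of the manual upload for a parcel installation (the jar filename pattern and ownership are assumptions; on a Kerberos-secured cluster, first authenticate as an HDFS superuser rather than relying on sudo alone):
sudo -u hdfs hadoop fs -mkdir -p /user/spark/share/lib
sudo -u hdfs hadoop fs -put /opt/cloudera/parcels/CDH/lib/spark/assembly/lib/spark-assembly-*.jar /user/spark/share/lib/
sudo -u hdfs hadoop fs -chown -R spark /user/spark/share/lib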

Clients of the JobHistory Server Admin Interface Require Advanced Configuration Snippet

Clients of the JobHistory server administrative interface, such as the mapred hsadmin tool, may fail to connect to the server when run on hosts other than the one where the JobHistory server is running.

Workaround: Add the following to both the MapReduce Client Advanced Configuration Snippet for mapred-site.xml and the Cluster-wide Advanced Configuration Snippet for core-site.xml, replacing JOBHISTORY_SERVER_HOST with the hostname of your JobHistory server:
<property>
<name>mapreduce.history.admin.address</name>
<value>JOBHISTORY_SERVER_HOST:10033</value>
</property>

Issues Fixed in Cloudera Manager 5.1.6

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is a backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.

Fixed Issues in Cloudera Manager 5.1.5

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Permissions set incorrectly on YARN Keytab files

Permissions on YARN Keytab files for NodeManager were set incorrectly to allow read access to any user.

Fixed Issues in Cloudera Manager 5.1.4

“POODLE” vulnerability on TLS/SSL enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.1.4 provides these changes for Cloudera Manager 5.1.x deployments. All Cloudera Manager 5.1.x users should upgrade to 5.1.4 as soon as possible. For more information, see the Cloudera Security Bulletin.

Issues Fixed in Cloudera Manager 5.1.3

Improved speed and heap usage when deleting hosts on cluster with long history

Speed and heap usage have been improved when deleting hosts on clusters that have been running for a long time.

When there are multiple clusters, each cluster's topology files and validation for legal topology is limited to hosts in that cluster

When there are multiple clusters, each cluster's topology files and validation for legal topology is limited to hosts in that cluster. Most commands will now fail up front if the cluster's topology is invalid.

The size of the statement cache has been reduced for Oracle databases

For users of Oracle databases, the size of the statement cache has been reduced to help with memory consumption.

Improvements to memory usage of "cluster diagnostics collection" for large clusters.

Memory usage of "cluster diagnostics collection" has been improved for large clusters.

Issues Fixed in Cloudera Manager 5.1.2

If a NodeManager that is used as ApplicationMaster is decommissioned, YARN jobs will hang

Jobs can hang on NodeManager decommission due to a race condition when continuous scheduling is enabled.

Workaround:
  1. Go to the YARN service.
  2. Expand the ResourceManager Default Group > Resource Management category.
  3. Uncheck the Enable Fair Scheduler Continuous Scheduling checkbox.
  4. Click Save Changes to commit the changes.
  5. Restart the YARN service.

Could not find a healthy host with CDH 5 on it to create HiveServer2 error during upgrade

When upgrading from CDH 4 to CDH 5, if no parcel is active, the error message "Could not find a healthy host with CDH5 on it to create HiveServer2" is displayed. This can happen when transitioning from packages to parcels, or if you explicitly deactivate the CDH 4 parcel (which is not necessary) before upgrade.

Workaround: Wait 30 seconds and retry the upgrade.

AWS installation wizard requires Java 7u45 to be installed on Cloudera Manager Server host

Cloudera Manager 5.1 installs Java 7u55 by default. However, the AWS installation wizard does not work with Java 7u55 due to a bug in the jClouds version packaged with Cloudera Manager.

Workaround:
  1. Stop the Cloudera Manager Server.
    sudo service cloudera-scm-server stop
  2. Uninstall Java 7u55 from the Cloudera Manager Server host.
  3. Install Java 7u45 (which you can download from http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u45-oth-JPR) on the Cloudera Manager Server host.
  4. Start the Cloudera Manager Server.
    sudo service cloudera-scm-server start
  5. Run the AWS installation wizard.

The YARN property ApplicationMaster Max Retries has no effect in CDH 5

The issue arises because yarn.resourcemanager.am.max-retries was replaced with yarn.resourcemanager.am.max-attempts.

Workaround:
  1. Add the following to ResourceManager Advanced Configuration Snippet for yarn-site.xml, replacing MAX_ATTEMPTS with the desired maximum number of attempts:
    <property>
    <name>yarn.resourcemanager.am.max-attempts</name>
    <value>MAX_ATTEMPTS</value>
    </property>
  2. Restart the ResourceManager(s) to pick up the change.

(BDR) Replications can be affected by other replications or commands running at the same time

Replications can be affected by other replications or commands running at the same time, causing replications to fail unexpectedly or even be silently skipped sometimes. When this occurs, a StaleObjectException is logged to the Cloudera Manager logs. This is known to occur even with as few as four replications starting at the same time.

Issues Fixed in Cloudera Manager 5.1.1

Checking "Install Java Unlimited Strength Encryption Policy Files" During Add Cluster or Add/Upgrade Host Wizard on RPM based distributions if JDK 7 or above is pre-installed will cause Cloudera Manager and CDH to fail

If you have manually installed Oracle's official JDK 7 or 8 RPM on a host (or hosts) and check the Install Java Unlimited Strength Encryption Policy Files checkbox in the Add Cluster or Add Host wizard when installing Cloudera Manager on that host (or hosts), or when upgrading Cloudera Manager to 5.1, Cloudera Manager installs JDK 6 policy files, which prevent any Java programs from running against that JDK. In addition, in this situation Cloudera Manager and CDH choose that JDK as the default to run against, so Cloudera Manager and CDH fail to start, logging the following message: Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by a trusted signer!

Workaround: Do not select the Install Java Unlimited Strength Encryption Policy Files checkbox during the aforementioned wizards. Instead download and install them manually, following the instructions on Oracle's website.

Issues Fixed in Cloudera Manager 5.1.0

Changes to property for yarn.nodemanager.remote-app-log-dir are not included in the JobHistory Server yarn-site.xml and Gateway yarn-site.xml

When "Remote App Log Directory" is changed in YARN configuration, the property yarn.nodemanager.remote-app-log-dir are not included in the JobHistory Server yarn-site.xml and Gateway yarn-site.xml.

Workaround: Set JobHistory Server Advanced Configuration Snippet (Safety Valve) for yarn-site.xml and YARN Client Advanced Configuration Snippet (Safety Valve) for yarn-site.xml to:
<property>
<name>yarn.nodemanager.remote-app-log-dir</name>
<value>/path/to/logs</value>
</property>

Secure CDH 4.1 clusters have Hue and Impala share the same Hive

In a secure CDH 4.1 cluster, Hue and Impala cannot share the same Hive instance. If "Bypass Hive Metastore Server" is disabled on the Hive service, then Hue will not be able to talk to Hive. Conversely, if "Bypass Hive Metastore Server" is enabled on the Hive service, then Impala will have a validation error.

Severity: High

Workaround: Upgrade to CDH 4.2.

The command history has an option to select the number of commands, but does not always return the number you request

Workaround: None.

Hue does not support YARN ResourceManager High Availability

Workaround: Configure the Hue Server to point to the active ResourceManager:
  1. Go to the Hue service.
  2. Click the Configuration tab.
  3. Select Scope > Hue or Hue Service-Wide.
  4. Select Category > Advanced.
  5. Locate the Hue Server Advanced Configuration Snippet (Safety Valve) for hue_safety_valve_server.ini property or search for it by typing its name in the Search box.
  6. In the Hue Server Advanced Configuration Snippet for hue_safety_valve_server.ini field, add the following:
    [hadoop]
    [[ yarn_clusters ]]
    [[[default]]]
    resourcemanager_host=<hostname of active ResourceManager>
    resourcemanager_api_url=http://<hostname of active resource manager>:<web port of active resource manager>
    proxy_api_url=http://<hostname of active resource manager>:<web port of active resource manager>
    The default web port of Resource Manager is 8088.
  7. Click Save Changes to have these configurations take effect.
  8. Restart the Hue service.

Cloudera Manager does not support encrypted shuffle.

Encrypted shuffle has been introduced in CDH 4.1, but it is not currently possible to enable it through Cloudera Manager.

Severity: Medium

Workaround: None.

Hive CLI does not work in CDH 4 when "Bypass Hive Metastore Server" is enabled

Hive CLI does not work in CDH 4 when "Bypass Hive Metastore Server" is enabled.

Workaround: Configure Hive and disable the "Bypass Hive Metastore Server" option.

Alternatively, you can take an approach that prevents the "Hive Auxiliary JARs Directory" from working but allows basic Hive commands to work. Add the following to the "Gateway Client Environment Advanced Configuration Snippet for hive-env.sh," then redeploy the Hive client configuration:

HIVE_AUX_JARS_PATH="
AUX_CLASSPATH=/usr/share/java/mysql-connector-java.jar:/usr/share/java/oracle-connector-java.jar:$(find /usr/share/cmf/lib/postgresql-jdbc.jar 2> /dev/null | tail -n 1)

Incorrect Absolute Path to topology.py in Downloaded YARN Client Configuration

The downloaded client configuration for YARN includes the topology.py script. The location of this script is given by the net.topology.script.file.name property in core-site.xml. But the core-site.xml file downloaded with the client configuration has an incorrect absolute path to /etc/hadoop/... for topology.py. This can cause clients that run against this configuration to fail (including Spark clients run in yarn-client mode, as well as YARN clients).

Workaround: Edit core-site.xml to change the value of the net.topology.script.file.name property to the path where the downloaded copy of topology.py is located. This property must be set to an absolute path.
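
A sketch of the corrected entry in the downloaded core-site.xml, assuming the client configuration was unpacked under /home/user/yarn-conf (the path is a placeholder; substitute the absolute path of your downloaded copy):
<property>
<name>net.topology.script.file.name</name>
<value>/home/user/yarn-conf/topology.py</value>
</property>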

search_bind_authentication for Hue is not included in .ini file

When search_bind_authentication is set to false, Cloudera Manager does not include it in hue.ini.

Workaround: Add the following to the Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini:
[desktop]
[[ldap]]
search_bind_authentication=false

Erroneous warning displayed on the HBase configuration page on CDH 4.1 in Cloudera Manager 5.0.0

An erroneous "Failed parameter validation" warning is displayed on the HBase configuration page on CDH 4.1 in Cloudera Manager 5.0.0

Severity: Low

Workaround: Use CDH 4.2 or higher, or ignore the warning.

Host recommissioning and decommissioning should occur independently

In large clusters, when problems appear with a host or role, administrators may choose to decommission the host or role to fix it and then recommission it to put it back into production. Decommissioning, especially host decommissioning, is slow, so parallelization is important: it allows host recommissioning to be initiated before decommissioning is done.

Fixed Issues in Cloudera Manager 5.0.7

Sensitive Information in Cloudera Manager Diagnostic Support Bundles

Cloudera Manager is designed to transmit certain diagnostic data (or “bundles”) to Cloudera. These diagnostic bundles are used by the Cloudera support team to reproduce, debug, and address technical issues for our customers. Cloudera internally discovered a potential vulnerability in this feature, which could cause any sensitive data stored as “advanced configuration snippets (ACS)” (formerly called “safety valves”) to be included in diagnostic bundles and transmitted to Cloudera. Notwithstanding any possible transmission, such sensitive data is not used by Cloudera for any purpose.

Cloudera has taken the following actions: (1) modified Cloudera Manager so that it no longer transmits advanced configuration snippets containing the sensitive data, and (2) modified Cloudera Manager TLS/SSL configuration to increase the protection level of the encrypted communication.

Cloudera strives to follow and also help establish best practices for the protection of customer information. In this effort, we continually review and improve our security practices, infrastructure, and data handling policies.

Users affected:
  • Users storing sensitive data in advanced configuration snippets

Severity: High

Impact: Possible transmission of sensitive data

CVE: CVE-2015-6495

Immediate Action Required:
  • Upgrade Cloudera Manager to one of the following releases: Cloudera Manager 5.4.6, 5.3.7, 5.2.7, 5.1.6, 5.0.7, 4.8.6

Cloudera Manager Agent may become slow or get stuck when responding to commands and when sending heartbeats to Cloudera Manager Server

This issue can occur when Cloudera Navigator auditing is turned on. The auditing code reads audit logs and sends them to the Audit Server. It acquires a lock to protect the list of roles being audited. The same list is also modified by the Cloudera Manager Agent's main thread when a role is started or stopped. If the Audit thread takes too much time to send audits to the Audit Server (which can happen if there is a backlog of audit logs), it starves the main Agent thread. This causes the main Agent thread to not send heartbeats and to not respond to commands from the Cloudera Manager Server.

Fixed Issues in Cloudera Manager 5.0.6

Slow staleness calculation can lead to ZooKeeper data loss when new servers are added

In Cloudera Manager 5, starting new ZooKeeper Servers shortly after adding them can cause ZooKeeper data loss when the number of new servers exceeds the number of old servers.

Fixed Issues in Cloudera Manager 5.0.5

“POODLE” vulnerability on TLS/SSL enabled ports

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack takes advantage of a cryptographic flaw in the obsolete TLS/SSLv3 protocol, after first forcing the use of that protocol. The only solution is to disable TLS/SSLv3 entirely. This requires changes across a wide variety of components of CDH and Cloudera Manager. Cloudera Manager 5.0.5 provides these changes for Cloudera Manager 5.0.x deployments. All Cloudera Manager 5.0.x users should upgrade to 5.0.5 as soon as possible. For more information, see the Cloudera Security Bulletin.

Issues Fixed in Cloudera Manager 5.0.2

Cloudera Manager Impala Query Monitoring does not work with Impala 1.3.1

Impala 1.3.1 contains changes to the runtime profile format that break the Cloudera Manager Query Monitoring feature. This leads to exceptions in the Cloudera Manager Service Monitor logs, and Impala queries no longer appear in the Cloudera Manager UI or API. The issue affects Cloudera Manager 5.0 and 4.6 - 4.8.2.

Workaround: None. The issue will be fixed in Cloudera Manager 4.8.3 and Cloudera Manager 5.0.1. To avoid the Service Monitor exceptions, turn off the Cloudera Manager Query Monitoring feature by going to Impala Daemon > Monitoring and setting the Query Monitoring Period to 0 seconds. Note that the Impala Daemons must be restarted when changing this setting, and the setting must be restored once the fix is deployed to turn the query monitoring feature back on. Impala queries will then appear again in Cloudera Manager’s Impala query monitoring feature.

Issues Fixed in Cloudera Manager 5.0.1

Upgrade from Cloudera Manager 5.0.0 beta 1 or beta 2 to Cloudera Manager 5.0.0 requires assistance from Cloudera Support

Contact Cloudera Support before upgrading from Cloudera Manager 5.0.0 beta 1 or beta 2 to Cloudera Manager 5.0.0.

Workaround: Contact Cloudera Support.

Failure of HDFS Replication between clusters with YARN

HDFS replication between clusters in different Kerberos realms fails when using YARN if the target cluster is CDH 5.

Workaround: Use MapReduce (MRv1) instead of YARN.

If installing CDH 4 packages, the Impala 1.3.0 option does not work because Impala 1.3 is not yet released for CDH 4.

If installing CDH 4 packages, the Impala 1.3.0 option listed in the install wizard does not work because Impala 1.3.0 is not yet released for CDH 4.

Workaround: Install using parcels (where the unreleased version of Impala does not appear), or select a different version of Impala when installing with packages.

When updating dynamic resource pools, Cloudera Manager updates roles but may fail to update role information displayed in the UI

When updating dynamic resource pools, Cloudera Manager automatically refreshes the affected roles, but they sometimes get marked incorrectly as running with outdated configurations and requiring a refresh.

Workaround: Invoke the Refresh Cluster command from the cluster actions drop-down menu.

Upgrade of secure cluster requires installation of JCE policy files

When upgrading a secure cluster via Cloudera Manager, the upgrade initially fails due to the JDK not having Java Cryptography Extension (JCE) unlimited strength policy files. This is because Cloudera Manager installs a copy of the Java 7 JDK during the upgrade, which does not include the unlimited strength policy files. To ensure that unlimited strength functionality continues to work, install the unlimited strength JCE policy files immediately after completing the Cloudera Manager Upgrade Wizard and before taking any other actions in Cloudera Manager.

Workaround: Install the unlimited strength JCE policy files immediately after completing the Cloudera Manager Upgrade Wizard and before taking any other action in Cloudera Manager.

The Details page for MapReduce jobs displays the wrong id for YARN-based replications

The Details link for MapReduce jobs is wrong for YARN-based replications.

Workaround: Find the job id in the link and then go to the YARN Applications page and look for the job there.

Reset non-default HDFS File Block Storage Location Timeout value after upgrade from CDH 4 to CDH 5

During an upgrade from CDH 4 to CDH 5, if the HDFS File Block Storage Locations Timeout was previously set to a custom value, it will now be set to 10 seconds or the custom value, whichever is higher. This is required for Impala to start in CDH 5, and any value under 10 seconds is now a validation error. This configuration is only emitted for Impala and no services should be adversely impacted.

Workaround: None.

HDFS NFS gateway works only on RHEL and similar systems

HDFS NFS gateway works as shipped ("out of the box") only on RHEL-compatible systems, but not on SLES, Ubuntu, or Debian. Because of a bug in native versions of portmap/rpcbind, the HDFS NFS gateway does not work out of the box on SLES, Ubuntu, or Debian systems when CDH has been installed from the command line using packages. It does work on supported versions of RHEL-compatible systems on which rpcbind-0.2.0-10.el6 or later is installed, and it does work if you use Cloudera Manager to install CDH, or if you start the gateway as root. For more information, see the list of supported versions.

Bug: 731542 (Red Hat), 823364 (SLES), 594880 (Debian)

Workarounds and caveats:
  • On Red Hat and similar systems, make sure rpcbind-0.2.0-10.el6 or later is installed.
  • On SLES, Debian, and Ubuntu systems, do one of the following:
    • Install CDH using Cloudera Manager; or
    • As of CDH 5.1, start the NFS gateway as root; or
    • Start the NFS gateway without using packages; or
    • You can use the gateway by running rpcbind in insecure mode, using the -i option, but keep in mind that this allows anyone from a remote host to bind to the portmap.

Sensitive configuration values exposed in Cloudera Manager

Certain configuration values that are stored in Cloudera Manager are considered sensitive, such as database passwords. These configuration values should be inaccessible to non-administrator users, and this is enforced in the Cloudera Manager Administration Console. However, these configuration values are not redacted when they are read through the API, possibly making them accessible to users who should not have such access.

Gateway role configurations not respected when deploying client configurations

Gateway configurations set for gateway role groups other than the default one or at the role level were not being respected.

Documentation reflects requirement to enable at least Level 1 encryption before enabling Kerberos authentication

Cloudera Security documentation now indicates that before enabling Kerberos authentication you should first enable at least Level 1 encryption. For more information see Cloudera Security.

HDFS NFS gateway does not work on all Cloudera-supported platforms

The NFS gateway cannot be started on some Cloudera-supported platforms.

Workaround: None. Fixed in Cloudera Manager 5.0.1.

Replace YARN_HOME with HADOOP_YARN_HOME during upgrade

If yarn.application.classpath was set to a non-default value on a CDH 4 cluster, and that cluster is upgraded to CDH 5, the classpath is not updated to reflect that $YARN_HOME was replaced with $HADOOP_YARN_HOME. This will cause YARN jobs to fail.

Workaround: Reset yarn.application.classpath to the default, then re-apply your classpath customizations if needed.
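
If you prefer to adjust a customized value in place instead, the change is a one-for-one substitution of the variable name; a sketch with illustrative classpath entries (your actual list will differ):
before: $HADOOP_CONF_DIR,$HADOOP_COMMON_HOME/*,$YARN_HOME/*,$YARN_HOME/lib/*
after:  $HADOOP_CONF_DIR,$HADOOP_COMMON_HOME/*,$HADOOP_YARN_HOME/*,$HADOOP_YARN_HOME/lib/*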

Insufficient password hashing in Cloudera Manager

In versions of Cloudera Manager earlier than 4.8.3 and earlier than 5.0.1, user passwords are only hashed once. Passwords should be hashed multiple times to increase the cost of dictionary based attacks, where an attacker tries many candidate passwords to find a match. The issue only affects user accounts that are stored in the Cloudera Manager database. User accounts that are managed externally (for example, with LDAP or Active Directory) are not affected.

In addition, because of this issue, Cloudera Manager 4.8.3 cannot be upgraded to Cloudera Manager 5.0.0. Cloudera Manager 4.8.3 must be upgraded to 5.0.1 or later.

Workaround: Upgrade to Cloudera Manager 5.0.1.

Upgrade to Cloudera Manager 5.0.0 from SLES older than Service Pack 3 with PostgreSQL older than 8.4 fails

Upgrading to Cloudera Manager 5.0.0 from SUSE Linux Enterprise Server (SLES) older than Service Pack 3 will fail if the embedded PostgreSQL database is in use and the installed version of PostgreSQL is less than 8.4.

Workaround: Either migrate away from the embedded PostgreSQL database (use MySQL or Oracle) or upgrade PostgreSQL to 8.4 or greater.

MR1 to MR2 import fails on a secure cluster

When running the MR1 to MR2 import on a secure cluster, YARN jobs will fail to find container-executor.cfg.

Workaround: Restart YARN after the import.

After upgrade from CDH 4 to CDH 5, Oozie is missing workflow extension schemas

After an upgrade from CDH 4 to CDH 5, Oozie does not pick up the new workflow extension schemas automatically. You must update oozie.service.SchemaService.wf.ext.schemas manually to add the schemas introduced in CDH 5: shell-action-0.3.xsd, sqoop-action-0.4.xsd, distcp-action-0.2.xsd, oozie-sla-0.1.xsd, and oozie-sla-0.2.xsd. Note: None of the existing jobs will be affected by this bug, only new workflows that require the new schemas.

Workaround: Add the new workflow extension schemas to Oozie manually by editing oozie.service.SchemaService.wf.ext.schemas.
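
A sketch of the resulting entry as it would appear in oozie-site.xml if the property is edited directly; keep whatever schemas are already listed and append the new ones (the leading placeholder stands in for your existing entries):
<property>
<name>oozie.service.SchemaService.wf.ext.schemas</name>
<value>existing-schemas,shell-action-0.3.xsd,sqoop-action-0.4.xsd,distcp-action-0.2.xsd,oozie-sla-0.1.xsd,oozie-sla-0.2.xsd</value>
</property>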

Issues Fixed in Cloudera Manager 5.0.0

HDFS replication does not work from CDH 5 to CDH 4 with different realms

HDFS replication does not work from CDH 5 to CDH 4 with different realms. This is because authentication fails for services in a non-default realm via the WebHdfs API due to a JDK bug. This has been fixed in JDK 6u34 (b03) and in JDK 7.

Workaround: Use JDK 7 or upgrade JDK6 to at least version u34.

The Sqoop Upgrade command in Cloudera Manager may report success even when the upgrade fails

Workaround: Do one of the following, and verify that the upgrade did not fail:
  • From the Sqoop service:
    1. Click the Sqoop service and then the Instances tab.
    2. Click the Sqoop server role, then the Commands tab.
    3. Click the stdout link and scan for the Sqoop Upgrade command.
  • In the All Recent Commands page, select the stdout link for the latest Sqoop Upgrade command.

Cannot restore a snapshot of a deleted HBase table

If you take a snapshot of an HBase table, and then delete that table in HBase, you will not be able to restore the snapshot.

Severity: Medium

Workaround: Use the "Restore As" command to recreate the table in HBase.

Stop dependent HBase services before enabling HDFS Automatic Failover.

When enabling HDFS Automatic Failover, you need to first stop any dependent HBase services. The Automatic Failover configuration workflow restarts both NameNodes, which could cause HBase to become unavailable.

Severity: Medium

New schema extensions have been introduced for Oozie in CDH 4.1

In CDH 4.1, Oozie introduced new versions for Hive, Sqoop and workflow schema. To use them, you must add the new schema extensions to the Oozie SchemaService Workflow Extension Schemas configuration property in Cloudera Manager.

Severity: Low

Workaround: In Cloudera Manager, do the following:

  1. Go to the CDH 4 Oozie service page.
  2. Go to the Configuration tab, View and Edit.
  3. Search for "Oozie Schema". This should show the Oozie SchemaService Workflow Extension Schemas property.
  4. Add the following to the Oozie SchemaService Workflow Extension Schemas property:
    shell-action-0.2.xsd 
    hive-action-0.3.xsd 
    sqoop-action-0.3.xsd
  5. Save these changes.

YARN Resource Scheduler uses FairScheduler rather than FIFO.

Cloudera Manager 5.0.0 sets the default YARN Resource Scheduler to FairScheduler. If a cluster was previously running YARN with the FIFO scheduler, it will be changed to FairScheduler the next time YARN restarts. The FairScheduler is only supported with CDH 4.2.1 and later, so older clusters may hit failures and need the scheduler manually changed to FIFO or CapacityScheduler (a property sketch follows the workaround below).

Severity: Medium

Workaround: For clusters running CDH 4 prior to CDH 4.2.1:
  1. Go to the YARN service Configuration page.
  2. Search for "scheduler.class".
  3. Click in the Value field and select the scheduler you want to use.
  4. Save your changes and restart YARN to update your configurations.
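
For reference, the setting found by that search corresponds to the yarn.resourcemanager.scheduler.class property in yarn-site.xml; a sketch that selects the FIFO scheduler, using the stock Hadoop class name (offered as an assumption about your CDH build):
<property>
<name>yarn.resourcemanager.scheduler.class</name>
<value>org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler</value>
</property>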

Resource Pools Summary is incorrect if time range is too large.

The Resource Pools Summary does not show correct information if the Time Range selector is set to show 6 hours or more.

Severity: Medium

Workaround: None.

When running the MR1 to MR2 import on a secure cluster, YARN jobs will fail to find container-executor.cfg

Workaround: Restart YARN after the import steps finish. This causes the file to be created under the YARN configuration path, and the jobs now work.

When upgrading to Cloudera Manager 5.0.0, the "Dynamic Resource Pools" page is not accessible

When upgrading to Cloudera Manager 5.0.0, users will not be able to directly access the "Dynamic Resource Pools" page. Instead, they will be presented with a dialog saying that the Fair Scheduler XML Advanced Configuration Snippet is set.

Workaround:
  1. Go to the YARN service.
  2. Click the Configuration tab.
  3. Select Scope > Resource Manager or YARN Service-Wide.
  4. Select Category > Advanced.
  5. Locate the Fair Scheduler XML Advanced Configuration Snippet property or search for it by typing its name in the Search box.
  6. Copy the value of the Fair Scheduler XML Advanced Configuration Snippet into a file.
  7. Clear the value of Fair Scheduler XML Advanced Configuration Snippet.
  8. Recreate the desired Fair Scheduler allocations in the Dynamic Resource Pools page, using the saved file for reference.

New Cloudera Enterprise licensing is not reflected in the wizard and license page

Workaround: None.

The AWS Cloud wizard fails to install Spark due to missing roles

Workaround: Do one of the following:
  • Use the Installation wizard.
  • Open a new window, click the Spark service, click on the Instances tab, click Add, add all required roles to Spark. Once the roles are successfully added, click the Retry button in the Installation wizard.

Spark on YARN requires manual configuration

Spark on YARN requires the following manual configuration to work correctly: modify the YARN Application Classpath by adding /etc/hadoop/conf, making it the very first entry.

Workaround: Add /etc/hadoop/conf as the first entry in the YARN Application classpath.
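
A sketch of the adjusted YARN Application Classpath (yarn.application.classpath) value with /etc/hadoop/conf prepended; the entries after the first one are illustrative and stand in for whatever your cluster already uses:
/etc/hadoop/conf,$HADOOP_CONF_DIR,$HADOOP_COMMON_HOME/*,$HADOOP_COMMON_HOME/lib/*,$HADOOP_HDFS_HOME/*,$HADOOP_HDFS_HOME/lib/*,$HADOOP_YARN_HOME/*,$HADOOP_YARN_HOME/lib/*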

Monitoring works with Solr and Sentry only after configuration updates

Cloudera Manager monitoring does not work out of the box with Solr and Sentry on Cloudera Manager 5. The Solr service is in Bad health, and all Solr Servers have a failing "Solr Server API Liveness" health check.

Severity: Medium

Workaround: Complete the configuration steps below:

  1. Create "HTTP" user and group on all machines in the cluster (with useradd 'HTTP' on RHEL-type systems).
  2. The instructions that follow this step assume there is no existing Solr Sentry policy file in use. In that case, first create the policy file on /tmp and then copy it over to the appropriate location in HDFS that Solr Servers check. If there is already a Solr Sentry policy in use, it must be modified to add the following [group] / [role] entries for 'HTTP'. Create a file (for example, /tmp/cm-authz-solr-sentry-policy.ini) with the following contents:
    [groups]
    HTTP = HTTP
    [roles]
    HTTP = collection = admin->action=query
  3. Copy this file to the location for the "Sentry Global Policy File" for Solr. The associated config name for this location is sentry.solr.provider.resource, and you can see the current value by navigating to the Sentry sub-category in the Service Wide configuration editing workflow in the Cloudera Manager UI. The default value for this entry is /user/solr/sentry/sentry-provider.ini. This refers to a path in HDFS.
  4. Check if you have entries in HDFS for the parent(s) directory:
    sudo -u hdfs hadoop fs -ls /user
  5. You may need to create the appropriate parent directories if they are not present. For example:
    sudo -u hdfs hadoop fs -mkdir /user/solr/sentry
  6. After ensuring the parent directory is present, copy the file created in step 2 to this location, as follows:
    sudo -u hdfs hadoop fs -put /tmp/cm-authz-solr-sentry-policy.ini /user/solr/sentry/sentry-provider.ini
  7. Ensure that this file is owned/readable by the solr user (this is what the Solr Server runs as):
    sudo -u hdfs hadoop fs -chown solr /user/solr/sentry/sentry-provider.ini
  8. Restart the Solr service. If both Kerberos and Sentry are being enabled for Solr, the MGMT services also need to be restarted. The Solr Server liveness health checks should clear up once SMON has had a chance to contact the servers and retrieve metrics.

Out-of-memory errors may occur when using the Reports Manager

Out-of-memory errors may occur when using the Cloudera Manager Reports Manager.

Workaround: Set the value of the "Java Heap Size of Reports Manager" property to at least the size of the HDFS filesystem image (fsimage) and restart the Reports Manager.

Applying license key using Internet Explorer 9 and Safari fails

Cloudera Manager is designed to work with IE 9 and above and with Safari. However, the file upload widget used to upload a license currently does not work with IE 9 or Safari. Therefore, installing an enterprise license does not work.

Workaround: Use another supported browser.

Issues Fixed in Cloudera Manager 5.0.0 Beta 2

The Sqoop Upgrade command in Cloudera Manager may report success even when the upgrade fails

Workaround: Do one of the following, and verify that the upgrade did not fail:
  • From the Sqoop service:
    1. Click the Sqoop service and then the Instances tab.
    2. Click the Sqoop server role, then the Commands tab.
    3. Click the stdout link and scan for the Sqoop Upgrade command.
  • In the All Recent Commands page, select the stdout link for the latest Sqoop Upgrade command.

The HDFS Canary Test is disabled for secured CDH 5 services.

Due to a bug in Hadoop's handling of multiple RPC clients with distinct configurations within a single process with Kerberos security enabled, Cloudera Manager will disable the HDFS canary test when security is enabled so as to prevent interference with Cloudera Manager's MapReduce monitoring functionality.

Severity: Medium

Workaround: None

Not all monitoring configurations are migrated from MR1 to MR2.

When MapReduce v1 configurations are imported for use by YARN (MR2), not all of the monitoring configuration values are currently migrated. Users may need to reconfigure custom values for properties such as thresholds.

Severity: Medium

Workaround: Manually reconfigure any missing property values.

"Access Denied" may appear for some features after adding a license or starting a trial.

After starting a 60-day trial or installing a license for Enterprise Edition, you may see an "access denied" message when attempting to access certain Enterprise Edition-only features such as the Reports Manager. You need to log out of the Admin Console and log back in to access these features.

Severity: Low

Workaround: Log out of the Admin Console and log in again.

Hue must set impersonation on when using Impala with impersonation.

When using Impala with impersonation, the impersonation_enabled flag must be present and configured in the hue.ini file. If impersonation is enabled in Impala (in other words, if Impala is using Sentry) then this flag must be set true. If Impala is not using impersonation, it should be set false (the default).

Workaround: Set advanced configuration snippet value for hue.ini as follows:
  1. Go to the Hue Service Configuration Advanced Configuration Snippet for hue_safety_valve.ini under the Hue service Configuration settings, Service-Wide > Advanced category.
  2. Add the following, then uncomment the setting and set the value True or False as appropriate:
    #################################################################
    # Settings to configure Impala
    #################################################################
    
    [impala]
      ....
      # Turn on/off impersonation mechanism when talking to Impala
      ## impersonation_enabled=False

Cloudera Manager Server may fail to start when upgrading using a PostgreSQL database.

If you're upgrading to Cloudera Manager 5.0.0 beta 1 and you're using a PostgreSQL database, the Cloudera Manager Server may fail to start with a message similar to the following:
ERROR [main:dbutil.JavaRunner@57] Exception while executing
com.cloudera.cmf.model.migration.MigrateConfigRevisions 
java.lang.RuntimeException: java.sql.SQLException: Batch entry <xxx> insert into REVISIONS 
(REVISION_ID, OPTIMISTIC_LOCK_VERSION, USER_ID, TIMESTAMP, MESSAGE) values (...) 
was aborted. Call getNextException to see the cause.
Workaround: Use psql to connect directly to the server's database and issue the following SQL command:
alter table REVISIONS alter column MESSAGE type varchar(1048576);
After that, your Cloudera Manager server should start up normally.

Issues Fixed in Cloudera Manager 5.0.0 Beta 1

After an upgrade from Cloudera Manager 4.6.3 to 4.7, Impala does not start.

After an upgrade from Cloudera Manager 4.6.3 to 4.7 when Navigator is used, Impala will fail to start because the Audit Log Directory property has not been set by the upgrade procedure.

Severity: Low.

Workaround: Manually set the property to /var/log/impalad/audit. See Configuring Service Auditing Properties for more information.