DSE 6.8.2 release notes
DataStax Enterprise 6.8.x release notes are now hosted here: DSE 6.8.4 and later release notes |
31 July 2020
6.8.2 Components
All components from DSE 6.8.2 are listed. Components updated since DSE 6.8.1 (if any) are indicated with an asterisk (*).
-
Apache Solr™ 6.0.1.4.2769
-
Apache Spark™ 2.4.0.16
-
Apache TinkerPop™ 3.4.5 with additional production-certified changes
-
Apache Tomcat® 8.0.53
-
DSE Java Driver 1.10.0-dse+20200217
-
Netty 4.1.25.7.dse
-
Spark JobServer 0.8.0.49
DSE 6.8.2 is compatible with Apache Cassandra 3.11 and adds additional production-certified changes, if any.
Along with Cassandra 3.11.6, DSE 6.8.2 is supported by DataStax Kubernetes Operator for Apache Cassandra.
Experimental features
DataStax Labs provides the Apache Cassandra and DataStax communities with non-supported previews of potential production software enhancements, tools, aids, and partner software designed to increase productivity. See DataStax Labs and DSE OpsCenter Labs features.
DSE 6.8.2 Highlights
DSE database
-
New
systemd
units for package installs on RHEL and other compatible operating systems. See RedHat systemd configuration. -
New
nodetool import
command that lets you import SSTables from one or more directories. See nodetool import. -
Several new settings in
cassandra.yaml
. See 6.8.2 DSE database changes and enhancements below. -
Storage-Attached Indexing (SAI), a beta feature, adds supports for defining an index based on an individual column that is part of the table’s composite partition key. You can define separate, additional SAI indexes on other individual columns in the same table’s composite partition key. SAI 6.8.x continues to support defining multiple SAI indexes on any non-partition key column in the same table. See Examine SAI column index and query rules.
DSE security
Enhanced LDAP settings to properly handle nested groups so that LDAP enumerates all ancestors of a user’s distinguishedName
.
Inherited groups retrieval with directory_search
and members_search
types.
Fixed fetching parent groups of a role that’s mapped to an LDAP group.
See the security section of this topic.
6.8.2 DSE database
Changes and enhancements:
-
New
systemd
units for package installs on RHEL and other compatible operating systems. See RedHat systemd configuration. (DSP-7603) -
New
nodetool import
command that lets you import SSTables from one or more directories. See nodetool import. (DB-3253) -
New disk-usage guardrail,
disk_usage_max_disk_size_in_gb
, added incassandra.yaml
. See disk_usage_max_disk_size_in_gb. (DB-4380) -
New
snapshot_before_dropping_column
configuration option added incassandra.yaml
. See snapshot_before_dropping_column.(DB-2690) -
Increased the default
direct_reads_size_in_mb
value incassandra.yaml
. See direct_reads_size_in_mb. (DB-4348) -
New entries to
jvm.options
to assist with capturing thread dumps. (DSP-20778) -
If encryption is set on an SSTable, the SAI indexes are encrypted as well. Specifically the entire trie string terms dictionary is encrypted. Also, the user-readable sections of the kdtree are encrypted. See About SAI encryption. (DSP-16939)
-
Storage-Attached Indexing (SAI) adds support for queries using SAI indexes based on
INET
columns (IPv4 and IPv6). The queries may use EQ, GT, LT, GE, and LE operators. (DSP-17734) -
Storage-Attached Indexing (SAI), a beta feature, adds supports for defining an index based on an individual column that is part of the table’s composite partition key. You can define separate, additional SAI indexes on other individual columns in the same table’s composite partition key. SAI 6.8.x continues to support defining multiple SAI indexes on any non-partition key column in the same table. See Examine SAI column index and query rules. (DSP-20634)
-
PKCS11 keystore is supported in Advanced workloads. See keystore_type. (DSP-20094)
-
Python 2.7.x and 3.6+ are supported for
cqlsh
. (DB-4151) -
When working on encrypted SSTables, Cassandra tools such as
sstabledump
orsstablesplit
need to create a remote connection inReplicatedKeyProvider
to a Cassandra node in order to be able to decrypt the sstables. (Thesstableloader
tool is not affected.) However, if security is enabled on the cluster, the tools won’t be able to decrypt the sstables because they have no way of specifying security parameters for the cluster connection. (DSP-12666) -
LDAP servers can now handle multiple, comma separated addresses, with or without a port. If the port is not provided, the
ldap_options.server_port
parameter is used by default. See LDAP options. (DSP-13086)
Resolved issues:
-
Recording a slow CQL query to the log will no longer block the thread. (DSP-20894)
-
Fixed an issue where after a node replacement procedure, the bootstrap indexing in DSE Search was happening only on one TPC core. (DB-4049)
-
Fixed an issue to prevent an unbounded number of flushing tasks for memtables that are almost empty. (DB-4376)
-
Fixed an issue that caused nodes to crash after an upgrade from DSE 5.1 to 6.7.7. (DB-4379)
-
Fixed the problem with unrepairable digest mismatch between nodes running DSE 5.0.x and DSE 5.1+ (during upgrade) where the query includes a subset of columns. (DB-4399)
-
Fix an issue that was causing excessive contention during encryption/decryption operations. The fix resulted in an encryption/decryption performance improvement. (DB-4419)
-
Fixed an issue where during a large test run that reached a density of about 9TB/node, several instances of a TPC
WouldBlockException
messages, related toNodeSync
, appeared in the logs of multiple nodes. (DB-4456) -
Fixed a problem with the treatment of zeroes in the type
decimal
that could cause assertion errors, or not being able to find some rows if their key is 0 written using different precisions, or both. (DB-4472) -
Fixed the
NullPointerException
issue described in CASSANDRA-14200: NPE when dumping sstable with null value for timestamp column. (DB-4512) -
An issue that occurred while attempting to create an SSTable index (SASI) in 6.8.0 has been fixed. Previously, attempts to create a SASI index resulted in a
NoSuchMethod
error. (DSP-20720) -
Fixed an issue where the bloom filter false-positive rate calculation did not properly take into account true negatives, such as cases where read operations were attempted on non-existing rows. (DB-3246)
Known issues:
-
None.
6.8.2 DSE security
Changes and enhancements:
-
Enhanced LDAP settings to properly handle nested groups so that LDAP enumerates all ancestors of a user’s
distinguishedName
. (DSP-20107)-
Implemented inherited groups retrieval with both
directory_search
andmemberof_search
types. Before the change, even though inherited groups were requested, our LDAP feature did not take it into account at all. Users will see the difference immediately; no change in configuration is required (given the LDAP configuration is correct). -
Fixed fetching parent groups of a role which is mapped to an LDAP group. Previously when DSE needed to ascertain the roles that the particular role belonged to, DSE could get the roles only if the role of interest represented an LDAP user. When it represented an LDAP group, DSE sometimes received an empty set; in some cases, it worked by coincidence. To make this feature work, update its group search configuration. Refer to the
group_search_filter
description indse.yaml
. -
Added new options that allow you to configure optimized retrieval of parent groups including inherited ones in a single round-trip, when LDAP server supports such queries. In
dse.yaml
, seeall_groups_xxx
underldap_options
.
-
-
Two new LDAP options in
dse.yaml
(DSP-12612)-
extra_user_search_bases
-
extra_group_search_bases
See extra_user_search_bases and extra_group_search_bases.
-
-
While there is no change in default behavior, there is a new
render_cql_literals
option indse.yaml
under audit logging section, which isfalse
by default. When enabled, bound variables for logged statements will be rendered as CQL literals, which means there will be additional quotation marks and escaping, as well as values of all complex types (collections, tuples, UDTs) will be in human readable format. (DSP-17032) -
When DSE tries one authentication scheme and finds that the password is invalid, DSE now tries another scheme, but only if the user has a scheme permission for that other scheme. Example scenarios:
if user has permission to authenticate with scheme A, try scheme A if authenticated with A, success, exit if user has permission to authenticate with scheme B, try scheme B if authenticated with B, success, exit otherwise fail, exit
In summary, DSE controls which schemes should be tried by applying scheme permissions. Also, DSE will not try to use the scheme for which the user has no permission. (DSP-20903)
-
Raised the upper bound limit on DSE LDAP caches. See ldap_options.credentials_validity_in_ms and ldap_options.search_validity_in_seconds. (DSP-21072)
-
Provided information about how to get tools — such as
sstabledump
,sstablerepairedset
, andsstableloader
— working with SSTables that are encrypted with Transparent Data Encryption. See Using tools with TDE-encrypted SSTables. (DSP-20940)
Resolved security issues:
-
CVE security issues:
-
Fixed CVE-2019-20444 issue in which
HttpObjectDecoder.java
in Netty, before 4.1.44, allowed an HTTP header that lacked a colon. (DB-4068) -
Addressed the Jackson databind vulnerability (CVE-2020-8840) by upgrading
jackson-databind
to 2.9.10.4. (DSP-20981)
-
-
Fixed some security vulnerabilities for Solr HTTP REST API when authorization is enabled. Now, users with no appropriate permissions can perform search operations. Resources can be deleted when authorization is enabled, given the correct permissions. (DSP-20749)
-
Fixed an issue where the audit logging did not capture search queries. (DSP-21058)
-
Fixed an error condition when DSE failed to get the LDAP roles while refreshing a database schema. (DSP-21075)
6.8.2 DSE Analytics
Changes and enhancements:
PKCS11 keystore is supported in Advanced workloads. See keystore_type. (DSP-20094)
6.8.2 DSEFS
Changes and enhancements:
-
In DSEFS,
fsck
(file system consistency check) throttling is possible viap
or-parallelism
arguments. In the following example, the command performsfsck
by repairing up to 8 files at a time:dse fs fsck -p 8
This feature provides is a way to minimize
fsck
impact on overloaded clusters. TheLocationService
relies on Cassandra gossip. As a result of this change, connection/request timeouts no longer mark locations as unavailable. See the fsck reference topic. (DSP-20773)
Resolved DSEFS issues:
-
Backported the fix from DSP-15762: optimize remove recursive implementation - to lower the tombstone impact on Spark jobs. (DSP-20750)
-
Fixed excessive number of connections. (DSP-21021)
[[#682search]] === 6.8.2 DSE Search
Changes and enhancements:
-
PKCS11 keystore is supported in Advanced workloads. See keystore_type. (DSP-20094)
-
Reduced the encrypted search core loading/reloading time. (DSP-20692)
Resolved Search issues:
-
Fixed some security vulnerabilities for Solr HTTP REST API when authorization is enabled. Now, users with no appropriate permissions can perform search operations. Resources can be deleted when authorization is enabled, given the correct permissions. (DSP-20749)
-
Fixed an issue where a decryption block cache occasionally was not operational (SOLR-14498) (DSP-20987)
-
Fixed an issue where the audit logging did not capture search queries. (DSP-21058)
-
Fixed an issue where, after an LCM upgrade, the Solr http API was broken either through curl or the Solr UI. (DSP-21115)
-
Fixed an issue where after a node replacement procedure, the bootstrap indexing in DSE Search was happening only on one TPC core. (DB-4049)
6.8.2 DataStax Graph
Changes and enhancements:
PKCS11 keystore is supported in Advanced workloads. See keystore_type. (DSP-20094)
Resolved Graph issues:
Fixed an issue where DataStax Graph failed to complete a search query based on timestamp. (DSP-21117)
Cassandra changes for DSE 6.8.2
DataStax Enterprise 6.8.2 is compatible with Apache Cassandra™ 3.11 and includes all production-certified enhancements from previous versions.
General upgrade advice for DSE 6.8.2
General upgrade advice for DataStax Enterprise 6.8.0
DataStax Enterprise 6.8.2 is compatible with Apache Cassandra® 3.11. All upgrade advice from previous versions applies. Carefully reviewing the DataStax Enterprise upgrade planning and upgrade instructions can ensure a smooth upgrade and avoid pitfalls and frustrations.
DataStax Enterprise 6.8.2 is compatible with Apache Cassandra 3.11 and adds Cassandra changes for DSE 6.8.2.
For additional advice about upgrading between versions of Apache Cassandra, see General upgrade advice for DSE 6.8.1.
TinkerPop changes for DSE 6.8.2
DataStax Enterprise (DSE) 6.8.2 includes all changes from previous DSE versions. See TinkerPop upgrade documentation for all changes.