Hi, As far as security is concerned we (Criteo) are using CDH5 with JDK8 in production with security enabled. We reported some gripes with some specific java versions: https://issues.cloudera.org/browse/DISTRO-732
I would bump the dependency to _u51 or later; _u40 _u45 do have a lot of problems with SPNEGO SSO. JB