Mailing-List: contact dev-help@ambari.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@ambari.apache.org
Content-Type: multipart/alternative;
 boundary="===============4766615087503126346=="
MIME-Version: 1.0
Subject: Re: Review Request 21317: Decommission issues in secure cluster.
From: "Andrew Onischuk" <aonishuk@hortonworks.com>
To: "Vitalyi Brodetskyi" <vbrodetskyi@hortonworks.com>
Cc: "Andrew Onischuk" <aonishuk@hortonworks.com>,
 "Ambari" <dev@ambari.apache.org>
Date: Mon, 12 May 2014 10:49:30 -0000
Message-ID: <20140512104930.5509.21959@reviews.apache.org>
Auto-Submitted: auto-generated
Sender: "Andrew Onischuk" <noreply@reviews.apache.org>
References: <20140512104600.16543.7658@reviews.apache.org>
In-Reply-To: <20140512104600.16543.7658@reviews.apache.org>
Reply-To: "Andrew Onischuk" <aonishuk@hortonworks.com>

--===============4766615087503126346==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21317/
-----------------------------------------------------------

(Updated May 12, 2014, 10:49 a.m.)


Review request for Ambari and Vitalyi Brodetskyi.


Bugs: AMBARI-5729
    https://issues.apache.org/jira/browse/AMBARI-5729


Repository: ambari


Description (updated)
-------

Yarn package params.py file references to `nodemanager_principal_name` and
`nodemanager_keytab` properties. There are 3 issues over here:

  1. Ideally, Ambari agent should not access and so not even refer to any service principal name.
  2. If required, Ambari agent should use yarn-site properties to fetch service principal name and keytab path instead of using global properties.
  3. In the resourcemanager.py decomission action, Yarn user kinit's using nodemanager principal. Decommission action is always executed on resourcemanager host and so we should atleast use resource manager principal (as it is guaranteed to be on that host). **As of now in a secure cluster if NodeManager is not present on ResourceManager host then NodeManager decomissioning won't work (due to unavailability of NodeManager keytab)**

Also ambari-agent **does not kinit before executing DataNode decommission
command**. If an API request for decommissioning is made after hdfs user
kerberos ticket has expired then the request will fail due to kerberos
exception.


Diffs
-----

  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/hdfs_namenode.py e7ed33b 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/HDFS/package/scripts/params.py 7bc8ca7 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/YARN/package/scripts/params.py 065467c 
  ambari-server/src/main/resources/stacks/HDP/2.0.6/services/YARN/package/scripts/resourcemanager.py 6e6b34f 

Diff: https://reviews.apache.org/r/21317/diff/


Testing
-------

mvn clean test


Thanks,

Andrew Onischuk


--===============4766615087503126346==--