ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas" <rle...@hortonworks.com>
Subject Re: Review Request 29459: JobHistoryServer Fails to pass service check in Kerberized cluster
Date Mon, 29 Dec 2014 21:27:40 GMT


> On Dec. 29, 2014, 4:15 p.m., Jaimin Jetly wrote:
> > ambari-server/src/main/resources/stacks/HDP/2.2/services/OOZIE/kerberos.json, lines
18-27
> > <https://reviews.apache.org/r/29459/diff/1/?file=802481#file802481line18>
> >
> >     hadoop.security.auth_to_local property in core-site.xml should also have mapping
for oozie server if oozie is an installed service. This translates to having local_username
for oozie server principal.
> >     
> >     Same stands for falcon.
> 
> Robert Levas wrote:
>     This would be a Kerberos descriptor issue after this patch is applied.  Do you want
this patch to contain the descriptor updates for that?
> 
> Jaimin Jetly wrote:
>     I just wanted to bring it to the attention. We can address it seperately in another
task. In that case please create an Apache Ambari Jira to keep track of this issue.

patch comming. :)


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29459/#review66301
-----------------------------------------------------------


On Dec. 29, 2014, 4:27 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/29459/
> -----------------------------------------------------------
> 
> (Updated Dec. 29, 2014, 4:27 p.m.)
> 
> 
> Review request for Ambari, John Speidel, Robert Nettleton, and Yusaku Sako.
> 
> 
> Bugs: AMBARI-8935
>     https://issues.apache.org/jira/browse/AMBARI-8935
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> JobHistoryServer Fails to pass service check in Kerberized cluster due to kerberos to
local account mapping failure 
> 
> ```
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
Permission denied: user=jhs, access=READ_EXECUTE, inode="/mr-history/done/2014":mapred:hadoop:drwxrwx---
> ```
> 
> `core-site` `auth_to_local` fails to map `jhs/_HOST` to `mapred` user.  
> 
> The solution is to dynamically create auth_to_local configuration based on kerberos descriptors.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
PRE-CREATION 
>   ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
c7d08cc 
>   ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptor.java
70bd396 
>   ambari-server/src/main/resources/stacks/HDP/2.2/services/FALCON/kerberos.json 827ce46

>   ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/kerberos.json 4b6213e

>   ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/kerberos.json 52c7d37

>   ambari-server/src/main/resources/stacks/HDP/2.2/services/OOZIE/kerberos.json 9cb24ca

>   ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json 7677a7a

>   ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
PRE-CREATION 
>   ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptorTest.java
a35bad3 
>   ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json 64c7a8c 
>   ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json 7271b36

> 
> Diff: https://reviews.apache.org/r/29459/diff/
> 
> 
> Testing
> -------
> 
> Manually tested on test cluster - JobHistoryServer sometimes fails the service check,
but appears to be unrelated to the auth_to_local mapping issue.
> 
> Added new test case: `org.apache.ambari.server.controller.AuthToLocalBuilderTest`
> Updated existing test case: `org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptorTest`
> 
> Waiting for Jenkins server for test results - issues with rat check in truck not related
to this patch.
> 
> Ran tests locally.
> 
> Running org.apache.ambari.server.controller.AuthToLocalBuilderTest
> Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.066 sec
> 
> Running org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptorTest
> Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.141 sec
> 
> Ambari Server test results
> Tests run: 2469, Failures: 0, Errors: 0, Skipped: 13
> 
> 
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 28:17.957s
> [INFO] Finished at: Mon Dec 29 11:27:34 EST 2014
> [INFO] Final Memory: 40M/568M
> [INFO] ------------------------------------------------------------------------
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message