ambari-dev mailing list archives

From "Hari Sekhon (JIRA)" <>
Subject [jira] [Created] (AMBARI-8785) Resource Manager HA Kerberos principal not handled or even notified
Date Thu, 18 Dec 2014 12:00:28 GMT
Hari Sekhon created AMBARI-8785:

             Summary: Resource Manager HA Kerberos principal not handled or even notified
                 Key: AMBARI-8785
             Project: Ambari
          Issue Type: Bug
    Affects Versions: 1.7.0
         Environment: HDP 2.1
            Reporter: Hari Sekhon

When enabling Yarn Resource Manager HA in a Kerberos secured cluster, Ambari fails to tell
the user about the required Kerberos principal + keytab for the new Resource Manager instance.

As a result the new Resource Manager fails to start with the following logs:
{code}2014-12-18 11:39:06,379 FATAL resourcemanager.ResourceManager (
- Error starting ResourceManager
org.apache.hadoop.yarn.exceptions.YarnRuntimeException: Failed to login
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(
        at org.apache.hadoop.service.AbstractService.start(
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(
Caused by: Login failure for rm/<host>@REALM from keytab /etc/security/keytabs/rm.service.keytab
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.doSecureLogin(
        at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(
        ... 2 more
Caused by: Unable to obtain password from user

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(
        at java.lang.reflect.Method.invoke(
        at Method)
        ... 5 more
2014-12-18 11:39:06,383 INFO  resourcemanager.ResourceManager (
SHUTDOWN_MSG: Shutting down ResourceManager at <host>/x.x.x.x
{code}

The fix is quite simple for experienced cluster administrators: create the principal, export
the keytab, mimic the original RM permissions of yarn:hadoop 620 (not really correct octal
but that's a separate issue I've already raised to fix keytab perms AMBARI-8138) and then
it will start up.

This is sort of related to AMBARI-8610 where Ambari should export a CSV for new hosts/services
to allow existing automation scripts to generate the principals and distribute the keytabs
such as the basic shipped with Ambari or the more real world FreeIPA one
I publish on my github (

Except in this instance it's not a new service, it's just HA enablement where it doesn't notify
users that RM HA will require a new Kerberos principal + keytab to allow them to do that, never
mind provide a subset CSV for passing to a kerberos setup script. This issue will also affect
NN HA if Ambari ever allows setting up NN HA without disabling Kerberos first.


Hari Sekhon

This message was sent by Atlassian JIRA
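
A preflight check for the start-up failure reported above, as an added example that is not part of the original message or of Ambari: it parses an MIT-format keytab (file format 0x0502) and reports whether the new Resource Manager's principal is present and whether the file is accessible to "other" users. The function names, the sample host and realm, and the rule that no world permission bits may be set are assumptions made for illustration.

```python
import os, stat, struct

def keytab_principals(data):
    """Return the set of principals in an MIT keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size > 0:  # a negative size marks a deleted entry (hole)
            found.add(_principal(data[pos:pos + size]))
        pos += abs(size)
    return found

def _principal(entry):
    (count,) = struct.unpack_from(">H", entry, 0)
    pos, parts = 2, []
    for _ in range(count + 1):  # realm first, then the name components
        (n,) = struct.unpack_from(">H", entry, pos)
        parts.append(entry[pos + 2:pos + 2 + n].decode())
        pos += 2 + n
    return "/".join(parts[1:]) + "@" + parts[0]

def check_rm_keytab(path, principal):
    """Return a list of problems; an empty list means the keytab looks usable."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as fh:
            names = keytab_principals(fh.read())
    except (OSError, ValueError, struct.error) as exc:
        return [f"cannot read keytab {path}: {exc}"]
    problems = []
    if principal not in names:
        problems.append(f"{principal} not in keytab (has: {sorted(names)})")
    if mode & 0o007:  # assumption: a keytab must not be world-accessible
        problems.append(f"keytab is world-accessible (mode {oct(mode)})")
    return problems

def sample_keytab(realm, *components):
    """Constructed test data: a one-entry keytab with a dummy all-zero key."""
    body = struct.pack(">H", len(components))
    for s in (realm, *components):
        body += struct.pack(">H", len(s)) + s.encode()
    # name type 1, timestamp 0, kvno 1, enctype 17, 16-byte key
    body += struct.pack(">IIBHH", 1, 0, 1, 17, 16) + bytes(16)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body
```

Running `check_rm_keytab` on the second Resource Manager host with the `rm/<host>@REALM` principal and keytab path from the log, before enabling HA, shows a missing keytab or a missing principal ahead of the failed start.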
