ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hari Sekhon (JIRA)" <>
Subject [jira] [Updated] (AMBARI-8785) Resource Manager HA Kerberos principal not handled and user not notified of requirement
Date Thu, 18 Dec 2014 12:12:13 GMT


Hari Sekhon updated AMBARI-8785:
    Summary: Resource Manager HA Kerberos principal not handled and user not notified of requirement
 (was: Resource Manager HA Kerberos principal not handled or even notified)

> Resource Manager HA Kerberos principal not handled and user not notified of requirement
> ---------------------------------------------------------------------------------------
>                 Key: AMBARI-8785
>                 URL:
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 1.7.0
>         Environment: HDP 2.1
>            Reporter: Hari Sekhon
> When enabling Yarn Resource Manager HA in a Kerberos secured cluster, Ambari fails to
tell the user about the required Kerberos principal + keytab for the new Resource Manager
> As as result the new Resource Manager fails to start with the following logs:
> {code}2014-12-18 11:39:06,379 FATAL resourcemanager.ResourceManager (
- Error starting ResourceManager
> org.apache.hadoop.yarn.exceptions.YarnRuntimeException: Failed to login
>         at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(
>         at org.apache.hadoop.service.AbstractService.start(
>         at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(
> Caused by: Login failure for rm/<host>@REALM from keytab /etc/security/keytabs/rm.service.keytab
>         at
>         at
>         at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.doSecureLogin(
>         at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(
>         ... 2 more
> Caused by: Unable to obtain password from user
>         at
>         at
>         at
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(
>         at java.lang.reflect.Method.invoke(
>         at
>         at$000(
>         at$
>         at$
>         at Method)
>         at
>         at
>         at
>         ... 5 more
> 2014-12-18 11:39:06,383 INFO  resourcemanager.ResourceManager (
> /************************************************************
> SHUTDOWN_MSG: Shutting down ResourceManager at <host>/x.x.x.x
> ************************************************************/
> {code}
> The fix is quite simple for experienced cluster administrators, create the principal,
export the keytab, mimic the original RM permissions of yarn:hadoop 620 (not really correct
octal but that's a separate issue I've already raised to fix keytab perms AMBARI-8138) and
then it will start up.
> This is sort of related to AMBARI-8610 where Ambari should export a CSV for new hosts/services
to allow existing automation scripts to generate the principals and and distributed the keytabs
such as the basic shipped with Ambari or the more real world FreeIPA one
I publish on my github (
> Except in this instance it's not a new service, it's just HA enablement where it doesn't
notify users that RM HA will require a new Keberos principal + keytab to allow them to do
that, never mind provide a subset CSV for passing to a kerberos setup script. This issue will
also affect NN HA if Ambari ever allows setting up NN HA without disabling Kerberos first.
> Regards,
> Hari Sekhon

This message was sent by Atlassian JIRA

View raw message