ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas" <>
Subject Re: Review Request 31738: Kerberos: Add Host did not generate keytabs
Date Wed, 04 Mar 2015 19:26:20 GMT

This is an automatically generated e-mail. To reply, visit:

(Updated March 4, 2015, 2:26 p.m.)

Review request for Ambari, Emil Anca, Eugene Chekanskiy, John Speidel, and Robert Nettleton.

Bugs: AMBARI-9917

Repository: ambari


1) using build 440
2) three node cluster, hdfs, yarn, mr, tez, hive, zk, pig, ams
3) setup nnha, rmha
4) enabled kerb
5) all is good
6) added second hive metastore
7) added second hiveserver2
8) all is good
9) added host with DN and clients
10) keytabs are not created on the new host. i was not prompted for kdc creds. basically,
i did 1-9 all in one shot, never logging out.

As a workaround 1:
- Attempted to regen keytabs, with "missing only" checkbox checked. it looks like it remade
all principals and keytabs for the cluster but didn't distribute the keytabs. That is concerning
that this might be an additional issue for another JIRA maybe. Anycase: didn't result in getting
keytabs on my new host.

As a workaround 2:
- Attempted regen keytabs all. Made all princs and keytabs and distributed for cluster hosts
except my new host. So no lock here either.

# Solution 
Force the Kerberos logic to not prune out hosts that _will_ have the Kerberos Client installed
and in the approperiate state to receive requests. This scenarion only occurs when a new host
is being added and the components (including the KERBEROS_CLIENT) are being mass installed
and initialized.

Diffs (updated)

  ambari-server/src/main/java/org/apache/ambari/server/controller/ c4a5f4f




Manually tested in test cluster verifying the following scenarios all work:
- adding hosts, adding services (in varioius orders) 
- bringing a host up after being down before enabling Kerberos
-- regenerating keytabs before _fixing_ the Kerberos client
-- regenerating missing keytabs before _fixing_ the Kerberos client
-- regenerating keytabs after _fixing_ the Kerberos client
-- regenerating missing keytabs after _fixing_ the Kerberos client

# Local unit tests: PASSED

#Jenkins test results: PENDING (issues with Jenkins build)


Robert Levas

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message