Subject: Re: Review Request 32168: Hive alert on secured cluster
From: "Robert Levas"
To: "Andrew Onischuk", "Vitalyi Brodetskyi", "Jonathan Hurley"
Cc: "Robert Levas", "Ambari"
Date: Tue, 17 Mar 2015 20:44:05 -0000
Message-ID: <20150317204405.391.54057@reviews.apache.org>
In-Reply-To: <20150317192601.391.58463@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/32168/
X-ReviewRequest-Repository: ambari

> On March 17, 2015, 3:26 p.m., Jonathan Hurley wrote:
> > ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py, line 94
> >
> > Can you explain how the smokeuser is different than the smokeuser principal? Should the commands be executed as the principal instead of the user?
>
> Robert Levas wrote:
>     Essentially they represent two different identities. The _smoke user principal_ is the "username" of the Kerberos identity, where the _smoke user_ is the "username" of the local user account. These values (related to the smoke user) tend to look a lot alike (_ambari-qa@EXAMPLE.COM_ and _ambari-qa_), but there are no rules that state that these names need to be so similar. This is where the _auth-to-local_ maps come into play. It attempts to match a principal name to a local user account, so there is no need to directly map the two.
>
>     Given this, there are scenarios where the principal name of the smoke user Kerberos identity **must** be changed from _ambari-qa@REALM_. A common one is a shared KDC among multiple Ambari clusters. In this case, we need to make sure that one cluster does not step on another cluster's smoke user identity. For this, we recommend adding the cluster name to the smoke user principal. So _ambari-qa@REALM_ becomes _ambari-qa-c1@REALM_, _ambari-qa-c2@REALM_, etc...
>
>     This is actually the case for all _headless_ (or _user_) identities to ensure uniqueness. For _service_ identities, the uniqueness comes in the form of a hostname, tying the identity to a particular host.
>
> Jonathan Hurley wrote:
>     Thanks!

No problem... thanks for the review. :)

- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32168/#review76778
-----------------------------------------------------------


On March 17, 2015, 2:59 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32168/
> -----------------------------------------------------------
>
> (Updated March 17, 2015, 2:59 p.m.)
>
>
> Review request for Ambari, Andrew Onischuk, Jonathan Hurley, and Vitalyi Brodetskyi.
>
>
> Bugs: AMBARI-10101
>     https://issues.apache.org/jira/browse/AMBARI-10101
>
>
> Repository: ambari
>
>
> Description
> -------
>
> When Kerberos is enabled, Hive components show alerts due to the following error:
>
> ```
> WARNING 2015-03-16 06:01:08,253 base_alert.py:140 - [Alert][hive_metastore_process] Unable to execute alert. Execution of '/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa; ' returned 1. kinit: Keytab contains no suitable keys for ambari-qa@REALM while getting initial credentials
> ```
>
> This occurs because the alert logic for Hive uses `cluster-env/smokeuser` rather than `cluster-env/smokeuser_principal_name` to get the principal name for the smoke test identity.
>
>
> Diffs
> -----
>
>   ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_metastore.py 804ddfe
>   ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py 0fb8898
>
> Diff: https://reviews.apache.org/r/32168/diff/
>
>
> Testing
> -------
>
> Manually tested on a cluster by setting the smoke user principal name to something other than `${cluster-env/smokeuser}@${realm}` and saw that alerts for Hive were working as designed.
>
>
> Thanks,
>
> Robert Levas
>
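As an added illustration of the distinction discussed in this thread (example code written for this page, not code from the Ambari project or from the review's diff), the following Python models the two cluster-env keys the alert reads, an offline stand-in for `kinit -kt` that reproduces the "Keytab contains no suitable keys" failure quoted in the description, and a simplified evaluator for Hadoop-style auth_to_local rules that maps a cluster-suffixed headless principal back to its local account. The cluster-env values, keytab contents and rules are constructed sample data, and `kinit_argv`, `simulate_kinit`, `auth_to_local` and `run_alert_kinit` are names introduced here.

```python
import re

# Constructed sample cluster-env values (not from a real cluster). The local account and
# the Kerberos principal differ on purpose: with a KDC shared by several clusters the
# cluster name is appended to the headless principal, which is exactly the case that
# made the Hive alert fail when it read smokeuser instead of smokeuser_principal_name.
CLUSTER_ENV = {
    "cluster-env/smokeuser": "ambari-qa",
    "cluster-env/smokeuser_principal_name": "ambari-qa-c1@EXAMPLE.COM",
    "cluster-env/smokeuser_keytab": "/etc/security/keytabs/smokeuser.headless.keytab",
}
DEFAULT_REALM = "EXAMPLE.COM"

# Constructed: the principals a `klist -kt` of that keytab would list.
KEYTAB_PRINCIPALS = ["ambari-qa-c1@EXAMPLE.COM"]

# Constructed auth_to_local rules for a cluster "c1": the headless principal is mapped
# back to the local account, a service principal to its service user, and everything
# else in the local realm falls through to DEFAULT.
AUTH_TO_LOCAL_RULES = [
    "RULE:[1:$1@$0](ambari-qa-c1@EXAMPLE.COM)s/.*/ambari-qa/",
    "RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/",
    "DEFAULT",
]


def kinit_argv(config, use_principal_name, kinit_path="/usr/bin/kinit"):
    """Build the argv an alert would hand to kinit (hypothetical helper).

    use_principal_name=False reproduces the defect under review: the local
    account name is passed where the Kerberos principal belongs.
    """
    key = "cluster-env/smokeuser_principal_name" if use_principal_name else "cluster-env/smokeuser"
    # Assumption: without Kerberos the principal name is left equal to the user name.
    principal = config.get(key) or config["cluster-env/smokeuser"]
    return [kinit_path, "-kt", config["cluster-env/smokeuser_keytab"], principal]


def simulate_kinit(argv, keytab_principals, default_realm=DEFAULT_REALM):
    """Offline model of `kinit -kt <keytab> <principal>`: a principal given without a
    realm gets the default realm appended, and the keytab must hold a key for exactly
    that principal. Returns (exit_code, stderr) shaped like the message in the log."""
    principal = argv[-1]
    if "@" not in principal:
        principal = f"{principal}@{default_realm}"
    if principal not in keytab_principals:
        return 1, (f"kinit: Keytab contains no suitable keys for {principal} "
                   "while getting initial credentials")
    return 0, ""


# Simplified re-implementation of Hadoop auth_to_local evaluation (assumption: the
# RULE:[n:fmt](regex)s/pat/repl/g and DEFAULT syntax of hadoop.security.auth_to_local).
_RULE_RE = re.compile(r"^RULE:\[(\d+):([^\]]+)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g?))?$")


def auth_to_local(rules, principal, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a local user name using the first matching rule."""
    name, _, realm = principal.partition("@")
    components = name.split("/")          # "hive/host@R" -> ["hive", "host"]
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT: principals of the local realm map to their first component.
            if realm == default_realm:
                return components[0]
            continue
        match = _RULE_RE.match(rule)
        if match is None:
            raise ValueError(f"unparseable rule: {rule}")
        n, fmt, regexp, pat, repl, flag = match.groups()
        if int(n) != len(components):     # rule applies to n-component principals only
            continue
        base = fmt.replace("$0", realm)   # $0 = realm, $1.. = components
        for i, comp in enumerate(components, start=1):
            base = base.replace(f"${i}", comp)
        if regexp is not None and re.fullmatch(regexp, base) is None:
            continue
        if pat is not None:               # sed-style s/pat/repl/[g]
            base = re.sub(pat, repl, base, count=0 if flag else 1)
        return base
    raise ValueError(f"no auth_to_local rule matches {principal}")


def run_alert_kinit(config, use_principal_name):
    """Return the (exit_code, stderr) of the modelled kinit for the alert's argv."""
    return simulate_kinit(kinit_argv(config, use_principal_name), KEYTAB_PRINCIPALS)


if __name__ == "__main__":
    for fixed in (False, True):
        code, err = run_alert_kinit(CLUSTER_ENV, fixed)
        print("fixed" if fixed else "before", "->", code, err)
    for p in ("ambari-qa-c1@EXAMPLE.COM", "hive/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM"):
        print(p, "->", auth_to_local(AUTH_TO_LOCAL_RULES, p))
```

Running the module shows the two halves of the discussion side by side: with `use_principal_name=False` the bare local name `ambari-qa` is completed with the default realm and finds no key in a keytab that only holds `ambari-qa-c1@EXAMPLE.COM`, which is the error in the quoted log line; with the principal name key the kinit succeeds, and the auth_to_local rules are what later turn that cluster-suffixed principal back into the `ambari-qa` local account, so the two names never have to be equal.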