Date: Sun, 29 Mar 2015 12:01:52 +0000 (UTC)
From: "Robert Levas (JIRA)"
To: dev@ambari.apache.org
Subject: [jira] [Updated] (AMBARI-10266) Cannot enable kerberos with Ambari server running non-root

     [ https://issues.apache.org/jira/browse/AMBARI-10266?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-10266:
----------------------------------
    Attachment: AMBARI-10266_01.patch

* Fixed {{server.tmp.dir}} in ambari.properties for unix and windows implementations
* Fixed permission setting on directories in {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction#ensureAmbariOnlyAccess}}
* Added unit test for {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction#ensureAmbariOnlyAccess}} in {{org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerActionTest}}

> Cannot enable kerberos with Ambari server running non-root
> ----------------------------------------------------------
>
>                 Key: AMBARI-10266
>                 URL: https://issues.apache.org/jira/browse/AMBARI-10266
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-10266_01.patch
>
>
> HDP 2.2, Ambari 2.0 Build #150, MIT KDC, during setup, set to use a sudoer account for ambari-server. Start ambari server.
> Failing during "Test Kerberos Client", see attached.
> {code}
> 27 Mar 2015 17:55:46,449 ERROR [qtp-client-19] KerberosHelper:1330 - Failed to create the temporary data directory.
> java.io.IOException: Failed to create a temporary directory in /var/lib/ambari-server/tmp
>     at org.apache.ambari.server.controller.KerberosHelper.createTemporaryDirectory(KerberosHelper.java:1324)
>     at org.apache.ambari.server.controller.KerberosHelper.handleTestIdentity(KerberosHelper.java:945)
>     at org.apache.ambari.server.controller.KerberosHelper.createTestIdentity(KerberosHelper.java:433)
>     at org.apache.ambari.server.controller.AmbariManagementControllerImpl.createAction(AmbariManagementControllerImpl.java:2944)
>     at org.apache.ambari.server.controller.internal.RequestResourceProvider$1.invoke(RequestResourceProvider.java:161)
>     at org.apache.ambari.server.controller.internal.RequestResourceProvider$1.invoke(RequestResourceProvider.java:158)
>     at org.apache.ambari.server.controller.internal.AbstractResourceProvider.createResources(AbstractResourceProvider.java:273)
>     at org.apache.ambari.server.controller.internal.RequestResourceProvider.createResources(RequestResourceProvider.java:158)
>     at org.apache.ambari.server.controller.internal.ClusterControllerImpl.createResources(ClusterControllerImpl.java:289)
>     at org.apache.ambari.server.api.services.persistence.PersistenceManagerImpl.create(PersistenceManagerImpl.java:75)
>     at org.apache.ambari.server.api.handlers.CreateHandler.persist(CreateHandler.java:36)
>     at org.apache.ambari.server.api.handlers.BaseManagementHandler.handleRequest(BaseManagementHandler.java:72)
>     at org.apache.ambari.server.api.services.BaseRequest.process(BaseRequest.java:135)
>     at org.apache.ambari.server.api.services.BaseService.handleRequest(BaseService.java:103)
>     at org.apache.ambari.server.api.services.BaseService.handleRequest(BaseService.java:72)
>     at org.apache.ambari.server.api.services.RequestService.createRequests(RequestService.java:145)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:606)
>     at com.sun.jersey.spi.container.JavaMethodInvokerFactory$1.invoke(JavaMethodInvokerFactory.java:60)
>     at com.sun.jersey.server.impl.model.method.dispatch.AbstractResourceMethodDispatchProvider$ResponseOutInvoker._dispatch(AbstractResourceMethodDispatchProvider.java:205)
>     at com.sun.jersey.server.impl.model.method.dispatch.ResourceJavaMethodDispatcher.dispatch(ResourceJavaMethodDispatcher.java:75)
>     at com.sun.jersey.server.impl.uri.rules.HttpMethodRule.accept(HttpMethodRule.java:288)
>     at com.sun.jersey.server.impl.uri.rules.SubLocatorRule.accept(SubLocatorRule.java:134)
>     at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     at com.sun.jersey.server.impl.uri.rules.ResourceClassRule.accept(ResourceClassRule.java:108)
>     at com.sun.jersey.server.impl.uri.rules.RightHandPathRule.accept(RightHandPathRule.java:147)
>     at com.sun.jersey.server.impl.uri.rules.RootResourceClassesRule.accept(RootResourceClassesRule.java:84)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1469)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl._handleRequest(WebApplicationImpl.java:1400)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1349)
>     at com.sun.jersey.server.impl.application.WebApplicationImpl.handleRequest(WebApplicationImpl.java:1339)
>     at com.sun.jersey.spi.container.servlet.WebComponent.service(WebComponent.java:416)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:537)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.service(ServletContainer.java:708)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:652)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1329)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.apache.ambari.server.security.authorization.AmbariAuthorizationFilter.doFilter(AmbariAuthorizationFilter.java:178)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:237)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1300)
>     at org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:72)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1300)
>     at org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:47)
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1300)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:445)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:559)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1038)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:374)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:189)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:972)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
>     at org.apache.ambari.server.controller.FailsafeHandlerList.handleNonFailSafe(FailsafeHandlerList.java:148)
>     at org.apache.ambari.server.controller.AmbariHandlerList.handleNonFailSafe(AmbariHandlerList.java:157)
>     at org.apache.ambari.server.controller.FailsafeHandlerList.handle(FailsafeHandlerList.java:130)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
>     at org.eclipse.jetty.server.Server.handle(Server.java:363)
>     at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:483)
>     at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:931)
>     at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:992)
>     at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:856)
>     at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:240)
>     at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:627)
>     at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:51)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
>     at java.lang.Thread.run(Thread.java:745)
> {code}
> This is due to an incorrect temporary directory in the ambari.properties file. Once the (incorrect) temporary directory was manually created, the following error is observed:
> {code}
> 27 Mar 2015 18:00:10,630  INFO [Server Action Executor Worker 55] CreateKeytabFilesServerAction:170 - Creating keytab file for ambari-qa_mngxikyl@EXAMPLE.COM on host ip-10-99-165-62.ec2.internal
> 27 Mar 2015 18:00:10,755 ERROR [Server Action Executor Worker 55] KerberosOperationHandler:433 - Failed to export keytab file
> java.io.FileNotFoundException: /var/lib/ambari-server/tmp/.ambari_1427493565210-0.d/ip-10-99-165-62.ec2.internal/1ce5855f40583660938abde762237b442c2d5ba9 (Permission denied)
>     at java.io.FileOutputStream.open(Native Method)
>     at java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>     at org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Keytab.java:273)
>     at org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab.java:133)
>     at org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler.createKeytabFile(KerberosOperationHandler.java:429)
>     at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.processIdentity(CreateKeytabFilesServerAction.java:276)
>     at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:494)
>     at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:386)
>     at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.execute(CreateKeytabFilesServerAction.java:99)
>     at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:504)
>     at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:441)
>     at java.lang.Thread.run(Thread.java:745)
> 27 Mar 2015 18:00:10,756 ERROR [Server Action Executor Worker 55] CreateKeytabFilesServerAction:290 - Failed to create keytab file for ambari-qa_mngxikyl@EXAMPLE.COM - Failed to export keytab file
> org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Failed to export keytab file
>     at org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler.createKeytabFile(KerberosOperationHandler.java:439)
>     at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.processIdentity(CreateKeytabFilesServerAction.java:276)
>     at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:494)
>     at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:386)
>     at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.execute(CreateKeytabFilesServerAction.java:99)
>     at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:504)
>     at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:441)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: java.io.FileNotFoundException: /var/lib/ambari-server/tmp/.ambari_1427493565210-0.d/ip-10-99-165-62.ec2.internal/1ce5855f40583660938abde762237b442c2d5ba9 (Permission denied)
>     at java.io.FileOutputStream.open(Native Method)
>     at java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>     at org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Keytab.java:273)
>     at org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab.java:133)
>     at org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler.createKeytabFile(KerberosOperationHandler.java:429)
>     ... 7 more
> 27 Mar 2015 18:00:10,757  INFO
> {code}
> This was caused by incorrect permissions on {{/var/lib/ambari-server/tmp/.ambari_1427493565210-0.d/ip-10-99-165-62.ec2.internal/}} where the directory was set to 600 (rw-------) rather than 700 (rwx------).
> *Solution*
> * Fix ambari.properties to have the correct {{server.tmp.dir}} value, which is {{/var/lib/ambari-server/data/tmp}}
> * Make sure the directories in the created path have executable permissions for the user that Ambari executes as.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
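
The permission problem described in the issue, as an added example that is not part of the original message and is not Ambari's code: a directory restricted to its owner needs mode 700, because without the execute (search) bit even the owner cannot create files in it, while a regular file needs only 600. The class name, method names and sample paths are hypothetical, and a POSIX file system is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermissions;

// Added example: hypothetical class, not Ambari code. Assumes a POSIX file system.
public class OwnerOnlyAccessDemo {

  // Owner-only access. A directory needs the execute (search) bit so that its
  // owner can create and open entries inside it; a regular file does not.
  static void restrictToOwner(Path path) throws IOException {
    String mode = Files.isDirectory(path) ? "rwx------" : "rw-------";
    Files.setPosixFilePermissions(path, PosixFilePermissions.fromString(mode));
  }

  // True if the current user can create (and then remove) a file in dir.
  static boolean canCreateFileIn(Path dir) {
    try {
      Files.delete(Files.createFile(dir.resolve("probe.keytab")));
      return true;
    } catch (IOException e) { // access denied for a non-root user without the x bit
      return false;
    }
  }

  static String mode(Path path) throws IOException {
    return PosixFilePermissions.toString(Files.getPosixFilePermissions(path));
  }

  public static void main(String[] args) throws IOException {
    Path base = Files.createTempDirectory("keytab-demo"); // constructed sample tree
    Path hostDir = Files.createDirectory(base.resolve("host.example.internal"));

    // State reported in the issue: 600 applied to a directory.
    Files.setPosixFilePermissions(hostDir, PosixFilePermissions.fromString("rw-------"));
    System.out.println(mode(hostDir) + " can create: " + canCreateFileIn(hostDir));

    // Corrected state: 700 on the directory, 600 on the file inside it.
    restrictToOwner(hostDir);
    Path keytab = Files.createFile(hostDir.resolve("sample.keytab"));
    restrictToOwner(keytab);
    System.out.println(mode(hostDir) + " can create: " + canCreateFileIn(hostDir));
    System.out.println(mode(keytab) + " " + keytab.getFileName());

    Files.delete(keytab);
    Files.delete(hostDir);
    Files.delete(base);
  }
}
```

Run as root, the 600 directory also accepts the probe file, because root bypasses directory permission checks; that is consistent with the failure appearing only when the server runs as a non-root user.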