ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Emil Anca" <ea...@hortonworks.com>
Subject Review Request 33974: Kerberos: Keytab files are not distributed during add host if a retry is necessary during installation
Date Fri, 08 May 2015 11:31:24 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/33974/
-----------------------------------------------------------

Review request for Ambari, Robert Levas and Vitalyi Brodetskyi.


Bugs: AMBARI-11022
    https://issues.apache.org/jira/browse/AMBARI-11022


Repository: ambari


Description
-------

When adding a new host to a cluster where Kerberos is enabled and the installation of the
new components fails, upon retry the keytabs are not distributed to the host after successfully
installing the components. Note: the new identities were not created either.
Workaround
To recover from this, the missing keytabs can be regenerated using the Regenerate Keytabs
feature with the missing only option specified. The component can then be started successfully.
Steps to reproduce
Create cluster (can be small, one node with only HDFS and Zookeeper)
Enable Kerberos
Add new host with only DataNode (no clients, only to make the failure happen quicker)
While the relevant hadoop packages are being installed, kill the package manger (i.e., yum,
zypper, etc...)
The installation of the component will fail and the retry button will be available
Click the retry button and allow the installation to complete
Startup of the Datanode component will fail due to missing keytab
2015-03-21 01:43:47,911 FATAL datanode.DataNode (DataNode.java:secureMain(2385)) - Exception
in secureMain
java.io.IOException: Login failure for dn/c6504.ambari.apache.org@EXAMPLE.COM from keytab
/etc/security/keytabs/dn.service.keytab: javax.security.auth.login.LoginException: Unable
to obtain password from user
Note: Error indicates a keytab file was found but wrong password, this isn't the case since
the keytab file was not on the host.


Problem: If components installation fails and a retry is performed, the Kerberos related component
configuration is skipped on a sequential attempts;
Solution: Components transitioning from INSTALL_FAILED->INSTALLED state should also be
taken into account.


Diffs
-----

  ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java
7b77bfa 

Diff: https://reviews.apache.org/r/33974/diff/


Testing
-------

mvn clean test -pl ambari-server

Total run:765
Total errors:0
Total failures:0
OK
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 47:47.894s
[INFO] Finished at: Thu May 07 19:13:42 EEST 2015
[INFO] Final Memory: 47M/507M
[INFO] ------------------------------------------------------------------------


Thanks,

Emil Anca


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message