ambari-dev mailing list archives

From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-12180) Enabling Kerberos on cluster with AMS and no HDFS fails
Date Sat, 27 Jun 2015 11:09:04 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-12180?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated AMBARI-12180:
----------------------------------
    Description: 
In a cluster where AMS is installed but HDFS is _not_ installed, enabling Kerberos fails due
to the inability for the server-side Kerberos logic to replace ${hadoop-env/hdfs_user} when
generating the metadata used to create principals and distribute keytab files.

This condition yields the following principal (when the cluster name is AMSNOHDFS and the
realm is EXAMPLE.COM)
{noformat}
    $\{hadoop-env/hdfs_user\}-AMSNOHDFS@EXAMPLE.COM
{noformat}

This is successfully created in the (MIT) KDC. Also, the relative keytab file appears to have
been successfully created as well.

However, when distributing the keytab file and setting the ownership attributes, the agent-side
script fails with 
{code}
Traceback (most recent call last):
  File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", line 77, in <module>
    KerberosClient().execute()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 216, in execute
    method(env)
  File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", line 67, in set_keytab
    self.write_keytab_file()
  File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py", line 397, in write_keytab_file
    group=group)
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in __init__
    self.env.run()
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 152, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 118, in run_action
    provider_action()
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 108, in action_create
    self.resource.group, mode=self.resource.mode, cd_access=self.resource.cd_access)
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 44, in _ensure_metadata
    _user_entity = pwd.getpwnam(user)
KeyError: 'getpwnam(): name not found: $\{hadoop-env/hdfs_user\}'
{code}

*NOTE: \ needed to be added to the hadoop-env/hdfs_user placeholder due to formatting issue*

*Solution:* 
Remove the HDFS identity reference in AMS and assume the hdfs keytab file will be on the appropriate
host(s) when HDFS is installed


  was:
In a cluster where AMS is installed but HDFS is _not_ installed, enabling Kerberos fails due
to the inability for the server-side Kerberos logic to replace ${hadoop-env/hdfs_user} when
generating the metadata used to create principals and distribute keytab files.

This condition yields the following principal (when the cluster name is AMSNOHDFS and the
realm is EXAMPLE.COM)
{noformat}
    $\{hadoop-env/hdfs_user\}-AMSNOHDFS@EXAMPLE.COM
{noformat}

This is successfully created in the (MIT) KDC. Also, the relative keytab file appears to have
been successfully created as well.

However, when distributing the keytab file and setting the ownership attributes, the agent-side
script fails with 
{code}
Traceback (most recent call last):
  File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", line 77, in <module>
    KerberosClient().execute()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 216, in execute
    method(env)
  File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", line 67, in set_keytab
    self.write_keytab_file()
  File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py", line 397, in write_keytab_file
    group=group)
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in __init__
    self.env.run()
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 152, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 118, in run_action
    provider_action()
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 108, in action_create
    self.resource.group, mode=self.resource.mode, cd_access=self.resource.cd_access)
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 44, in _ensure_metadata
    _user_entity = pwd.getpwnam(user)
KeyError: 'getpwnam(): name not found: $\{hadoop-env/hdfs_user\}'
{code}

*NOTE: \ needed to be added to the hadoop-env/hdfs_user placeholder due to formatting issue*

# Solution: 
Remove the HDFS identity reference in AMS and assume the hdfs keytab file will be on the appropriate
host(s) when HDFS is installed



> Enabling Kerberos on cluster with AMS and no HDFS fails
> -------------------------------------------------------
>
>                 Key: AMBARI-12180
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12180
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.0.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Critical
>              Labels: kerberos, kerberos_descriptor
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-12180_01.patch
>
>
> In a cluster where AMS is installed but HDFS is _not_ installed, enabling Kerberos fails due to the inability for the server-side Kerberos logic to replace ${hadoop-env/hdfs_user} when generating the metadata used to create principals and distribute keytab files.
> This condition yields the following principal (when the cluster name is AMSNOHDFS and the realm is EXAMPLE.COM)
> {noformat}
>     $\{hadoop-env/hdfs_user\}-AMSNOHDFS@EXAMPLE.COM
> {noformat}
> This is successfully created in the (MIT) KDC. Also, the relative keytab file appears to have been successfully created as well.
> However, when distributing the keytab file and setting the ownership attributes, the agent-side script fails with 
> {code}
> Traceback (most recent call last):
>   File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", line 77, in <module>
>     KerberosClient().execute()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 216, in execute
>     method(env)
>   File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", line 67, in set_keytab
>     self.write_keytab_file()
>   File "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py", line 397, in write_keytab_file
>     group=group)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 152, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 118, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 108, in action_create
>     self.resource.group, mode=self.resource.mode, cd_access=self.resource.cd_access)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 44, in _ensure_metadata
>     _user_entity = pwd.getpwnam(user)
> KeyError: 'getpwnam(): name not found: $\{hadoop-env/hdfs_user\}'
> {code}
> *NOTE: \ needed to be added to the hadoop-env/hdfs_user placeholder due to formatting issue*
> *Solution:* 
> Remove the HDFS identity reference in AMS and assume the hdfs keytab file will be on the appropriate host(s) when HDFS is installed



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
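
Added example, not part of the original message and not Ambari's own code: a strict placeholder check that would reject the identity described above before a principal is created in the KDC or a keytab owner is passed to pwd.getpwnam(). The template strings, the config layout and all function names are assumptions constructed for illustration.

```python
import re

# Matches ${name} and ${config-type/property}, the placeholder form in the report.
PLACEHOLDER = re.compile(r"\$\{([^{}]+)\}")


class UnresolvedPlaceholder(ValueError):
    """Raised when a template still contains ${...} after substitution."""


def resolve(template, configs):
    """Substitute placeholders from `configs`; unknown ones are left as-is.

    `configs` maps config type -> {property: value}; the "" type holds
    general values such as cluster_name and realm (assumed layout).
    """
    def lookup(match):
        config_type, _, prop = match.group(1).rpartition("/")
        value = configs.get(config_type, {}).get(prop)
        return match.group(0) if value is None else value
    return PLACEHOLDER.sub(lookup, template)


def resolve_strict(template, configs):
    """Resolve, then refuse any result that still carries a placeholder."""
    resolved = resolve(template, configs)
    leftover = PLACEHOLDER.findall(resolved)
    if leftover:
        raise UnresolvedPlaceholder(
            "unresolved %s in %r" % (", ".join(leftover), template))
    return resolved


def check_identity(identity, configs):
    """Return the problems found in one identity; an empty list means usable."""
    problems = []
    for field in ("principal", "keytab_owner"):
        try:
            resolve_strict(identity[field], configs)
        except UnresolvedPlaceholder as exc:
            problems.append("%s: %s" % (field, exc))
    return problems


# Constructed sample data mirroring the report: AMS installed, HDFS absent,
# so the hadoop-env config type does not exist.
CONFIGS_NO_HDFS = {"": {"cluster_name": "AMSNOHDFS", "realm": "EXAMPLE.COM"}}
CONFIGS_WITH_HDFS = {**CONFIGS_NO_HDFS, "hadoop-env": {"hdfs_user": "hdfs"}}
HDFS_IDENTITY = {"principal": "${hadoop-env/hdfs_user}-${cluster_name}@${realm}",
                 "keytab_owner": "${hadoop-env/hdfs_user}"}
```

With the lenient resolve() the sample reproduces the principal name shown in the report; check_identity() flags both the principal and the keytab owner so the failure surfaces on the server side instead of on the agent.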
