ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Tom Beerbower" <tbeerbo...@hortonworks.com>
Subject Re: Review Request 36110: HCat Service Check warns keytab contains no suitable keys when Kerberos is enabled
Date Thu, 02 Jul 2015 00:10:24 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/36110/#review90169
-----------------------------------------------------------

Ship it!


Ship It!

- Tom Beerbower


On July 1, 2015, 10:08 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/36110/
> -----------------------------------------------------------
> 
> (Updated July 1, 2015, 10:08 p.m.)
> 
> 
> Review request for Ambari, Andrew Onischuk, Dmitro Lisnichenko, Emil Anca, and Tom Beerbower.
> 
> 
> Bugs: AMBARI-12245
>     https://issues.apache.org/jira/browse/AMBARI-12245
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> HCat Service Check (part of the Hive Service Check) fails in cluster where Kerberos is
enabled:
> 
> ```
> Test connectivity to hive server
> Waiting for the Hive server to start...
> 2015-07-01 18:39:17,173 - Execute['/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab
ambari-qa-tezview@EXAMPLE.COM; '] {'user': 'ambari-qa'}
> 2015-07-01 18:39:17,321 - Execute['! beeline -u 'jdbc:hive2://c6502.ambari.apache.org:10000/;transportMode=binary;principal=hive/_HOST@EXAMPLE.COM'
-e '' 2>&1| awk '{print}'|grep -i -e 'Connection refused' -e 'Invalid URL''] {'path':
['/bin/', '/usr/bin/', '/usr/lib/hive/bin/', '/usr/sbin/'], 'user': 'ambari-qa', 'timeout':
30}
> Successfully connected to c6502.ambari.apache.org on port 10000
> Successfully connected to Hive at c6502.ambari.apache.org on port 10000 after 6 seconds
> 2015-07-01 18:39:23,313 - File['/var/lib/ambari-agent/data/tmp/hcatSmoke.sh'] {'content':
StaticFile('hcatSmoke.sh'), 'mode': 0755}
> 2015-07-01 18:39:23,314 - Execute['/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab
ambari-qa; env JAVA_HOME=/usr/jdk64/jdk1.8.0_40 /var/lib/ambari-agent/data/tmp/hcatSmoke.sh
hcatsmokeida8c06641_date390115 prepare'] {'logoutput': True, 'path': ['/usr/sbin', '/usr/local/bin',
'/bin', '/usr/bin', '/usr/sbin:/sbin:/usr/lib/ambari-server/*:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/var/lib/ambari-agent:/usr/hdp/current/hive-client/bin:/usr/hdp/current/hadoop-client/bin'],
'tries': 3, 'user': 'ambari-qa', 'try_sleep': 5}
> kinit: Keytab contains no suitable keys for ambari-qa@EXAMPLE.COM while getting initial
credentials
> WARNING: Use "yarn jar" to launch YARN applications.
> ```
> The issue appears to be the wrong principal name in the `kinit` command - note the missing
cluster name and realm in the principal name value.
> ```
> /usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa
> ```
> # Cause
> The error is caused by the use of the wrong variable when generating the kinit command
at common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py:44
> ```
> {kinit_path_local} -kt {smoke_user_keytab} {smokeuser}
> ```
> 
> # Solution
> At common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py:44, change `smokeuser`
to `smokeuser_principal`.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py
d35e0b9 
>   ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_service_check.py 5bf85fd

> 
> Diff: https://reviews.apache.org/r/36110/diff/
> 
> 
> Testing
> -------
> 
> Manually tested to ensure warning is no longer generated.
> 
> # Local test results: SUCCESS
> 
> # Jenkins test results: PENDING
> 
> 
> Thanks,
> 
> Robert Levas
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message