ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas" <rle...@hortonworks.com>
Subject Re: Review Request 36110: HCat Service Check warns keytab contains no suitable keys when Kerberos is enabled
Date Sat, 04 Jul 2015 10:49:40 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/36110/
-----------------------------------------------------------

(Updated July 4, 2015, 6:49 a.m.)


Review request for Ambari, Andrew Onischuk, Dmitro Lisnichenko, Emil Anca, and Tom Beerbower.


Changes
-------

Fixed merge issues


Bugs: AMBARI-12245
    https://issues.apache.org/jira/browse/AMBARI-12245


Repository: ambari


Description
-------

HCat Service Check (part of the Hive Service Check) fails in cluster where Kerberos is enabled:

```
Test connectivity to hive server
Waiting for the Hive server to start...
2015-07-01 18:39:17,173 - Execute['/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab
ambari-qa-tezview@EXAMPLE.COM; '] {'user': 'ambari-qa'}
2015-07-01 18:39:17,321 - Execute['! beeline -u 'jdbc:hive2://c6502.ambari.apache.org:10000/;transportMode=binary;principal=hive/_HOST@EXAMPLE.COM'
-e '' 2>&1| awk '{print}'|grep -i -e 'Connection refused' -e 'Invalid URL''] {'path':
['/bin/', '/usr/bin/', '/usr/lib/hive/bin/', '/usr/sbin/'], 'user': 'ambari-qa', 'timeout':
30}
Successfully connected to c6502.ambari.apache.org on port 10000
Successfully connected to Hive at c6502.ambari.apache.org on port 10000 after 6 seconds
2015-07-01 18:39:23,313 - File['/var/lib/ambari-agent/data/tmp/hcatSmoke.sh'] {'content':
StaticFile('hcatSmoke.sh'), 'mode': 0755}
2015-07-01 18:39:23,314 - Execute['/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab
ambari-qa; env JAVA_HOME=/usr/jdk64/jdk1.8.0_40 /var/lib/ambari-agent/data/tmp/hcatSmoke.sh
hcatsmokeida8c06641_date390115 prepare'] {'logoutput': True, 'path': ['/usr/sbin', '/usr/local/bin',
'/bin', '/usr/bin', '/usr/sbin:/sbin:/usr/lib/ambari-server/*:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/var/lib/ambari-agent:/usr/hdp/current/hive-client/bin:/usr/hdp/current/hadoop-client/bin'],
'tries': 3, 'user': 'ambari-qa', 'try_sleep': 5}
kinit: Keytab contains no suitable keys for ambari-qa@EXAMPLE.COM while getting initial credentials
WARNING: Use "yarn jar" to launch YARN applications.
```
The issue appears to be the wrong principal name in the `kinit` command - note the missing
cluster name and realm in the principal name value.
```
/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa
```
# Cause
The error is caused by the use of the wrong variable when generating the kinit command at
common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py:44
```
{kinit_path_local} -kt {smoke_user_keytab} {smokeuser}
```

# Solution
At common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py:44, change `smokeuser`
to `smokeuser_principal`.


Diffs (updated)
-----

  ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py
356e5ee 
  ambari-server/src/test/python/stacks/2.0.6/HIVE/test_hive_service_check.py 50f3359 

Diff: https://reviews.apache.org/r/36110/diff/


Testing
-------

Manually tested to ensure warning is no longer generated.

# Local test results: SUCCESS

# Jenkins test results: PENDING


Thanks,

Robert Levas


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message