ambari-dev mailing list archives

From "Dmytro Sen" <d...@hortonworks.com>
Subject Re: Review Request 36752: AMS does not work with Kerberization in distrbuted mode
Date Fri, 24 Jul 2015 17:19:53 GMT


> On July 23, 2015, 11:49 p.m., Sid Wagle wrote:
> > What about "amszk/_HOST@${realm}" in common-services/AMBARI_METRICS/0.1.0/kerberos.json?
> > This would create a wrong keytab if cluster ZK is not co-hosted right.

The root cause of this issue is the use of the "zookeeper/_HOST@_REALM" principal as the zookeeper
service principal by default: any zookeeper client tries to authenticate the zookeeper service with
this principal name, but in the AMS case clients should use "amszk/_HOST@_REALM" (or any other custom
principal name set by the user). The default principal can be overridden by setting the system property
"-Dzookeeper.sasl.client.username=amszk", so clients will authenticate AMS-ZOOKEEPER
with "amszk/_HOST@_REALM".

My patch allows using any custom principal name or keytab name for the zookeeper service. Tested
on a cluster where the AMS Collector isn't co-hosted with zookeeper.
Keytabs on AMS collector node:
[root@c6403 ambari-metrics-collector]# ll /etc/security/keytabs/
total 32
-r-------- 1 ams       hadoop 433 ??? 24 08:37 ams.collector.keytab
-r-------- 1 ams       hadoop 433 ??? 24 08:37 ams-hbase.master.keytab
-r-------- 1 ams       hadoop 433 ??? 24 08:37 ams-hbase.regionserver.keytab
-r-------- 1 ams       hadoop 418 ??? 24 08:37 ams-zk.service.keytab
-r-------- 1 hdfs      hadoop 403 ??? 24 08:37 dn.service.keytab
-r--r----- 1 hdfs      hadoop 303 ??? 24 08:37 hdfs.headless.keytab
-r--r----- 1 ambari-qa hadoop 328 ??? 24 08:37 smokeuser.headless.keytab
-r--r----- 1 root      hadoop 413 ??? 24 08:37 spnego.service.keytab


- Dmytro


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/36752/#review92836
-----------------------------------------------------------


On July 23, 2015, 11:37 p.m., Dmytro Sen wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/36752/
> -----------------------------------------------------------
> 
> (Updated July 23, 2015, 11:37 p.m.)
> 
> 
> Review request for Ambari, Myroslav Papirkovskyy and Sid Wagle.
> 
> 
> Bugs: AMBARI-12347
>     https://issues.apache.org/jira/browse/AMBARI-12347
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> STR:
> Setup AMS in distributed mode
> Enable Kerberos using the Security wizard
> AMS fails to start with following log messages:
> /var/log/ambari-metrics-collector/ambari-metrics-collector.log:
> 22:36:44,699 ERROR [main] ConnectionManager$HConnectionImplementation:879 - The node /ams-hbase-secure is not in ZooKeeper. It should have been written by the master. Check the value configured in 'zookeeper.znode.parent'. There could be a mismatch with the one configured in the master.
> /var/log/ambari-metrics-collector/hbase-ams-master-h1.log:
> 2015-07-08 22:51:08,626 WARN  [main] zookeeper.RecoverableZooKeeper: Possibly transient ZooKeeper, quorum=h1:61181, exception=org.apache.zookeeper.KeeperException$ConnectionLossException: KeeperErrorCode = ConnectionLoss for /ams-hbase-secure
> 2015-07-08 22:51:08,626 ERROR [main] zookeeper.RecoverableZooKeeper: ZooKeeper create failed after 4 attempts
> 2015-07-08 22:51:08,626 ERROR [main] master.HMasterCommandLine: Master exiting
> java.lang.RuntimeException: Failed construction of Master: class org.apache.hadoop.hbase.master.HMaster
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-env.xml a3ddb6a
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-hbase-env.xml 6325a50
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py 5e4da80
> 
> Diff: https://reviews.apache.org/r/36752/diff/
> 
> 
> Testing
> -------
> 
> OK
> ----------------------------------------------------------------------
> Total run:806
> Total errors:0
> Total failures:0
> OK
> 
> 
> Thanks,
> 
> Dmytro Sen
> 
>
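
Added example, not part of the original message or of the Ambari patch: a Python check for the mismatch described in the reply above, comparing the service principal a ZooKeeper client will request (taken from "zookeeper.sasl.client.username", defaulting to "zookeeper") with the principals in the ZooKeeper service keytab. The function names are hypothetical, and the FQDN, realm, JVM option strings and `klist -kt` output are constructed sample values.

```python
import re

DEFAULT_ZK_SASL_USERNAME = "zookeeper"  # client default when the property is unset

def zk_sasl_username(jvm_opts):
    """Service name the ZooKeeper client will request, read from its JVM options."""
    found = re.findall(r"-Dzookeeper\.sasl\.client\.username=(\S+)", jvm_opts)
    # A repeated -D overrides the earlier one, so take the last occurrence.
    return found[-1] if found else DEFAULT_ZK_SASL_USERNAME

def expected_service_principal(jvm_opts, zk_host, realm):
    """Principal the client expects the ZooKeeper server to hold: name/host@REALM."""
    return "%s/%s@%s" % (zk_sasl_username(jvm_opts), zk_host, realm)

def keytab_principals(klist_output):
    """Principals listed by `klist -kt <keytab>` (entry rows start with the KVNO)."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            principals.update(f for f in fields[1:] if "@" in f)
    return principals

def check_zk_principal(jvm_opts, zk_host, realm, klist_output):
    """Return (expected principal, True if the service keytab contains it)."""
    expected = expected_service_principal(jvm_opts, zk_host, realm)
    return expected, expected in keytab_principals(klist_output)

# Constructed sample values (not taken from a real cluster).
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/security/keytabs/ams-zk.service.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------
   1 07/24/2015 08:37:00 amszk/c6403.example.com@EXAMPLE.COM
"""
OPTS_DEFAULT = "-Xmx512m -Djava.security.auth.login.config=/path/to/jaas.conf"
OPTS_FIXED = OPTS_DEFAULT + " -Dzookeeper.sasl.client.username=amszk"

if __name__ == "__main__":
    for opts in (OPTS_DEFAULT, OPTS_FIXED):
        principal, ok = check_zk_principal(
            opts, "c6403.example.com", "EXAMPLE.COM", SAMPLE_KLIST)
        print("%-45s %s" % (principal, "in keytab" if ok else "NOT in keytab"))
```
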

