ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-12356) kinit of hdfs Kerberos identity fails when starting added service(s) after upgrade to ambari2.1.0
Date Sun, 12 Jul 2015 14:16:04 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-12356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Levas updated AMBARI-12356:
----------------------------------
    Summary: kinit of hdfs Kerberos identity fails when starting added service(s) after upgrade
to ambari2.1.0  (was:  Execution of '/usr/bin/kinit -kt ... hdfs@EXAMPLE.COM' returned 1 when
try to start added before component (Oozie server,HS2 etc ) after upgrade to ambari2.1.0)

> kinit of hdfs Kerberos identity fails when starting added service(s) after upgrade to
ambari2.1.0
> -------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12356
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12356
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos, upgrade
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-12356_01.patch
>
>
> STR:
> 1. Install old version of ambari (2.0.1)
> 2. Enable security
> 3. Do Ambari only upgrade to ambari2.1.0
> 4. Add some component - HiveServer2 or Ooozie server
> 5. Try to start added component
> Actual result:
> Start have been failed. 
> {code}
> Traceback (most recent call last):
>   File "/var/lib/ambari-agent/cache/common-
> services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 182, in <module>
>     HiveServer().execute()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py",

> line 216, in execute
>     method(env)
>   File "/var/lib/ambari-agent/cache/common-
> services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 83, in start
>     self.configure(env) # FOR SECURITY
>   File "/var/lib/ambari-agent/cache/common-
> services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 54, in configure
>     hive(name='hiveserver2')
>   File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89,
in 
> thunk
>     return fn(*args, **kwargs)
>   File "/var/lib/ambari-agent/cache/common-
> services/HIVE/0.12.0.2.0/package/scripts/hive.py", line 127, in hive
>     mode=params.webhcat_hdfs_user_mode
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157,
in 
> __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line

> 152, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line

> 118, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-
> packages/resource_management/libraries/providers/hdfs_resource.py", line 390, in 
> action_create_on_execute
>     self.action_delayed("create")
>   File "/usr/lib/python2.6/site-
> packages/resource_management/libraries/providers/hdfs_resource.py", line 387, in 
> action_delayed
>     self.get_hdfs_resource_executor().action_delayed(action_name, self)
>   File "/usr/lib/python2.6/site-
> packages/resource_management/libraries/providers/hdfs_resource.py", line 236, in 
> action_delayed
>     main_resource.kinit()
>   File "/usr/lib/python2.6/site-
> packages/resource_management/libraries/providers/hdfs_resource.py", line 416, in kinit
>     user=user
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157,
in 
> __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line

> 152, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line

> 118, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py",

> line 254, in action_run
>     tries=self.resource.tries, try_sleep=self.resource.try_sleep)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 70,
in 
> inner
>     result = function(command, **kwargs)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 92,
in 
> checked_call
>     tries=tries, try_sleep=try_sleep)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 140,
in 
> _call_wrapper
>     result = _call(command, **kwargs_copy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 291,
in 
> _call
>     raise Fail(err_msg)
> resource_management.core.exceptions.Fail: Execution of '/usr/bin/kinit -kt 
> /etc/security/keytabs/hdfs.headless.keytab hdfs@EXAMPLE.COM' returned 1. kinit: Keytab

> contains no suitable keys for hdfs@EXAMPLE.COM while getting initial credentials
> {code}
> Expected results:
> Can start all added components.
> *Cause*
> The Kerberos Descriptor structure changed between Ambari 2.0 and Ambari 2.1.  This change
moved the "hdfs" Kerberos identity descriptor from the _global_ scope to under the HDFS service.
After upgrading from Ambari 2.0 to Ambari 2.1  an additional "hdfs" Kerberos identity descriptor
was added with the new principal name pattern - $\{hadoop-env/hdfs_user\}-$\{cluster_name\}@$\{realm\}.
 This occurred because the stored Kerberos Descriptor contained the _old_ structure, and when
Ambari generated a composite Kerberos Descriptor made up of the Kerberos Descriptor compiled
from the relevant stack definition with stored changes applied, that additional "hdfs" Kerberos
identity descriptor was added.  Because if this, the Kerberos logic became _confused_ and
overwrote the existing hdfs keytab file with one that contained the new principal name.
> *Solution*
> While migrating Ambari 2.0 to Ambari 2.1, fix the stored Kerberos Descriptor structure
to match the new version's structure.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message