ambari-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Levas (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AMBARI-14702) disabling kerberos does not remove auth to local rules
Date Mon, 25 Jan 2016 21:30:40 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-14702?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Robert Levas updated AMBARI-14702:
----------------------------------
    Fix Version/s:     (was: 2.2.1)
                   2.2.2

> disabling kerberos does not remove auth to local rules
> ------------------------------------------------------
>
>                 Key: AMBARI-14702
>                 URL: https://issues.apache.org/jira/browse/AMBARI-14702
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.2.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos
>             Fix For: 2.2.2
>
>
> After disabling Kerberos to fix a user generated issue with a principal name pattern,
the auth-to-local mapping(s) were not removed and thus not _fixing_ the issues that were caused:

> {noformat:title=Invalid hadoop.security.auth_to_local value}
>  <property>
>        <name>hadoop.security.auth_to_local</name>
>        <value>RULE:[1:$1@$0](${hbase_user}@EXAMPLE.COM)s/.*/hbase/
>  RULE:[1:$1@$0](${hdfs_user}@EXAMPLE.COM)s/.*/hdfs/
>  RULE:[1:$1@$0](${smokeuser}@EXAMPLE.COM)s/.*/ambari-qa/
>  RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
>  RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/ams/
>  RULE:[2:$1@$0](amszk@EXAMPLE.COM)s/.*/ams/
>  RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
>  RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
>  RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/
>  RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
>  RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
>  RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
>  RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
>  RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
>  RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
>  RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
>  DEFAULT</value>
>      </property>
> {noformat}
> {noformat:title=Errors in log}
> 2016-01-13 21:51:17,825 FATAL datanode.DataNode (DataNode.java:secureMain(2429)) - Exception
in secureMain
> java.util.regex.PatternSyntaxException: Illegal repetition near index 0
> ${hbase_user}@EXAMPLE.COM
> ^
>         at java.util.regex.Pattern.error(Pattern.java:1924)
>         at java.util.regex.Pattern.closure(Pattern.java:3104)
>         at java.util.regex.Pattern.sequence(Pattern.java:2101)
>         at java.util.regex.Pattern.expr(Pattern.java:1964)
>         at java.util.regex.Pattern.compile(Pattern.java:1665)
>         at java.util.regex.Pattern.<init>(Pattern.java:1337)
>         at java.util.regex.Pattern.compile(Pattern.java:1022)
>         at org.apache.hadoop.security.authentication.util.KerberosName$Rule.<init>(KerberosName.java:193)
>         at org.apache.hadoop.security.authentication.util.KerberosName.parseRules(KerberosName.java:336)
>         at org.apache.hadoop.security.authentication.util.KerberosName.setRules(KerberosName.java:397)
>         at org.apache.hadoop.security.HadoopKerberosName.setConfiguration(HadoopKerberosName.java:75)
>         at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:275)
>         at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:311)
>         at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2192)
>         at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2242)
>         at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2422)
>         at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2446)
> 2016-01-13 21:51:17,830 INFO  util.ExitUtil (ExitUtil.java:terminate(124)) - Exiting
with status 1
> 2016-01-13 21:51:17,832 INFO  datanode.DataNode (LogAdapter.java:info(45)) - SHUTDOWN_MSG:
> /************************************************************
> {noformat}
> The auth-to-local mappings should be removed when Kerberos is disabled.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message