ambari-issues mailing list archives

From "Eric Yang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AMBARI-21577) Hive-Service check failing in post EU validation (IOP-HDP)
Date Wed, 26 Jul 2017 16:04:01 GMT

    [ https://issues.apache.org/jira/browse/AMBARI-21577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16101850#comment-16101850 ]

Eric Yang commented on AMBARI-21577:
------------------------------------

Quote from Hortonworks internal bug tracker by Robert Levas:

The problem is the existence of the following rule in the auth-to-local rule set (core-site/hadoop.security.auth_to_local):
{code}
RULE:[2:$1@$0](HTTP@EXAMPLE.COM)s/.*/cstm-hbase/
{code}

This rule was added due to a Kerberos identity descriptor from the BigInsights stack definition:
{code}
/HBASE/HBASE_REST_SERVER
{code}
{code}
                {
                  "keytab" : {
                    "configuration" : "hbase-site/hbase.rest.authentication.kerberos.keytab",
                    "file" : "${keytab_dir}/hbase.service.keytab",
                    "group" : {
                      "access" : "",
                      "name" : "${cluster-env/user_group}"
                    },
                    "owner" : {
                      "access" : "r",
                      "name" : "${hbase-env/hbase_user}"
                    }
                  },
                  "name" : "hbase_rest_server_spnego",
                  "principal" : {
                    "configuration" : "hbase-site/hbase.rest.authentication.kerberos.principal",
                    "local_username" : "${hbase-env/hbase_user}",
                    "type" : "service",
                    "value" : "HTTP/_HOST@${realm}"
                  }
                }
{code}
I am not sure what purpose this definition has since it seems to be messing up at least Hive
and probably a few other things since this forces the SPNEGO identity to translate to the
local user cstm-hbase (in this case). Generally it is expected that the SPNEGO identities
have no explicit translation and by default will translate to HTTP. One way this is relevant
is when the proxyuser configurations are considered. In this cluster, there are no hadoop.proxyuser.cstm-hbase
configurations. However, the hadoop.proxyuser.HTTP configurations are set properly, thus
allowing the Hive service check to work when the rule in question is removed.

How do we want to proceed? Since BigInsights is going away, I guess there is no need to address
the problem in that stack. So maybe upon upgrade, we try to figure out which rules should
be removed and fix the auth-to-local rule set(s). There appear to be other issues with the
rule set:

{code}
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-ams/
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-hbase/
{code}

In the above case, the 2nd rule will never get executed since the first matching rule wins.
So amshbase/*@EXAMPLE.COM will always translate to cstm-ams.
Programmatically fixing this may be difficult since we won't be able to tell which rules were
added by Ambari and which were custom. So the rules that do not belong will appear to Ambari
as custom rules, so they cannot be removed. Maybe we can document this issue and have the
user manually fix it after the upgrade to HDP?

In any case, I made the necessary change to the cluster at http://172.22.120.154:8080 and
the Hive service check now works.

> Hive-Service check failing in post EU validation (IOP-HDP)
> ----------------------------------------------------------
>
>                 Key: AMBARI-21577
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21577
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>    Affects Versions: 2.5.2
>         Environment:  OS:- RHEL 7
>  Ambari Upgraded 2.2.0 to 2.5.2.0-174
> Express Upgrade:- BigInsights-4.2.0.0 to HDP-2.6.2.0-107
>            Reporter: Eric Yang
>             Fix For: 2.5.2
>
>
> Steps to reproduce:-
> 1. Installed an IOP cluster ambari-version:- 2.2.0/20160616_1658,BigInsights-4.2.0.0
> 2. Upgrade the ambari from 2.2.0 to 2.5.2.0-174(IOP Clusters)
> 3. Remove IOP Select.
> 4. Register HDP Stack to HDP-2.6.2.0-107.
> 5. EU
> 6. Post EU
> Hive- Service check is failing :- 
> {code}
> HTTP/vs-iop420tofnsec-re-2.openstacklocal@EXAMPLE.COM is not allowed to impersonate ambari-qa
> {code}
> stderr:-
> {code}
> Traceback (most recent call last):
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py", line 194, in <module>
>     HiveServiceCheck().execute()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 329, in execute
>     method(env)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py", line 99, in service_check
>     webhcat_service_check()
>   File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89, in thunk
>     return fn(*args, **kwargs)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_service_check.py", line 125, in webhcat_service_check
>     logoutput=True)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 166, in __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 160, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 124, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 262, in action_run
>     tries=self.resource.tries, try_sleep=self.resource.try_sleep)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 72, in inner
>     result = function(command, **kwargs)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 102, in checked_call
>     tries=tries, try_sleep=try_sleep, timeout_kill_strategy=timeout_kill_strategy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 150, in _call_wrapper
>     result = _call(command, **kwargs_copy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 303, in _call
>     raise ExecutionFailed(err_msg, code, out, err)
> resource_management.core.exceptions.ExecutionFailed: Execution of '/var/lib/ambari-agent/tmp/templetonSmoke.sh vs-iop420tofnsec-re-2.openstacklocal ambari-qa 20111 idtest.ambari-qa.1500877355.88.pig /etc/security/keytabs/smokeuser.headless.keytab true /usr/bin/kinit ambari-qa@EXAMPLE.COM /var/lib/ambari-agent/tmp' returned 1. Templeton Smoke Test (ddl cmd): Failed. : {"error":"User: HTTP/vs-iop420tofnsec-re-2.openstacklocal@EXAMPLE.COM is not allowed to impersonate ambari-qa"}http_code <500>
> {code} 
> Screenshot:- !Screen Shot 2017-07-24 at 12.04.44 PM.png|thumbnail! 
> Live-Server:- http://172.22.115.63:8080.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
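
Added example, not part of the original message and not Ambari or Hadoop code: a simplified Python model of first-match-wins auth_to_local evaluation, run over the rules quoted in the comment, showing how the HTTP rule changes the SPNEGO mapping and how a duplicate match expression leaves a rule unreachable. The function names, the `DEFAULT` fallback line in the sample rule set, and the restriction to plain `RULE:[n:fmt](regex)s/pat/repl/` syntax (no flags, no back-references) are assumptions.

```python
import re

# Simplified model (assumption): only RULE:[n:fmt](regex)s/pat/repl/ and DEFAULT.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]+)\]\(([^)]*)\)s/([^/]*)/([^/]*)/$")

# Rules quoted in the comment; the trailing DEFAULT is assumed for the example.
RULES_TEXT = """
RULE:[2:$1@$0](HTTP@EXAMPLE.COM)s/.*/cstm-hbase/
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-ams/
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-hbase/
DEFAULT
"""

def parse_rules(text):
    rules = []
    for line in text.split():
        if line == "DEFAULT":
            rules.append(("DEFAULT",))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule: %r" % line)
        n, fmt, regex, pat, repl = m.groups()
        rules.append((int(n), fmt, regex, pat, repl))
    return rules

def to_local(principal, rules, default_realm="EXAMPLE.COM"):
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")        # $0 = realm, $1.. = name components
    for rule in rules:                        # the first matching rule wins
        if rule == ("DEFAULT",):
            if realm == default_realm:
                return parts[1]               # first component, e.g. "HTTP"
            continue
        n, fmt, regex, pat, repl = rule
        if len(parts) - 1 != n:               # rule applies to n-component names only
            continue
        base = re.sub(r"\$(\d)", lambda m: parts[int(m.group(1))], fmt)
        if re.fullmatch(regex, base):
            return re.sub(pat, repl, base, count=1)
    return None

def shadowed(rules):
    # Indexes of rules that can never fire: an earlier rule has the same
    # component count, format and match expression.
    seen, dead = set(), []
    for i, rule in enumerate(rules):
        if rule[:3] in seen:
            dead.append(i)
        seen.add(rule[:3])
    return dead
```

Comparing `to_local()` output before and after dropping the first rule shows which `hadoop.proxyuser.<name>` settings the SPNEGO principal is checked against.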
