ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Frank Eisenhauer <feisenhau...@gmail.com>
Subject Re: Ambari 2.0 Kerberos Activation - Failed to create keytab
Date Sat, 18 Apr 2015 06:35:40 GMT
Hi Rob,

thank you very much.
I wasn't aware Ambari is running as non-root as I always started Ambaris 
as root user.

I changed the user setting in ambari.properties and was able to activate 
kerberos.

Is there already a date for the Ambari Update to be availabe?

Best regards
Frank

Am 18.04.2015 um 01:22 schrieb Robert Levas:
> Hi FrankŠ
>
> It seems like Ambari is running as ambari-server, not root.  This isn¹t
> typically an issue, but in this case the problem from
> https://issues.apache.org/jira/browse/AMBARI-10266 is coming into play.
> The solution will be in the next releases of Ambari (2.0.1 and 2.1), but
> for now it appears that you need to run Ambari as root to get around this
> issue.
>
> Essentially, unless you are root, the directory must be executable in
> order to write files in it.  There is a bug in Ambari where when it
> attempts to protect temporary files created while enabling Kerberos, it
> fails to properly set the executable flag on relevant directories. Thus
> the error condition.  For some reason, the root user does not have this
> restriction and the bug is avoided.
>
> Is it possible to run Ambari as root?  I think you need to edit
> /etc/ambari-server/conf/ambari.properties and set ambari-server.user to
> root:
>
> 	ambari-server.user=root
>
> Then restart Ambari.
>
> I am sorry that this is the only solution that I can think of until the
> next release. I hope it helps,
>
> Rob
>
>    
>   
>
>
> On 4/17/15, 5:34 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com> wrote:
>
>> Hi Rob,
>>
>> the direcory "/var/lib/ambari-server/data/tmp/" exists and has the
>> following permissions:
>>
>> drwx------  2 ambari-server root 4096 Apr 13 20:28 cache
>> drwxrwxrwx 10 ambari-server root 4096 Apr 17 21:41 tmp
>>
>> I changed the permissions to 777 just to exclude permissions as a root
>> cause.
>> But unfortunately changing the permissions has no effect on the issue.
>>
>> After executing "Install and Test Kerberos Client" via Ambari Kerberos
>> wizard, two new folders are beeing created in the tmp directory, with
>> the following permissions:
>>
>> drwxr-xr-x  3 ambari-server ambari-server 4096 Apr 17 23:35
>> .ambari_1429306535296-0.d
>> drwxr-xr-x  2 ambari-server ambari-server 4096 Apr 17 23:35
>> .ambari_1429306535374-0.d
>>
>> Disk space and available inodes is not an issue. I really don't see a
>> reason why the files cannot be writen to that directory.
>>
>> Inside of the first folder mentioned above, ther's is another folder
>> with the hostname:
>>
>> drw------- 2 ambari-server ambari-server 4096 Apr 17 23:35
>> HADOOP01.BIGDATA.LOCAL
>> -rw-r--r-- 1 ambari-server ambari-server  765 Apr 17 23:35 index.dat
>>
>> The ambari log states, that the kerberos keytab is exported to the host
>> directory. Might the missing execute flag be a cause for the permission
>> denied error?
>>
>> The installation runs on CentOS 6.6 and Java Version is 1.7.0_71
>>
>> Am 17.04.2015 um 23:14 schrieb Robert Levas:
>>> Hi Frank,
>>>
>>> Can you check to see if /var/lib/ambari-server/data/tmp/ exists on the
>>> Ambari server host?  If so, what permissions does it have?
>>>
>>> Ideally, /var/lib/ambari-server/data/tmp/ exists and all directories in
>>> the path are executable by the user that Ambari runs as.
>>>
>>> Both of these are essentially covered in
>>> https://issues.apache.org/jira/browse/AMBARI-10266 and I saw that you
>>> acknowledged the solution in the ticket, but I just wanted to make sure
>>> we
>>> covered all of the bases.
>>>
>>> Other than this, I am not sure while the file cannot be written.
>>> Obvious
>>> things like being out of disk space or memory could cause the issue, but
>>> you would be seeing other issues if this was the case.
>>>
>>> What OS and Java VM are you running Ambari on?
>>>
>>> Rob
>>>
>>> On 4/17/15, 4:03 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com> wrote:
>>>
>>>> Hi Jeff,
>>>>
>>>> Ambari is running as root.
>>>>
>>>> Am 17.04.2015 um 21:50 schrieb Jeff Sposetti:
>>>>> Hi, Are you running your Ambari Server as non-root?
>>>>>
>>>>> https://issues.apache.org/jira/browse/AMBARI-10266
>>>>>
>>>>> You might be hitting that BUG.
>>>>>
>>>>> On 4/17/15, 3:41 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>> I'm trying to enable Kerberos in Ambari 2.0.0 after upgrade from
>>>>>> Ambari
>>>>>> 1.7.
>>>>>>
>>>>>> During "Test Kerberos Client" I'm getting the error "Failed to create
>>>>>> keytab file for ambari-qa_idheyfiu@BIGDATA.XXX - Failed to export
>>>>>> keytab
>>>>>> file"
>>>>>>
>>>>>> The ambari-server.log states:
>>>>>> 17 Apr 2015 21:41:29,601  INFO [Server Action Executor Worker 4215]
>>>>>> CreateKeytabFilesServerAction:170 - Creating keytab file for
>>>>>> ambari-qa_idheyfiu@BIGDATA$
>>>>>> 17 Apr 2015 21:41:29,636 ERROR [Server Action Executor Worker 4215]
>>>>>> KerberosOperationHandler:433 - Failed to export keytab file
>>>>>> java.io.FileNotFoundException:
>>>>>>
>>>>>>
>>>>>> /var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV01
>>>>>> /4
>>>>>> e6
>>>>>> d850833d0d36946b1c5c5b260bec371c5247c
>>>>>> (Pe$
>>>>>>            at java.io.FileOutputStream.open(Native Method)
>>>>>>            at
>>>>>> java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Ke
>>>>>> yt
>>>>>> ab
>>>>>> .java:273)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab
>>>>>> .j
>>>>>> av
>>>>>> a:133)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandle
>>>>>> r.
>>>>>> cr
>>>>>> eateKeytabFile(KerberosOperationHandler.java:429)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
>>>>>> Ac
>>>>>> ti
>>>>>> on.processIdentity(CreateKeytabFilesServerAction.java:276)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
>>>>>> oc
>>>>>> es
>>>>>> sRecord(KerberosServerAction.java:494)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
>>>>>> oc
>>>>>> es
>>>>>> sIdentities(KerberosServerAction.java:386)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
>>>>>> Ac
>>>>>> ti
>>>>>> on.execute(CreateKeytabFilesServerAction.java:99)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.exec
>>>>>> ut
>>>>>> e(
>>>>>> ServerActionExecutor.java:504)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(
>>>>>> Se
>>>>>> rv
>>>>>> erActionExecutor.java:441)
>>>>>>            at java.lang.Thread.run(Thread.java:744)
>>>>>> 17 Apr 2015 21:41:29,637 ERROR [Server Action Executor Worker 4215]
>>>>>> CreateKeytabFilesServerAction:290 - Failed to create keytab file
for
>>>>>> ambari-qa_idheyfiu$
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosOperationExcept
>>>>>> io
>>>>>> n:
>>>>>>
>>>>>> Failed to export keytab file
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandle
>>>>>> r.
>>>>>> cr
>>>>>> eateKeytabFile(KerberosOperationHandler.java:439)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
>>>>>> Ac
>>>>>> ti
>>>>>> on.processIdentity(CreateKeytabFilesServerAction.java:276)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
>>>>>> oc
>>>>>> es
>>>>>> sRecord(KerberosServerAction.java:494)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
>>>>>> oc
>>>>>> es
>>>>>> sIdentities(KerberosServerAction.java:386)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
>>>>>> Ac
>>>>>> ti
>>>>>> on.execute(CreateKeytabFilesServerAction.java:99)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.exec
>>>>>> ut
>>>>>> e(
>>>>>> ServerActionExecutor.java:504)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(
>>>>>> Se
>>>>>> rv
>>>>>> erActionExecutor.java:441)
>>>>>>            at java.lang.Thread.run(Thread.java:744)
>>>>>> Caused by: java.io.FileNotFoundException:
>>>>>>
>>>>>>
>>>>>> /var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV01
>>>>>> /4
>>>>>> e6
>>>>>> d850833d0d36946b1c5c5b260bec37$
>>>>>>            at java.io.FileOutputStream.open(Native Method)
>>>>>>            at
>>>>>> java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Ke
>>>>>> yt
>>>>>> ab
>>>>>> .java:273)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab
>>>>>> .j
>>>>>> av
>>>>>> a:133)
>>>>>>            at
>>>>>>
>>>>>>
>>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandle
>>>>>> r.
>>>>>> cr
>>>>>> eateKeytabFile(KerberosOperationHandler.java:429)
>>>>>>            ... 7 more
>>>>>>
>>>>>> I've found a Jira Log
>>>>>> "https://issues.apache.org/jira/browse/AMBARI-10266" but the
>>>>>> mentioned
>>>>>> solution does not solve the issue. The permission denied exception
>>>>>> still
>>>>>> occurs.
>>>>>> Ambari Server is running as root.
>>>>>>


Mime
View raw message