ambari-user mailing list archives

From Robert Levas <rle...@hortonworks.com>
Subject Re: Ambari 2.0 Kerberos Activation - Failed to create keytab
Date Fri, 17 Apr 2015 23:22:38 GMT
Hi Frank…

It seems like Ambari is running as ambari-server, not root.  This isn't
typically an issue, but in this case the problem from
https://issues.apache.org/jira/browse/AMBARI-10266 is coming into play.
The solution will be in the next releases of Ambari (2.0.1 and 2.1), but
for now it appears that you need to run Ambari as root to get around this
issue.

Essentially, unless you are root, the directory must be executable in
order to write files in it.  There is a bug in Ambari where when it
attempts to protect temporary files created while enabling Kerberos, it
fails to properly set the executable flag on relevant directories. Thus
the error condition.  For some reason, the root user does not have this
restriction and the bug is avoided.

Is it possible to run Ambari as root?  I think you need to edit
/etc/ambari-server/conf/ambari.properties and set ambari-server.user to
root:

	ambari-server.user=root

Then restart Ambari.

I am sorry that this is the only solution that I can think of until the
next release. I hope it helps,

Rob

  
 


On 4/17/15, 5:34 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com> wrote:

>Hi Rob,
>
>the directory "/var/lib/ambari-server/data/tmp/" exists and has the
>following permissions:
>
>drwx------  2 ambari-server root 4096 Apr 13 20:28 cache
>drwxrwxrwx 10 ambari-server root 4096 Apr 17 21:41 tmp
>
>I changed the permissions to 777 just to exclude permissions as a root
>cause.
>But unfortunately changing the permissions has no effect on the issue.
>
>After executing "Install and Test Kerberos Client" via Ambari Kerberos
>wizard, two new folders are being created in the tmp directory, with
>the following permissions:
>
>drwxr-xr-x  3 ambari-server ambari-server 4096 Apr 17 23:35 .ambari_1429306535296-0.d
>drwxr-xr-x  2 ambari-server ambari-server 4096 Apr 17 23:35 .ambari_1429306535374-0.d
>
>Disk space and available inodes are not an issue. I really don't see a
>reason why the files cannot be written to that directory.
>
>Inside of the first folder mentioned above, there is another folder
>with the hostname:
>
>drw------- 2 ambari-server ambari-server 4096 Apr 17 23:35 HADOOP01.BIGDATA.LOCAL
>-rw-r--r-- 1 ambari-server ambari-server  765 Apr 17 23:35 index.dat
>
>The ambari log states, that the kerberos keytab is exported to the host
>directory. Might the missing execute flag be a cause for the permission
>denied error?
>
>The installation runs on CentOS 6.6 and Java Version is 1.7.0_71
>
>Am 17.04.2015 um 23:14 schrieb Robert Levas:
>> Hi Frank,
>>
>> Can you check to see if /var/lib/ambari-server/data/tmp/ exists on the
>> Ambari server host?  If so, what permissions does it have?
>>
>> Ideally, /var/lib/ambari-server/data/tmp/ exists and all directories in
>> the path are executable by the user that Ambari runs as.
>>
>> Both of these are essentially covered in
>> https://issues.apache.org/jira/browse/AMBARI-10266 and I saw that you
>> acknowledged the solution in the ticket, but I just wanted to make sure we
>> covered all of the bases.
>>
>> Other than this, I am not sure why the file cannot be written. Obvious
>> things like being out of disk space or memory could cause the issue, but
>> you would be seeing other issues if this was the case.
>>
>> What OS and Java VM are you running Ambari on?
>>
>> Rob
>>
>> On 4/17/15, 4:03 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com> wrote:
>>
>>> Hi Jeff,
>>>
>>> Ambari is running as root.
>>>
>>> Am 17.04.2015 um 21:50 schrieb Jeff Sposetti:
>>>> Hi, Are you running your Ambari Server as non-root?
>>>>
>>>> https://issues.apache.org/jira/browse/AMBARI-10266
>>>>
>>>> You might be hitting that BUG.
>>>>
>>>> On 4/17/15, 3:41 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com> wrote:
>>>>
>>>>> Hi All,
>>>>> I'm trying to enable Kerberos in Ambari 2.0.0 after upgrade from Ambari
>>>>> 1.7.
>>>>>
>>>>> During "Test Kerberos Client" I'm getting the error "Failed to create
>>>>> keytab file for ambari-qa_idheyfiu@BIGDATA.XXX - Failed to export keytab
>>>>> file"
>>>>>
>>>>> The ambari-server.log states:
>>>>> 17 Apr 2015 21:41:29,601  INFO [Server Action Executor Worker 4215] CreateKeytabFilesServerAction:170 - Creating keytab file for ambari-qa_idheyfiu@BIGDATA$
>>>>> 17 Apr 2015 21:41:29,636 ERROR [Server Action Executor Worker 4215] KerberosOperationHandler:433 - Failed to export keytab file
>>>>> java.io.FileNotFoundException: /var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV01/4e6d850833d0d36946b1c5c5b260bec371c5247c (Pe$
>>>>>           at java.io.FileOutputStream.open(Native Method)
>>>>>           at java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>>>>>           at org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Keytab.java:273)
>>>>>           at org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab.java:133)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler.createKeytabFile(KerberosOperationHandler.java:429)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.processIdentity(CreateKeytabFilesServerAction.java:276)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:494)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:386)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.execute(CreateKeytabFilesServerAction.java:99)
>>>>>           at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:504)
>>>>>           at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:441)
>>>>>           at java.lang.Thread.run(Thread.java:744)
>>>>> 17 Apr 2015 21:41:29,637 ERROR [Server Action Executor Worker 4215] CreateKeytabFilesServerAction:290 - Failed to create keytab file for ambari-qa_idheyfiu$
>>>>> org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Failed to export keytab file
>>>>>           at org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler.createKeytabFile(KerberosOperationHandler.java:439)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.processIdentity(CreateKeytabFilesServerAction.java:276)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:494)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:386)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServerAction.execute(CreateKeytabFilesServerAction.java:99)
>>>>>           at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:504)
>>>>>           at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:441)
>>>>>           at java.lang.Thread.run(Thread.java:744)
>>>>> Caused by: java.io.FileNotFoundException: /var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV01/4e6d850833d0d36946b1c5c5b260bec37$
>>>>>           at java.io.FileOutputStream.open(Native Method)
>>>>>           at java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>>>>>           at org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Keytab.java:273)
>>>>>           at org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab.java:133)
>>>>>           at org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandler.createKeytabFile(KerberosOperationHandler.java:429)
>>>>>           ... 7 more
>>>>>
>>>>> I've found a Jira Log
>>>>> "https://issues.apache.org/jira/browse/AMBARI-10266" but the mentioned
>>>>> solution does not solve the issue. The permission denied exception still
>>>>> occurs.
>>>>> Ambari Server is running as root.
>>>>>
>
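
A way to confirm the condition discussed in this thread, as an added example that is not part of the original messages or of Ambari: list every directory under a given path whose owner lacks the execute (search) bit, such as the `drw-------` host directory in the listing above. The function names and the script name in the usage comment are illustrative; the mode is read from `ls -ld` instead of `test -x` because root passes `test -x` on any directory.

```shell
#!/bin/sh
# Added example (not from the thread or from Ambari): find directories that
# their owner cannot traverse, e.g. a keytab staging directory left at mode 600.

# owner_can_search DIR: succeed if DIR's owner has the search (x) bit.
# The 4th character of the `ls -ld` mode string is the owner execute slot.
owner_can_search() {
    bit=$(ls -ld -- "$1" | cut -c4)
    case "$bit" in
        x|s) return 0 ;;   # s = setuid with execute also set
        *)   return 1 ;;   # "-" or "S": owner cannot enter the directory
    esac
}

# unsearchable_dirs ROOT: print every directory at or below ROOT that its
# owner cannot traverse. Errors from unreadable subtrees are suppressed.
unsearchable_dirs() {
    find "$1" -type d 2>/dev/null | while IFS= read -r dir; do
        owner_can_search "$dir" || printf '%s\n' "$dir"
    done
}

# Usage: sh check_dirs.sh /var/lib/ambari-server/data/tmp
# (check_dirs.sh is an illustrative name; pass whichever temp path is in use)
if [ "$#" -gt 0 ]; then
    unsearchable_dirs "$1"
fi
```

Any path it prints is a directory in which a non-root owner cannot create or open files, which matches the "Permission denied" on keytab export described above.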

