ambari-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Levas <rle...@hortonworks.com>
Subject Re: Ambari 2.0 Kerberos Activation - Failed to create keytab
Date Sat, 18 Apr 2015 10:40:51 GMT
I am glad that I could help; even though the solution may not have been
ideal. 

I am not sure about the release dates for 2.0.1 or 2.1.  I assume sometime
before the end of May both will be released.

Rob


On 4/18/15, 2:35 AM, "Frank Eisenhauer" <feisenhauer2@gmail.com> wrote:

>Hi Rob,
>
>thank you very much.
>I wasn't aware Ambari is running as non-root as I always started Ambaris
>as root user.
>
>I changed the user setting in ambari.properties and was able to activate
>kerberos.
>
>Is there already a date for the Ambari Update to be availabe?
>
>Best regards
>Frank
>
>Am 18.04.2015 um 01:22 schrieb Robert Levas:
>> Hi FrankŠ
>>
>> It seems like Ambari is running as ambari-server, not root.  This isn¹t
>> typically an issue, but in this case the problem from
>> https://issues.apache.org/jira/browse/AMBARI-10266 is coming into play.
>> The solution will be in the next releases of Ambari (2.0.1 and 2.1), but
>> for now it appears that you need to run Ambari as root to get around
>>this
>> issue.
>>
>> Essentially, unless you are root, the directory must be executable in
>> order to write files in it.  There is a bug in Ambari where when it
>> attempts to protect temporary files created while enabling Kerberos, it
>> fails to properly set the executable flag on relevant directories. Thus
>> the error condition.  For some reason, the root user does not have this
>> restriction and the bug is avoided.
>>
>> Is it possible to run Ambari as root?  I think you need to edit
>> /etc/ambari-server/conf/ambari.properties and set ambari-server.user to
>> root:
>>
>> 	ambari-server.user=root
>>
>> Then restart Ambari.
>>
>> I am sorry that this is the only solution that I can think of until the
>> next release. I hope it helps,
>>
>> Rob
>>
>>    
>>   
>>
>>
>> On 4/17/15, 5:34 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com> wrote:
>>
>>> Hi Rob,
>>>
>>> the direcory "/var/lib/ambari-server/data/tmp/" exists and has the
>>> following permissions:
>>>
>>> drwx------  2 ambari-server root 4096 Apr 13 20:28 cache
>>> drwxrwxrwx 10 ambari-server root 4096 Apr 17 21:41 tmp
>>>
>>> I changed the permissions to 777 just to exclude permissions as a root
>>> cause.
>>> But unfortunately changing the permissions has no effect on the issue.
>>>
>>> After executing "Install and Test Kerberos Client" via Ambari Kerberos
>>> wizard, two new folders are beeing created in the tmp directory, with
>>> the following permissions:
>>>
>>> drwxr-xr-x  3 ambari-server ambari-server 4096 Apr 17 23:35
>>> .ambari_1429306535296-0.d
>>> drwxr-xr-x  2 ambari-server ambari-server 4096 Apr 17 23:35
>>> .ambari_1429306535374-0.d
>>>
>>> Disk space and available inodes is not an issue. I really don't see a
>>> reason why the files cannot be writen to that directory.
>>>
>>> Inside of the first folder mentioned above, ther's is another folder
>>> with the hostname:
>>>
>>> drw------- 2 ambari-server ambari-server 4096 Apr 17 23:35
>>> HADOOP01.BIGDATA.LOCAL
>>> -rw-r--r-- 1 ambari-server ambari-server  765 Apr 17 23:35 index.dat
>>>
>>> The ambari log states, that the kerberos keytab is exported to the host
>>> directory. Might the missing execute flag be a cause for the permission
>>> denied error?
>>>
>>> The installation runs on CentOS 6.6 and Java Version is 1.7.0_71
>>>
>>> Am 17.04.2015 um 23:14 schrieb Robert Levas:
>>>> Hi Frank,
>>>>
>>>> Can you check to see if /var/lib/ambari-server/data/tmp/ exists on the
>>>> Ambari server host?  If so, what permissions does it have?
>>>>
>>>> Ideally, /var/lib/ambari-server/data/tmp/ exists and all directories
>>>>in
>>>> the path are executable by the user that Ambari runs as.
>>>>
>>>> Both of these are essentially covered in
>>>> https://issues.apache.org/jira/browse/AMBARI-10266 and I saw that you
>>>> acknowledged the solution in the ticket, but I just wanted to make
>>>>sure
>>>> we
>>>> covered all of the bases.
>>>>
>>>> Other than this, I am not sure while the file cannot be written.
>>>> Obvious
>>>> things like being out of disk space or memory could cause the issue,
>>>>but
>>>> you would be seeing other issues if this was the case.
>>>>
>>>> What OS and Java VM are you running Ambari on?
>>>>
>>>> Rob
>>>>
>>>> On 4/17/15, 4:03 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com>
>>>>wrote:
>>>>
>>>>> Hi Jeff,
>>>>>
>>>>> Ambari is running as root.
>>>>>
>>>>> Am 17.04.2015 um 21:50 schrieb Jeff Sposetti:
>>>>>> Hi, Are you running your Ambari Server as non-root?
>>>>>>
>>>>>> https://issues.apache.org/jira/browse/AMBARI-10266
>>>>>>
>>>>>> You might be hitting that BUG.
>>>>>>
>>>>>> On 4/17/15, 3:41 PM, "Frank Eisenhauer" <feisenhauer2@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi All,
>>>>>>> I'm trying to enable Kerberos in Ambari 2.0.0 after upgrade from
>>>>>>> Ambari
>>>>>>> 1.7.
>>>>>>>
>>>>>>> During "Test Kerberos Client" I'm getting the error "Failed to
>>>>>>>create
>>>>>>> keytab file for ambari-qa_idheyfiu@BIGDATA.XXX - Failed to export
>>>>>>> keytab
>>>>>>> file"
>>>>>>>
>>>>>>> The ambari-server.log states:
>>>>>>> 17 Apr 2015 21:41:29,601  INFO [Server Action Executor Worker
4215]
>>>>>>> CreateKeytabFilesServerAction:170 - Creating keytab file for
>>>>>>> ambari-qa_idheyfiu@BIGDATA$
>>>>>>> 17 Apr 2015 21:41:29,636 ERROR [Server Action Executor Worker
4215]
>>>>>>> KerberosOperationHandler:433 - Failed to export keytab file
>>>>>>> java.io.FileNotFoundException:
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>/var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV
>>>>>>>01
>>>>>>> /4
>>>>>>> e6
>>>>>>> d850833d0d36946b1c5c5b260bec371c5247c
>>>>>>> (Pe$
>>>>>>>            at java.io.FileOutputStream.open(Native Method)
>>>>>>>            at
>>>>>>> java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(
>>>>>>>Ke
>>>>>>> yt
>>>>>>> ab
>>>>>>> .java:273)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keyt
>>>>>>>ab
>>>>>>> .j
>>>>>>> av
>>>>>>> a:133)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosOperationHand
>>>>>>>le
>>>>>>> r.
>>>>>>> cr
>>>>>>> eateKeytabFile(KerberosOperationHandler.java:429)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServ
>>>>>>>er
>>>>>>> Ac
>>>>>>> ti
>>>>>>> on.processIdentity(CreateKeytabFilesServerAction.java:276)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.
>>>>>>>pr
>>>>>>> oc
>>>>>>> es
>>>>>>> sRecord(KerberosServerAction.java:494)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.
>>>>>>>pr
>>>>>>> oc
>>>>>>> es
>>>>>>> sIdentities(KerberosServerAction.java:386)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServ
>>>>>>>er
>>>>>>> Ac
>>>>>>> ti
>>>>>>> on.execute(CreateKeytabFilesServerAction.java:99)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.ex
>>>>>>>ec
>>>>>>> ut
>>>>>>> e(
>>>>>>> ServerActionExecutor.java:504)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.ru
>>>>>>>n(
>>>>>>> Se
>>>>>>> rv
>>>>>>> erActionExecutor.java:441)
>>>>>>>            at java.lang.Thread.run(Thread.java:744)
>>>>>>> 17 Apr 2015 21:41:29,637 ERROR [Server Action Executor Worker
4215]
>>>>>>> CreateKeytabFilesServerAction:290 - Failed to create keytab file
>>>>>>>for
>>>>>>> ambari-qa_idheyfiu$
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosOperationExce
>>>>>>>pt
>>>>>>> io
>>>>>>> n:
>>>>>>>
>>>>>>> Failed to export keytab file
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosOperationHand
>>>>>>>le
>>>>>>> r.
>>>>>>> cr
>>>>>>> eateKeytabFile(KerberosOperationHandler.java:439)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServ
>>>>>>>er
>>>>>>> Ac
>>>>>>> ti
>>>>>>> on.processIdentity(CreateKeytabFilesServerAction.java:276)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.
>>>>>>>pr
>>>>>>> oc
>>>>>>> es
>>>>>>> sRecord(KerberosServerAction.java:494)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.
>>>>>>>pr
>>>>>>> oc
>>>>>>> es
>>>>>>> sIdentities(KerberosServerAction.java:386)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServ
>>>>>>>er
>>>>>>> Ac
>>>>>>> ti
>>>>>>> on.execute(CreateKeytabFilesServerAction.java:99)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.ex
>>>>>>>ec
>>>>>>> ut
>>>>>>> e(
>>>>>>> ServerActionExecutor.java:504)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.ru
>>>>>>>n(
>>>>>>> Se
>>>>>>> rv
>>>>>>> erActionExecutor.java:441)
>>>>>>>            at java.lang.Thread.run(Thread.java:744)
>>>>>>> Caused by: java.io.FileNotFoundException:
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>/var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV
>>>>>>>01
>>>>>>> /4
>>>>>>> e6
>>>>>>> d850833d0d36946b1c5c5b260bec37$
>>>>>>>            at java.io.FileOutputStream.open(Native Method)
>>>>>>>            at
>>>>>>> java.io.FileOutputStream.<init>(FileOutputStream.java:221)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(
>>>>>>>Ke
>>>>>>> yt
>>>>>>> ab
>>>>>>> .java:273)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keyt
>>>>>>>ab
>>>>>>> .j
>>>>>>> av
>>>>>>> a:133)
>>>>>>>            at
>>>>>>>
>>>>>>>
>>>>>>> 
>>>>>>>org.apache.ambari.server.serveraction.kerberos.KerberosOperationHand
>>>>>>>le
>>>>>>> r.
>>>>>>> cr
>>>>>>> eateKeytabFile(KerberosOperationHandler.java:429)
>>>>>>>            ... 7 more
>>>>>>>
>>>>>>> I've found a Jira Log
>>>>>>> "https://issues.apache.org/jira/browse/AMBARI-10266" but the
>>>>>>> mentioned
>>>>>>> solution does not solve the issue. The permission denied exception
>>>>>>> still
>>>>>>> occurs.
>>>>>>> Ambari Server is running as root.
>>>>>>>
>

Mime
View raw message