You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@ambari.apache.org by "Sebastian Toader (JIRA)" <ji...@apache.org> on 2016/04/01 10:22:25 UTC

[jira] [Commented] (AMBARI-15645) Upgrading Kerberized JournalNode requires HDFS principal to perform 'role edits' task

    [ https://issues.apache.org/jira/browse/AMBARI-15645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15221353#comment-15221353 ] 

Sebastian Toader commented on AMBARI-15645:
-------------------------------------------

Committed to branch-2.2

{code}
commit 7a39a9905a170cea43dd550f2c034b3ed88bd5b1
Author: Robert Levas <rl...@hortonworks.com>
Date:   Fri Apr 1 10:09:18 2016 +0200

    AMBARI-15645. Upgrading Kerberized JournalNode requires HDFS principal to perform 'role edits' task. (Robert Levas via stoader)
{code}

Committed to trunk:
{code}
commit 0ada5769a54e687d54bbedd3011f456c6de4559e
Author: Robert Levas <rl...@hortonworks.com>
Date:   Fri Apr 1 10:09:18 2016 +0200

    AMBARI-15645. Upgrading Kerberized JournalNode requires HDFS principal to perform 'role edits' task. (Robert Levas via stoader)

{code}

> Upgrading Kerberized JournalNode requires HDFS principal to perform 'role edits' task
> -------------------------------------------------------------------------------------
>
>                 Key: AMBARI-15645
>                 URL: https://issues.apache.org/jira/browse/AMBARI-15645
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.2
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>             Fix For: 2.2.2
>
>         Attachments: AMBARI-15645_branch-2.2_01.patch, AMBARI-15645_trunk_01.patch
>
>
> After upgrading HDP in Ambari version 2.1.2.1 a task a performed to _role edits_ while restarting JournalNodes. If Kerberos is enabled, the JN Kerberos identity is established before making this call when really the HDFS identity should be established - since this is an administrative HDFS call that requires the HDFS administrator user to perform.
> Because of this, the following error is generated and seen in the :
> {noformat}
> Fail: Execution of 'hdfs dfsadmin -rollEdits' returned 255. rollEdits: Access denied for user jn. Superuser privilege is required
> {noformat}
> The offending code is
> {code:title=common-services/HDFS/2.1.0.2.0/package/scripts/journalnode_upgrade.py}
>   if params.security_enabled:
>     Execute(params.jn_kinit_cmd, user=params.hdfs_user)
>   time.sleep(5)
>   hdfs_roll_edits()
>   time.sleep(5)
> {code}
> It should probably be something like:
> {code:title=common-services/HDFS/2.1.0.2.0/package/scripts/journalnode_upgrade.py}
>   if params.security_enabled:
>     Execute(params.hdfs_kinit_cmd, user=params.hdfs_user)
>   time.sleep(5)
>   hdfs_roll_edits()
>   time.sleep(5)
> {code}
> *Note the change from jn to hdfs in the kinit command line.*
> This issue has also been posted in https://issues.apache.org/jira/browse/AMBARI-10519.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)