You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Sebastian Toader (JIRA)" <ji...@apache.org> on 2016/04/01 10:22:25 UTC
[jira] [Commented] (AMBARI-15645) Upgrading Kerberized JournalNode
requires HDFS principal to perform 'role edits' task
[ https://issues.apache.org/jira/browse/AMBARI-15645?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15221353#comment-15221353 ]
Sebastian Toader commented on AMBARI-15645:
-------------------------------------------
Committed to branch-2.2
{code}
commit 7a39a9905a170cea43dd550f2c034b3ed88bd5b1
Author: Robert Levas <rl...@hortonworks.com>
Date: Fri Apr 1 10:09:18 2016 +0200
AMBARI-15645. Upgrading Kerberized JournalNode requires HDFS principal to perform 'role edits' task. (Robert Levas via stoader)
{code}
Committed to trunk:
{code}
commit 0ada5769a54e687d54bbedd3011f456c6de4559e
Author: Robert Levas <rl...@hortonworks.com>
Date: Fri Apr 1 10:09:18 2016 +0200
AMBARI-15645. Upgrading Kerberized JournalNode requires HDFS principal to perform 'role edits' task. (Robert Levas via stoader)
{code}
> Upgrading Kerberized JournalNode requires HDFS principal to perform 'role edits' task
> -------------------------------------------------------------------------------------
>
> Key: AMBARI-15645
> URL: https://issues.apache.org/jira/browse/AMBARI-15645
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.1.2
> Reporter: Robert Levas
> Assignee: Robert Levas
> Fix For: 2.2.2
>
> Attachments: AMBARI-15645_branch-2.2_01.patch, AMBARI-15645_trunk_01.patch
>
>
> After upgrading HDP in Ambari version 2.1.2.1 a task a performed to _role edits_ while restarting JournalNodes. If Kerberos is enabled, the JN Kerberos identity is established before making this call when really the HDFS identity should be established - since this is an administrative HDFS call that requires the HDFS administrator user to perform.
> Because of this, the following error is generated and seen in the :
> {noformat}
> Fail: Execution of 'hdfs dfsadmin -rollEdits' returned 255. rollEdits: Access denied for user jn. Superuser privilege is required
> {noformat}
> The offending code is
> {code:title=common-services/HDFS/2.1.0.2.0/package/scripts/journalnode_upgrade.py}
> if params.security_enabled:
> Execute(params.jn_kinit_cmd, user=params.hdfs_user)
> time.sleep(5)
> hdfs_roll_edits()
> time.sleep(5)
> {code}
> It should probably be something like:
> {code:title=common-services/HDFS/2.1.0.2.0/package/scripts/journalnode_upgrade.py}
> if params.security_enabled:
> Execute(params.hdfs_kinit_cmd, user=params.hdfs_user)
> time.sleep(5)
> hdfs_roll_edits()
> time.sleep(5)
> {code}
> *Note the change from jn to hdfs in the kinit command line.*
> This issue has also been posted in https://issues.apache.org/jira/browse/AMBARI-10519.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)