You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/05/15 19:03:38 UTC
Review Request 34281: Kerberos: Oozie auth rules do not look correct
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34281/
-----------------------------------------------------------
Review request for Ambari, Costel Radulescu and Emil Anca.
Bugs: AMBARI-11179
https://issues.apache.org/jira/browse/AMBARI-11179
Repository: ambari
Description
-------
0) create cluster, hDP 2.2, build 1203
1) Kerb cluster (hdfs, yarn,zk)
2) add ozzie
3) add hbase
4) everything seems ok.
5) I went and looked at oozie configs, oozie.authentication.kerberos.name.rules property looks like this...is this correct?
```
RULE:[1:$1@$0](ambari-qa-MyCluster@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hbase-MyCluster@EXAMPLE.COM)s/.*/hbase/
RULE:[1:$1@$0](hdfs-MyCluster@EXAMPLE.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
RULE:[1:$1@$0](.*@.*TODO-KERBEROS-DOMAIN)s/@.*//
RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
DEFAULT
```
#Solution
Remove the following values for oozie-site/oozie.authentication.kerberos.name.rules
_common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml:145_
```
RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
DEFAULT
```
_common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml:24_
```
RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
DEFAULT
```
Diffs
-----
ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml d7ae0e9
ambari-server/src/main/resources/common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml b17e4cd
Diff: https://reviews.apache.org/r/34281/diff/
Testing
-------
Thanks,
Robert Levas
Re: Review Request 34281: Kerberos: Oozie auth rules do not look
correct
Posted by Emil Anca <ea...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34281/#review84124
-----------------------------------------------------------
Ship it!
Ship It!
- Emil Anca
On May 15, 2015, 5:03 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34281/
> -----------------------------------------------------------
>
> (Updated May 15, 2015, 5:03 p.m.)
>
>
> Review request for Ambari, Costel Radulescu and Emil Anca.
>
>
> Bugs: AMBARI-11179
> https://issues.apache.org/jira/browse/AMBARI-11179
>
>
> Repository: ambari
>
>
> Description
> -------
>
> 0) create cluster, hDP 2.2, build 1203
> 1) Kerb cluster (hdfs, yarn,zk)
> 2) add ozzie
> 3) add hbase
> 4) everything seems ok.
> 5) I went and looked at oozie configs, oozie.authentication.kerberos.name.rules property looks like this...is this correct?
>
> ```
> RULE:[1:$1@$0](ambari-qa-MyCluster@EXAMPLE.COM)s/.*/ambari-qa/
> RULE:[1:$1@$0](hbase-MyCluster@EXAMPLE.COM)s/.*/hbase/
> RULE:[1:$1@$0](hdfs-MyCluster@EXAMPLE.COM)s/.*/hdfs/
> RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
> RULE:[1:$1@$0](.*@.*TODO-KERBEROS-DOMAIN)s/@.*//
> RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
> RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
> RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
> RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
> RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
> RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
> RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
> RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
> RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
> RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
> RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
> DEFAULT
> ```
>
>
> #Solution
> Remove the following values for oozie-site/oozie.authentication.kerberos.name.rules
>
> _common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml:145_
> ```
> RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
> RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
> RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> DEFAULT
> ```
>
> _common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml:24_
> ```
> RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
> RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
> RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> DEFAULT
> ```
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml d7ae0e9
> ambari-server/src/main/resources/common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml b17e4cd
>
> Diff: https://reviews.apache.org/r/34281/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 34281: Kerberos: Oozie auth rules do not look
correct
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/34281/#review83943
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On May 15, 2015, 1:03 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/34281/
> -----------------------------------------------------------
>
> (Updated May 15, 2015, 1:03 p.m.)
>
>
> Review request for Ambari, Costel Radulescu and Emil Anca.
>
>
> Bugs: AMBARI-11179
> https://issues.apache.org/jira/browse/AMBARI-11179
>
>
> Repository: ambari
>
>
> Description
> -------
>
> 0) create cluster, hDP 2.2, build 1203
> 1) Kerb cluster (hdfs, yarn,zk)
> 2) add ozzie
> 3) add hbase
> 4) everything seems ok.
> 5) I went and looked at oozie configs, oozie.authentication.kerberos.name.rules property looks like this...is this correct?
>
> ```
> RULE:[1:$1@$0](ambari-qa-MyCluster@EXAMPLE.COM)s/.*/ambari-qa/
> RULE:[1:$1@$0](hbase-MyCluster@EXAMPLE.COM)s/.*/hbase/
> RULE:[1:$1@$0](hdfs-MyCluster@EXAMPLE.COM)s/.*/hdfs/
> RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
> RULE:[1:$1@$0](.*@.*TODO-KERBEROS-DOMAIN)s/@.*//
> RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
> RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
> RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
> RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
> RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
> RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
> RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
> RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
> RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
> RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
> RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
> DEFAULT
> ```
>
>
> #Solution
> Remove the following values for oozie-site/oozie.authentication.kerberos.name.rules
>
> _common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml:145_
> ```
> RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
> RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
> RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> DEFAULT
> ```
>
> _common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml:24_
> ```
> RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
> RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
> RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
> DEFAULT
> ```
>
>
> Diffs
> -----
>
> ambari-server/src/main/resources/common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml d7ae0e9
> ambari-server/src/main/resources/common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml b17e4cd
>
> Diff: https://reviews.apache.org/r/34281/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Robert Levas
>
>