Posted to user@ambari.apache.org by Fay Wang <fa...@yahoo.com> on 2016/02/13 02:01:42 UTC
question on automating kerberization
Hi, I am able to call Ambari REST API to kerberize my cluster without going through Ambari UI. It works most of the time. However, sometimes, the keytabs in a particular node of the cluster are not generated at all, causing grief when starting the services. Although I can always regenerate keytabs afterwards, this is truly annoying. Is it a known issue? Please advise...
Thanks,
-fay
Re: question on automating kerberization
Posted by Robert Levas <rl...@hortonworks.com>.
Fay….
We can see if Ambari even attempted to distribute the keytabs to the hosts that do not have them. We can do this by grepping for SET_KEY in the command-*.json files in the ambari-agent lib directory:
grep SET_KEY /var/lib/ambari-agent/data/command-*.json
This should come up with a few files that contain this string. If not, then no attempt was made to distribute the keytabs or maybe the request never made it to the hosts – which I have seen happen in at least one instance and have a task to investigate what could have gone wrong. However in that case, the keytab files were eventually distributed after what I assume to be a retry of the request (from the Ambari server).
Other than that, I am out of ideas. You can try to regenerate the missing keytab files and hope they are distributed this time. This can be done via the API using the following:
PUT /api/v1/clusters/CLUSTER_NAME?regenerate_keytabs=missing
{
  "Clusters" : {
    "security_type" : "KERBEROS"
  }
}
Rob
From: Fay Wang <fa...@yahoo.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>, Fay Wang <fa...@yahoo.com>
Date: Sunday, February 14, 2016 at 5:28 PM
To: Robert Levas <rl...@hortonworks.com>, "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: Re: question on automating kerberization
Hi Rob,
The principals are created, and I did not see any exception/error in the ambari-server.log. Is there any other way for further investigation?
On Sunday, February 14, 2016 5:31 AM, Robert Levas <rl...@hortonworks.com> wrote:
Hi Fay…
This is the first that I have heard of this issue. Have you noticed a pattern as to which keytab files are not being created? Did you look in the ambari-server.log file to see if any errors are logged? Have you looked in the KDC (or Active Directory) to see if the principal had been created?
Rob
From: Fay Wang <fa...@yahoo.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>, Fay Wang <fa...@yahoo.com>
Date: Friday, February 12, 2016 at 8:01 PM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: question on automating kerberization
Hi,
I am able to call Ambari REST API to kerberize my cluster without going through Ambari UI. It works most of the time. However, sometimes, the keytabs in a particular node of the cluster are not generated at all, causing grief when starting the services. Although I can always regenerate keytabs afterwards, this is truly annoying. Is it a known issue? Please advise...
Thanks,
-fay
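The check and the retry from Rob's reply above, combined into one script as an added example (not part of the thread and not Ambari's own tooling). The function names, the `CURL` override and the server URL argument are assumptions; the `X-Requested-By` header is the one Ambari requires on modifying REST calls.

```shell
#!/bin/sh
# Added example: run the SET_KEY check on an agent host, then, if nothing was
# dispatched, ask the Ambari server to regenerate only the missing keytabs.

# List the agent command files that mention SET_KEY (the grep from the thread).
keytab_dispatch_files() {
    dir=${1:-/var/lib/ambari-agent/data}
    # -l prints file names only; an unmatched glob or missing dir is silenced.
    grep -l SET_KEY "$dir"/command-*.json 2>/dev/null
}

# Print "dispatched N" when N command files mention SET_KEY, else
# "not-dispatched". A hit shows the server sent the command to this host;
# it does not prove the keytab was written, so still check the keytab files.
keytab_dispatch_status() {
    n=$(keytab_dispatch_files "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "dispatched $n"
    else
        echo "not-dispatched"
    fi
}

# Send the PUT from the thread. Arguments (all assumptions of this example):
#   $1 base URL of the Ambari server, $2 cluster name, $3 Ambari user.
# "-u user" without a password makes curl prompt for it, which keeps the
# password out of the process list and the shell history.
regenerate_missing_keytabs() {
    base=$1 cluster=$2 user=$3
    "${CURL:-curl}" -sS -u "$user" -H 'X-Requested-By: ambari' -X PUT \
        -d '{"Clusters":{"security_type":"KERBEROS"}}' \
        "$base/api/v1/clusters/$cluster?regenerate_keytabs=missing"
}

# Typical use on a host that is missing keytabs:
#   [ "$(keytab_dispatch_status)" = "not-dispatched" ] &&
#       regenerate_missing_keytabs https://AMBARI_HOST:PORT CLUSTER_NAME admin
```

Running the status check on every host after an automated kerberization gives the "pattern" Rob asks about: which hosts never received the command, as opposed to hosts that received it but did not end up with keytab files.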
Re: question on automating kerberization
Posted by Fay Wang <fa...@yahoo.com>.
Hi Rob,
The principals are created, and I did not see any exception/error in the ambari-server.log. Is there any other way for further investigation?
On Sunday, February 14, 2016 5:31 AM, Robert Levas <rl...@hortonworks.com> wrote:
Hi Fay…
This is the first that I have heard of this issue. Have you noticed a pattern as to which keytab files are not being created? Did you look in the ambari-server.log file to see if any errors are logged? Have you looked in the KDC (or Active Directory) to see if the principal had been created?
Rob
From: Fay Wang <fa...@yahoo.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>, Fay Wang <fa...@yahoo.com>
Date: Friday, February 12, 2016 at 8:01 PM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: question on automating kerberization
Hi, I am able to call Ambari REST API to kerberize my cluster without going through Ambari UI. It works most of the time. However, sometimes, the keytabs in a particular node of the cluster are not generated at all, causing grief when starting the services. Although I can always regenerate keytabs afterwards, this is truly annoying. Is it a known issue? Please advise...
Thanks,
-fay
Re: question on automating kerberization
Posted by Robert Levas <rl...@hortonworks.com>.
Hi Fay…
This is the first that I have heard of this issue. Have you noticed a pattern as to which keytab files are not being created? Did you look in the ambari-server.log file to see if any errors are logged? Have you looked in the KDC (or Active Directory) to see if the principal had been created?
Rob
From: Fay Wang <fa...@yahoo.com>
Reply-To: "user@ambari.apache.org" <us...@ambari.apache.org>, Fay Wang <fa...@yahoo.com>
Date: Friday, February 12, 2016 at 8:01 PM
To: "user@ambari.apache.org" <us...@ambari.apache.org>
Subject: question on automating kerberization
Hi,
I am able to call Ambari REST API to kerberize my cluster without going through Ambari UI. It works most of the time. However, sometimes, the keytabs in a particular node of the cluster are not generated at all, causing grief when starting the services. Although I can always regenerate keytabs afterwards, this is truly annoying. Is it a known issue? Please advise...
Thanks,
-fay