You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2015/05/15 18:53:00 UTC

[jira] [Created] (AMBARI-11179) Kerberos: Oozie auth rules do not look correct

Robert Levas created AMBARI-11179:
-------------------------------------

             Summary: Kerberos: Oozie auth rules do not look correct
                 Key: AMBARI-11179
                 URL: https://issues.apache.org/jira/browse/AMBARI-11179
             Project: Ambari
          Issue Type: Bug
          Components: ambari-server
    Affects Versions: 2.1.0
            Reporter: Robert Levas
            Assignee: Robert Levas
             Fix For: 2.1.0


0) create cluster, hDP 2.2, build 1203
1) Kerb cluster (hdfs, yarn,zk)
2) add ozzie
3) add hbase
4) everything seems ok.
5) I went and looked at oozie configs, oozie.authentication.kerberos.name.rules property looks like this...is this correct?

{code}
RULE:[1:$1@$0](ambari-qa-MyCluster@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hbase-MyCluster@EXAMPLE.COM)s/.*/hbase/
RULE:[1:$1@$0](hdfs-MyCluster@EXAMPLE.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
RULE:[1:$1@$0](.*@.*TODO-KERBEROS-DOMAIN)s/@.*//
RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
DEFAULT
{code}


*Solution*
Remove the following values for oozie-site/oozie.authentication.kerberos.name.rules

{code:title=common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml:145}
      RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
      RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
      RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      DEFAULT
{code}

{code:title=common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml:24}
      RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
      RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
      RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      DEFAULT
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)