You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Swapan Shridhar (JIRA)" <ji...@apache.org> on 2017/11/21 01:04:00 UTC
[jira] [Comment Edited] (AMBARI-22472) AMBARI-22472. Ambari Upgrade
2.5 -> 2.6 : Update NodeManager's HSI identity 'llap_zk_hive' and
'llap_task_hive' to use '/HIVE/HIVE_SERVER/hive_server_hive' reference
instead of creating the same identity again.
[ https://issues.apache.org/jira/browse/AMBARI-22472?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16257929#comment-16257929 ]
Swapan Shridhar edited comment on AMBARI-22472 at 11/21/17 1:03 AM:
--------------------------------------------------------------------
*TESTING:*
|||||||||||||||||||||||||| Ambari 2.5, before upgrade: ||||||||||||||||||||||||||
{code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
<property>
<name>hive.llap.daemon.keytab.file</name>
<value>/etc/security/keytabs/hive.service.keytab</value>
</property>
<property>
<name>hive.llap.daemon.service.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hive.llap.zk.sm.keytab.file</name>
<value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
</property>
<property>
<name>hive.llap.zk.sm.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
{code}
|||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
{code:title=Logs: Ambari Server Upgrade}
[root@swap-qqq-1 ~]# ambari-server upgrade
Using python /usr/bin/python
Upgrading ambari-server
INFO: Upgrade Ambari Server
INFO: Updating Ambari Server properties in ambari.properties ...
INFO: Updating Ambari Server properties in ambari-env.sh ...
WARNING: Original file ambari-env.sh kept
INFO: Fixing database objects owner
Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
INFO: Upgrading database schema
INFO: Return code from schema upgrade command, retcode = 0
INFO: Schema upgrade completed
Adjusting ambari-server permissions and ownership...
Ambari Server 'upgrade' completed successfully.
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]# ambari-server --version
2.6.0.0-267
[root@swap-qqq-1 ~]#
{code}
{code:title=Logs : Updating Kerberos descriptors}
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:673 - Updating YARN's HSI Kerberos Descriptor ....
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:685 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:700 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:709 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' principal descriptor value = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:717 - Updated 'llap_zk_hive' keytab descriptor file = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor owner name = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:722 - Updated 'llap_zk_hive' keytab descriptor owner access = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:724 - Updated 'llap_zk_hive' keytab descriptor group name = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:726 - Updated 'llap_zk_hive' keytab descriptor group access = ''
18 Nov 2017 07:25:54,004 INFO [main] UpgradeCatalog260:730 - Updated 'isYarnKerberosDescUpdated' = true
{code}
{code:title=Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'}
18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
{code}
*From UI :*
Changed hive.llap.zk.sm.keytab.file :
[^Screen Shot 2017-11-17 at 11.44.41 PM.png]
HSI up :
[^Screen Shot 2017-11-17 at 11.44.55 PM.png]
|||||||||||||||||||||||||| UT test runs for Ambari 2.6 and HDP 2.6 (which includes llap_zk_hive and llap_task_hive): ||||||||||||||||||||||||||
{code:title=UpgradeCatalog260Test::testUpdateKerberosDescriptorArtifact()}
2017-11-20 13:09:45,366 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185365' and configType 'ranger-kms-audit' to cluster 'cl1'
2017-11-20 13:09:45,367 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(595)) - cluster 'cl1' changed by: 'ambari-upgrade'; type='ranger-kms-audit' tag='version2' from='version1'
2017-11-20 13:09:45,367 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(675)) - Updating YARN's HSI Kerberos Descriptor ....
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(687)) - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive]
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_task_hive
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive, llap_task_hive]
{code}
{code:title=UpgradeCatalog260Test::testUpdateHiveConfigs()}
(AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185535' and configType 'hive-interactive-site' to cluster 'null'
2017-11-20 13:09:45,536 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:updateHiveConfigs(778)) - Updated HSI config(s) : [hive.llap.task.keytab.file, hive.llap.zk.sm.keytab.file] with values = [/etc/security/keytabs/hive.service.keytab, /etc/security/keytabs/hive.service.keytab]
{code}
was (Author: swapanshridhar):
*TESTING:*
|||||||||||||||||||||||||| Ambari 2.5, before upgrade: ||||||||||||||||||||||||||
{code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
<property>
<name>hive.llap.daemon.keytab.file</name>
<value>/etc/security/keytabs/hive.service.keytab</value>
</property>
<property>
<name>hive.llap.daemon.service.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hive.llap.zk.sm.keytab.file</name>
<value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
</property>
<property>
<name>hive.llap.zk.sm.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
{code}
|||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
{code:title=Logs: Ambari Server Upgrade}
[root@swap-qqq-1 ~]# ambari-server upgrade
Using python /usr/bin/python
Upgrading ambari-server
INFO: Upgrade Ambari Server
INFO: Updating Ambari Server properties in ambari.properties ...
INFO: Updating Ambari Server properties in ambari-env.sh ...
WARNING: Original file ambari-env.sh kept
INFO: Fixing database objects owner
Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
INFO: Upgrading database schema
INFO: Return code from schema upgrade command, retcode = 0
INFO: Schema upgrade completed
Adjusting ambari-server permissions and ownership...
Ambari Server 'upgrade' completed successfully.
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]# ambari-server --version
2.6.0.0-267
[root@swap-qqq-1 ~]#
{code}
{code:title=Logs : Updating Kerberos descriptors}
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:673 - Updating YARN's HSI Kerberos Descriptor ....
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:685 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:700 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:709 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' principal descriptor value = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:717 - Updated 'llap_zk_hive' keytab descriptor file = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor owner name = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:722 - Updated 'llap_zk_hive' keytab descriptor owner access = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:724 - Updated 'llap_zk_hive' keytab descriptor group name = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:726 - Updated 'llap_zk_hive' keytab descriptor group access = ''
18 Nov 2017 07:25:54,004 INFO [main] UpgradeCatalog260:730 - Updated 'isYarnKerberosDescUpdated' = true
{code}
{code:title=Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'}
18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
{code}
*From UI :*
Changed hive.llap.zk.sm.keytab.file :
[^Screen Shot 2017-11-17 at 11.44.41 PM.png]
HSI up :
[^Screen Shot 2017-11-17 at 11.44.55 PM.png]
> AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 : Update NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use '/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same identity again.
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: AMBARI-22472
> URL: https://issues.apache.org/jira/browse/AMBARI-22472
> Project: Ambari
> Issue Type: Bug
> Reporter: Swapan Shridhar
> Assignee: Swapan Shridhar
> Attachments: AMBARI-22472.patch, Screen Shot 2017-11-17 at 11.44.41 PM.png, Screen Shot 2017-11-17 at 11.44.55 PM.png
>
>
> **Background:**
> YARN NodeManager currently has:
> - 2 identities in 2.5 stack, namely : **'/HIVE/HIVE_SERVER/hive_server_hive'** and **'llap_zk_hive'**.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** creates same principal as above in a separate keytab file.
> - and 3 identities in 2.6 stack:
> *'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** and **llap_task_hive** creates same principal as above in a separate keytab file.
> **Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
> **Fix:**
> **For HDP 2.5:** Make **llap_zk_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
> **For HDP 2.6:** Make **llap_zk_hive** and **llap_task_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)