You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@ambari.apache.org by Fay Wang <fa...@yahoo.com> on 2016/01/08 00:48:22 UTC
Failed to put kerberos descriptor via REST API
Thanks, Rob, for the info!
I am able to get the default kerberos descriptor via REST api, but
get an error when issuing the following command to update the descriptor:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @/tmp/descriptor_update.json http://localhost:8080/api/v1/clusters/MyCluster/artifacts/kerberos_descriptor
HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
User: admin
Set-Cookie: AMBARISESSIONID=ia3j9lvqclb6fytb01x5c2vl;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 244
Server: Jetty(8.1.17.v20150415)
{
"status" : 404,
"message" : "org.apache.ambari.server.controller.spi.NoSuchResourceException: The requested resource doesn't exist: Artifact not found, Artifacts/cluster_name=MyCluster AND Artifacts/artifact_name=kerberos_descriptor"
}
The content of /tmp/descriptor_update.json:
{
"artifact_data" : {
"services" : [
{
"configurations" : [
{
"core-site" : {
"hadoop.proxyuser.HTTP.hosts" : "*"
}
}
],
"name" : "HIVE"
}
]
}
}
Thanks in advance for the help!
-fay
Re: Failed to put kerberos descriptor via REST API
Posted by Robert Levas <rl...@hortonworks.com>.
Hi Fay…
What version of Ambari are you using? I believe the credential mechanism changed in Ambari 2.2.0.
Before Ambari 2.2.0, the KDC administrator credential is stored in “session” and thus a HTTP session is needed to maintain access to this data between API calls. The error message indicates that this is what may be happening. So to fix it, you need to establish a HTTP session using CURL.
For Ambar 2.2.0 and up, the KDC administrator credential is stored in a server-wide keys store… either in temporary or permitted storage. If you are using this version, then the error message is incorrect and should actually direct you to use the credentials API – see https://github.com/apache/ambari/blob/trunk/ambari-server/docs/api/v1/credential-resources.md. No session is needed for this.
Rob
From: Fay Wang <fa...@yahoo.com>>
Reply-To: Fay Wang <fa...@yahoo.com>>
Date: Thursday, January 7, 2016 at 10:30 PM
To: Robert Levas <rl...@hortonworks.com>>
Cc: "user@ambari.apache.org<ma...@ambari.apache.org>" <us...@ambari.apache.org>>
Subject: Re: Failed to put kerberos descriptor via REST API
Thanks, Rob. Changing to POST works fine!
I am now able to kerberize the cluster using the REST API. However. starting services fails:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "STARTED"}}' http://localhost:8080/api/v1/clusters/MyCluster/services
HTTP/1.1 400 Bad Request
User: admin
Set-Cookie: AMBARISESSIONID=n1bo172w5po26xndrqfg95z9;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 460
Server: Jetty(8.1.17.v20150415)
{
"status" : 400,
"message" : "java.lang.IllegalArgumentException: Missing KDC administrator credentials.\nThe KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:\n{\n \"session_attributes\" : {\n \"kerberos_admin\" : {\"principal\" : \"(PRINCIPAL)\", \"password\" : \"(PASSWORD)\"}\n }\n}"
}
I then issued the command as suggested by the above message:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"session_attributes" : {"kerberos_admin" : {"principal" : "fay/admin@EXAMPLE.COM<ma...@EXAMPLE.COM>", "password" : "passw0rd"}}}' http://localhost:8080/api/v1/clusters/MyCluster
and then re-issued the start-service command. Still the start failed with the same error message.
Many thanks for your patience and help!
-fay
On Thursday, January 7, 2016 5:28 PM, Robert Levas <rl...@hortonworks.com>> wrote:
Hi Fay...
Instead of PUT, you should do a POST. To create a new kerberos_descriptor artifact. If a kerberos_descriptor artifact already existed, then you out PUT to update it.
I'll have to check, is the documentation I correct or confusing?
Rob
On Jan 7, 2016, at 6:50 PM, Fay Wang <fa...@yahoo.com>> wrote:
Thanks, Rob, for the info!
I am able to get the default kerberos descriptor via REST api, but
get an error when issuing the following command to update the descriptor:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @/tmp/descriptor_update.json http://localhost:8080/api/v1/clusters/MyCluster/artifacts/kerberos_descriptor
HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
User: admin
Set-Cookie: AMBARISESSIONID=ia3j9lvqclb6fytb01x5c2vl;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 244
Server: Jetty(8.1.17.v20150415)
{
"status" : 404,
"message" : "org.apache.ambari.server.controller.spi.NoSuchResourceException: The requested resource doesn't exist: Artifact not found, Artifacts/cluster_name=MyCluster AND Artifacts/artifact_name=kerberos_descriptor"
}
The content of /tmp/descriptor_update.json:
{
"artifact_data" : {
"services" : [
{
"configurations" : [
{
"core-site" : {
"hadoop.proxyuser.HTTP.hosts" : "*"
}
}
],
"name" : "HIVE"
}
]
}
}
Thanks in advance for the help!
-fay
Re: Failed to put kerberos descriptor via REST API
Posted by Fay Wang <fa...@yahoo.com>.
Thanks, Rob. Changing to POST works fine!
I am now able to kerberize the cluster using the REST API. However. starting services fails:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"ServiceInfo": {"state" : "STARTED"}}' http://localhost:8080/api/v1/clusters/MyCluster/services
HTTP/1.1 400 Bad Request
User: admin
Set-Cookie: AMBARISESSIONID=n1bo172w5po26xndrqfg95z9;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 460
Server: Jetty(8.1.17.v20150415)
{
"status" : 400,
"message" : "java.lang.IllegalArgumentException: Missing KDC administrator credentials.\nThe KDC administrator credentials must be set in session by updating the relevant Cluster resource.This may be done by issuing a PUT to the api/v1/clusters/(cluster name) API entry point with the following payload:\n{\n \"session_attributes\" : {\n \"kerberos_admin\" : {\"principal\" : \"(PRINCIPAL)\", \"password\" : \"(PASSWORD)\"}\n }\n}"
}
I then issued the command as suggested by the above message:curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d '{"session_attributes" : {"kerberos_admin" : {"principal" : "fay/admin@EXAMPLE.COM", "password" : "passw0rd"}}}' http://localhost:8080/api/v1/clusters/MyCluster
and then re-issued the start-service command. Still the start failed with the same error message.
Many thanks for your patience and help!
-fay
On Thursday, January 7, 2016 5:28 PM, Robert Levas <rl...@hortonworks.com> wrote:
Hi Fay...Instead of PUT, you should do a POST. To create a new kerberos_descriptor artifact. If a kerberos_descriptor artifact already existed, then you out PUT to update it.I'll have to check, is the documentation I correct or confusing?RobOn Jan 7, 2016, at 6:50 PM, Fay Wang <fa...@yahoo.com> wrote:
Thanks, Rob, for the info!
I am able to get the default kerberos descriptor via REST api, but
get an error when issuing the following command to update the descriptor:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @/tmp/descriptor_update.json http://localhost:8080/api/v1/clusters/MyCluster/artifacts/kerberos_descriptor
HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
User: admin
Set-Cookie: AMBARISESSIONID=ia3j9lvqclb6fytb01x5c2vl;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 244
Server: Jetty(8.1.17.v20150415)
{
"status" : 404,
"message" : "org.apache.ambari.server.controller.spi.NoSuchResourceException: The requested resource doesn't exist: Artifact not found, Artifacts/cluster_name=MyCluster AND Artifacts/artifact_name=kerberos_descriptor"
}
The content of /tmp/descriptor_update.json:
{
"artifact_data" : {
"services" : [
{
"configurations" : [
{
"core-site" : {
"hadoop.proxyuser.HTTP.hosts" : "*"
}
}
],
"name" : "HIVE"
}
]
}
}
Thanks in advance for the help!
-fay
Re: Failed to put kerberos descriptor via REST API
Posted by Robert Levas <rl...@hortonworks.com>.
Hi Fay...
Instead of PUT, you should do a POST. To create a new kerberos_descriptor artifact. If a kerberos_descriptor artifact already existed, then you out PUT to update it.
I'll have to check, is the documentation I correct or confusing?
Rob
On Jan 7, 2016, at 6:50 PM, Fay Wang <fa...@yahoo.com>> wrote:
Thanks, Rob, for the info!
I am able to get the default kerberos descriptor via REST api, but
get an error when issuing the following command to update the descriptor:
curl -H "X-Requested-By:ambari" -u admin:admin -i -X PUT -d @/tmp/descriptor_update.json http://localhost:8080/api/v1/clusters/MyCluster/artifacts/kerberos_descriptor
HTTP/1.1 100 Continue
HTTP/1.1 404 Not Found
User: admin
Set-Cookie: AMBARISESSIONID=ia3j9lvqclb6fytb01x5c2vl;Path=/;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/plain
Content-Length: 244
Server: Jetty(8.1.17.v20150415)
{
"status" : 404,
"message" : "org.apache.ambari.server.controller.spi.NoSuchResourceException: The requested resource doesn't exist: Artifact not found, Artifacts/cluster_name=MyCluster AND Artifacts/artifact_name=kerberos_descriptor"
}
The content of /tmp/descriptor_update.json:
{
"artifact_data" : {
"services" : [
{
"configurations" : [
{
"core-site" : {
"hadoop.proxyuser.HTTP.hosts" : "*"
}
}
],
"name" : "HIVE"
}
]
}
}
Thanks in advance for the help!
-fay