Posted to issues@ambari.apache.org by "Eric Yang (JIRA)" <ji...@apache.org> on 2017/07/26 16:04:01 UTC

[jira] [Commented] (AMBARI-21577) Hive-Service check failing in post EU validation (IOP-HDP)

    [ https://issues.apache.org/jira/browse/AMBARI-21577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16101850#comment-16101850 ] 

Eric Yang commented on AMBARI-21577:
------------------------------------

Quote from Hortonworks internal bug tracker by Robert Levas:

The problem is the existence of the following rule in the auth-to-local rule set (core-site/hadoop.security.auth_to_local):
{code}
RULE:[2:$1@$0](HTTP@EXAMPLE.COM)s/.*/cstm-hbase/
{code}

This rule was added due to a Kerberos identity descriptor from the BigInsights stack definition:
{code}
/HBASE/HBASE_REST_SERVER
{code}
{code}
                {
                  "keytab" : {
                    "configuration" : "hbase-site/hbase.rest.authentication.kerberos.keytab",
                    "file" : "${keytab_dir}/hbase.service.keytab",
                    "group" : {
                      "access" : "",
                      "name" : "${cluster-env/user_group}"
                    },
                    "owner" : {
                      "access" : "r",
                      "name" : "${hbase-env/hbase_user}"
                    }
                  },
                  "name" : "hbase_rest_server_spnego",
                  "principal" : {
                    "configuration" : "hbase-site/hbase.rest.authentication.kerberos.principal",
                    "local_username" : "${hbase-env/hbase_user}",
                    "type" : "service",
                    "value" : "HTTP/_HOST@${realm}"
                  }
                }
{code}
I am not sure what purpose this definition has since it seems to be messing up at least Hive and probably a few other things since this forces the SPNEGO identity to translate to the local user cstm-hbase (in this case). Generally it is expected that the SPNEGO identities have no explicit translation and by default will translate to HTTP. One way this is relevant is when the proxyuser configurations are considered. In this cluster, there are no hadoop.proxyuser.cstm-hbase configurations. However, the hadoop.proxyuser.HTTP configurations are set properly.... thus allowing the Hive service check to work when the rule in question is removed.
How do we want to proceed? Since BigInsights is going away, I guess there is no need to address the problem in that stack. So maybe upon upgrade, we try to figure out which rules should be removed and fix the auth-to-local rule set(s). There appear to be other issues with the rule set:

{code}
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-ams/
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-hbase/
{code}

In the above case, the 2nd rule will never get executed since the first matching rule wins. So amshbase/*@EXAMPLE.COM will always translate to cstm-ams.
Programmatically fixing this may be difficult since we won't be able to tell which rules were added by Ambari and which were custom. So the rules that do not belong will appear to Ambari as custom rules, so they cannot be removed. Maybe we can document this issue and have the user manually fix it after the upgrade to HDP?

In any case, I made the necessary change to the cluster at http://172.22.120.154:8080 and the Hive service check now works.

> Hive-Service check failing in post EU validation (IOP-HDP)
> ----------------------------------------------------------
>
>                 Key: AMBARI-21577
>                 URL: https://issues.apache.org/jira/browse/AMBARI-21577
>             Project: Ambari
>          Issue Type: Bug
>          Components: stacks
>    Affects Versions: 2.5.2
>         Environment:  OS:- RHEL 7
>  Ambari Upgraded 2.2.0 to 2.5.2.0-174
> Express Upgrade:- BigInsights-4.2.0.0 to HDP-2.6.2.0-107
>            Reporter: Eric Yang
>             Fix For: 2.5.2
>
>
> Steps to reproduce:-
> 1. Installed an IOP cluster ambari-version:- 2.2.0/20160616_1658,BigInsights-4.2.0.0
> 2. Upgrade the ambari from 2.2.0 to 2.5.2.0-174(IOP Clusters)
> 3. Remove IOP Select.
> 4. Register HDP Stack to HDP-2.6.2.0-107.
> 5. EU
> 6. Post EU
> Hive- Service check is failing :- 
> {code}
> HTTP/vs-iop420tofnsec-re-2.openstacklocal@EXAMPLE.COM is not allowed to impersonate ambari-qa
> {code}
> stderr:-
> {code}
> Traceback (most recent call last):
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py", line 194, in <module>
>     HiveServiceCheck().execute()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 329, in execute
>     method(env)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py", line 99, in service_check
>     webhcat_service_check()
>   File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89, in thunk
>     return fn(*args, **kwargs)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_service_check.py", line 125, in webhcat_service_check
>     logoutput=True)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 166, in __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 160, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 124, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 262, in action_run
>     tries=self.resource.tries, try_sleep=self.resource.try_sleep)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 72, in inner
>     result = function(command, **kwargs)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 102, in checked_call
>     tries=tries, try_sleep=try_sleep, timeout_kill_strategy=timeout_kill_strategy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 150, in _call_wrapper
>     result = _call(command, **kwargs_copy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 303, in _call
>     raise ExecutionFailed(err_msg, code, out, err)
> resource_management.core.exceptions.ExecutionFailed: Execution of '/var/lib/ambari-agent/tmp/templetonSmoke.sh vs-iop420tofnsec-re-2.openstacklocal ambari-qa 20111 idtest.ambari-qa.1500877355.88.pig /etc/security/keytabs/smokeuser.headless.keytab true /usr/bin/kinit ambari-qa@EXAMPLE.COM /var/lib/ambari-agent/tmp' returned 1. Templeton Smoke Test (ddl cmd): Failed. : {"error":"User: HTTP/vs-iop420tofnsec-re-2.openstacklocal@EXAMPLE.COM is not allowed to impersonate ambari-qa"}http_code <500>
> {code} 
> Screenshot:- !Screen Shot 2017-07-24 at 12.04.44 PM.png|thumbnail! 
> Live-Server:- http://172.22.115.63:8080.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
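
Added example, not part of the original message or of Ambari's code: a minimal Python model of how the auth_to_local rules quoted above are evaluated (first matching rule wins, DEFAULT yields the first principal component), plus a check that flags rules shadowed by an earlier rule with an identical selector. It handles only the RULE:[n:fmt](regex)s/pat/repl/ shape shown in the comment; the function names and the rule set with DEFAULT appended are assumptions.

```python
import re

# Supports only the rule shape quoted in the comment: RULE:[n:fmt](regex)s/pat/repl/ with optional g.
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g?)$")

# Constructed rule set: the three rules quoted in the comment, followed by DEFAULT.
RULES = """
RULE:[2:$1@$0](HTTP@EXAMPLE.COM)s/.*/cstm-hbase/
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-ams/
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-hbase/
DEFAULT
"""

def parse_rules(text):
    """Parse an auth_to_local value into an ordered list of rule dicts."""
    rules = []
    for raw in text.split():
        m = RULE_RE.match(raw)
        if raw != "DEFAULT" and not m:
            raise ValueError("unsupported rule: " + raw)
        keys = ("n", "fmt", "match", "pat", "repl", "g")
        rules.append(dict(zip(keys, m.groups()), raw=raw) if m else {"raw": raw, "n": None})
    return rules

def translate(principal, rules, default_realm):
    """Return (local_user, rule_that_fired); the first matching rule wins."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    for r in rules:
        if r["n"] is None:  # DEFAULT: first component, only for the default realm
            if realm == default_realm:
                return parts[0], r["raw"]
        elif int(r["n"]) == len(parts):
            # $0 is the realm, $1..$n are the principal components
            base = re.sub(r"\$(\d)", lambda m: ([realm] + parts)[int(m.group(1))], r["fmt"])
            if re.fullmatch(r["match"], base):
                return re.sub(r["pat"], r["repl"], base, count=0 if r["g"] else 1), r["raw"]
    return None, None

def shadowed(rules):
    """Return (dead_rule, earlier_rule) pairs whose selectors are identical."""
    seen, out = {}, []
    for r in (r for r in rules if r["n"] is not None):
        first = seen.setdefault((r["n"], r["fmt"], r["match"]), r)
        if first is not r:
            out.append((r["raw"], first["raw"]))
    return out
```

Running translate() on the SPNEGO principal from the service-check error with and without the first rule shows the short name changing from cstm-hbase to HTTP, which is the name the hadoop.proxyuser.* settings are keyed on.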