Posted to dev@ambari.apache.org by "Alejandro Fernandez (JIRA)" <ji...@apache.org> on 2014/08/23 00:54:12 UTC

[jira] [Commented] (AMBARI-6496) Ambari fails to start services because it still tries to kinit for hdfs_user when hdfs_principal_name is customized.

    [ https://issues.apache.org/jira/browse/AMBARI-6496?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14107646#comment-14107646 ] 

Alejandro Fernandez commented on AMBARI-6496:
---------------------------------------------

Repro steps:

1. Install Ambari 1.6.1 on a cluster with HDFS, YARN, TEZ, Nagios, Ganglia, and Zookeeper
2. From the Admin-Security page, use Firebug or Chrome's Debugger to change the "HDFS user principal" field by removing the read-only, and set its value to "etl_t123_hdfs". The full principal name should then be "etl_t123_hdfs@EXAMPLE.COM"
3. Save the .csv file
4. On the server, issue the following commands:
{code}
> sudo su -
> cp /vagrant/host-principal-keytab-list.csv /tmp/
> cp /vagrant/insecure_private_key /tmp/insecure_private_key
> cp /var/lib/ambari-server/resources/scripts/kerberos-setup.sh /tmp/
> cp /var/lib/ambari-server/resources/scripts/krb5.conf /tmp/
> cd /tmp
> mkdir /etc/security/keytabs
> sh kerberos-setup.sh host-principal-keytab-list.csv insecure_private_key
{code}

Verify that all of the principals and keytabs were created.
{code}
> kadmin.local -q "listprincs" | grep "EXAMPLE.COM"
> klist -k -t /etc/security/keytabs/hdfs.headless.keytab 
Keytab name: FILE:/etc/security/keytabs/hdfs.headless.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 08/21/14 22:06:37 etl_t123_hdfs@EXAMPLE.COM
   2 08/21/14 22:06:37 etl_t123_hdfs@EXAMPLE.COM
   2 08/21/14 22:06:37 etl_t123_hdfs@EXAMPLE.COM
   2 08/21/14 22:06:37 etl_t123_hdfs@EXAMPLE.COM
   2 08/21/14 22:06:37 etl_t123_hdfs@EXAMPLE.COM
   2 08/21/14 22:06:37 etl_t123_hdfs@EXAMPLE.COM
{code}
5. Before clicking on the "Apply" button on the wizard, perform the following on the server.
For both of these files, add the following line to the "values" section
/var/lib/ambari-server/resources/stacks/HDP/2.0.6/services/HDFS/configuration/core-site.xml
/var/lib/ambari-agent/cache/stacks/HDP/2.0.6/services/HDFS/configuration/core-site.xml
{code}
RULE:[2:$1@$0](.*hdfs@.*)s/.*/hdfs/
{code}
of the property named "hadoop.security.auth_to_local".
6. Click "Apply". This will restart the services, which will fail with a kinit problem.
In version 1.6.1, there's also a bug in hdfs_namenode.py, in which the following line should be
{code}
namenode_safe_mode_off = format("su - {hdfs_user} -c 'hdfs dfsadmin -safemode get' | grep 'Safe mode is OFF'")
{code}
instead of
{code}
namenode_safe_mode_off = format("su - {hdfs_user} -c 'hadoop dfsadmin -safemode get' | grep 'Safe mode is OFF'")
{code}
I replaced this directly on the server, and then tried to restart the services again.
7. To hide the underlying problem, change the value of the "hdfs_principal_name" property by running,
{code}
> /var/lib/ambari-server/resources/scripts/configs.sh set localhost dev global hdfs_principal_name "hdfs"
{code}
Ensure the property was saved by navigating to 
http://{server}.ambari.apache.org:8080/api/v1/clusters/{cluster}/configurations?type=global
E.g.,
http://c6401.ambari.apache.org:8080/api/v1/clusters/dev/configurations?type=global&tag=version1408659047251
and checking the value of the hdfs_principal_name property.

Note that in Ambari 1.7.0, the hdfs_principal_name property changed from being stored in "global" to "hadoop-env".
To test the fix, all services must be installed, and restarted while kerberized.



> Ambari fails to start services because it still tries to kinit for hdfs_user when hdfs_principal_name is customized.
> --------------------------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-6496
>                 URL: https://issues.apache.org/jira/browse/AMBARI-6496
>             Project: Ambari
>          Issue Type: Bug
>    Affects Versions: 1.6.1
>            Reporter: Mahadev konar
>            Assignee: Alejandro Fernandez
>             Fix For: 1.7.0
>
>
> Ambari fails to start services because it still tries to kinit for hdfs_user when hdfs_principal_name is customized.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
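
The hadoop.security.auth_to_local rule added in step 5 decides which Kerberos principals are treated as the local "hdfs" user. The following is an added example, not part of the original comment or of Ambari/Hadoop code: a simplified Python model of how such a RULE entry is evaluated, run against constructed principals. Assumptions: a rule applies only to principals with exactly n components, the filter must match the whole formatted string, and the sed expression replaces the first match unless "g" is given; DEFAULT and the /L flag are not modelled.

```python
import re

# Simplified model (assumption) of Hadoop's auth_to_local entry syntax:
#   RULE:[n:format](filter)s/pattern/replacement/[g]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?$")

def parse_rule(text):
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: %r" % text)
    n, fmt, flt, pat, repl, g = m.groups()
    return {"n": int(n), "fmt": fmt, "filter": flt,
            "pat": pat, "repl": repl, "global": g == "g"}

def apply_rule(rule, principal):
    """Return the mapped short name, or None when the rule is skipped."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) != rule["n"]:
        return None  # [n:...] only applies to principals with n components
    params = [realm] + components  # $0 = realm, $1.. = components
    base = re.sub(r"\$(\d)", lambda m: params[int(m.group(1))], rule["fmt"])
    if rule["filter"] is not None and not re.fullmatch(rule["filter"], base):
        return None  # the filter must match the whole formatted string
    if rule["pat"] is None:
        return base
    return re.sub(rule["pat"], lambda _: rule["repl"], base,
                  count=0 if rule["global"] else 1)

# The rule from step 5 of the comment.
PAGE_RULE = parse_rule("RULE:[2:$1@$0](.*hdfs@.*)s/.*/hdfs/")

# Constructed principals; only etl_t123_hdfs@EXAMPLE.COM appears on the page.
SAMPLES = [
    "etl_t123_hdfs@EXAMPLE.COM",                          # headless, 1 component
    "etl_t123_hdfs/c6401.ambari.apache.org@EXAMPLE.COM",  # 2 components
    "nn/c6401.ambari.apache.org@EXAMPLE.COM",             # filter does not match
    "other_hdfs/c6401.ambari.apache.org@EXAMPLE.COM",     # any "...hdfs" prefix
]

def evaluate(samples=SAMPLES):
    return {p: apply_rule(PAGE_RULE, p) for p in samples}

if __name__ == "__main__":
    for principal, short in evaluate().items():
        print("%-52s -> %s" % (principal, short))
```

In this model the `[2:...]` rule is skipped for the one-component principal shown in the klist output, while every two-component principal whose first component ends in "hdfs" maps to the local user "hdfs", which is worth checking when reviewing who can act as the HDFS superuser.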