You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Manish Nema (JIRA)" <ji...@apache.org> on 2015/02/20 13:52:11 UTC

[jira] [Created] (AMBARI-9721) SPNEGO principals are not added for logviewer for all supervisor nodes for secure storm cluster

Manish Nema created AMBARI-9721:
-----------------------------------

             Summary: SPNEGO principals are not added for logviewer for all supervisor nodes for secure storm cluster
                 Key: AMBARI-9721
                 URL: https://issues.apache.org/jira/browse/AMBARI-9721
             Project: Ambari
          Issue Type: Bug
          Components: ambari-admin, ambari-server
    Affects Versions: 1.7.0
         Environment: CentOS 6.6 64bit
Java jdk1.7.0_67
Kerberos enabled 
            Reporter: Manish Nema


While securing cluster through Ambari (Storm only cluster), SPNEGO principals for logviewers are not added for other supervisor nodes by ambari in spnego.service.keytab. It only adds principal for Nimbus nodes, this results in spnego.service.keytab only for Nimbus node.
Logviewer service for other nodes (supervisor) are not started because of this. Copying the generated spnego.service.keytab from nimbus nodes to other nodes leads to following error 

(Mechanism level: Invalid argument (400) - Cannot find key of appropriate type to decrypt AP REP - AES256 CTS mode with HMAC SHA1-96)


Also Ambari generates storm.yaml file on restarts of supervisor nodes and this presently generates "kerberos.principal": "HTTP/<nimbus.host>" only whereas it should generate kerberos principal for appropriate logviewer/supervisor node.

ui.filter.params:
  "type": "kerberos"
  "kerberos.principal": "HTTP/two.cluster"
  "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab"
  "kerberos.name.rules": "DEFAULT"

This leads to logviewer process initialize only with nimbus principal and later on generate error while browsing UI of logviewer process with following error 



after generating correct keytab which contains HTTP principals for each host and distributing it to all supervisor/logviewer nodes, logviewer starts properly but that require manual changes to storm.yaml file to change kerberos.principal for that node and manual restart to logviewer process. 





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)