You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@ambari.apache.org by Swapan Shridhar <ss...@hortonworks.com> on 2017/11/18 07:56:11 UTC
Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 : Update
NodeManager's HSI identity 'llap_zk_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/
-----------------------------------------------------------
Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
Bugs: AMBARI-22472
https://issues.apache.org/jira/browse/AMBARI-22472
Repository: ambari
Description
-------
**Background:**
YARN NodeManager currently have 2 identities in 2.5 and 2.6 stack, namely : *'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
- */HIVE/HIVE_SERVER/hive_server_hive* is a reference from HIVE_SERVER, whereas
- *llap_zk_hive* creates same principal as above in a separate keytab file.
**Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
**Fix:** Make * llap_zk_hive* also point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
Diff: https://reviews.apache.org/r/63937/diff/1/
Testing
-------
**TESTING:**
|||||||||||||||||||||||||| Ambari 2.5, before upgrade: ||||||||||||||||||||||||||
{code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
<property>
<name>hive.llap.daemon.keytab.file</name>
<value>/etc/security/keytabs/hive.service.keytab</value>
</property>
<property>
<name>hive.llap.daemon.service.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hive.llap.zk.sm.keytab.file</name>
<value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
</property>
<property>
<name>hive.llap.zk.sm.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
{code}
|||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
**Logs: Ambari Server Upgrade**
[root@swap-qqq-1 ~]# ambari-server upgrade
Using python /usr/bin/python
Upgrading ambari-server
INFO: Upgrade Ambari Server
INFO: Updating Ambari Server properties in ambari.properties ...
INFO: Updating Ambari Server properties in ambari-env.sh ...
WARNING: Original file ambari-env.sh kept
INFO: Fixing database objects owner
Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
INFO: Upgrading database schema
INFO: Return code from schema upgrade command, retcode = 0
INFO: Schema upgrade completed
Adjusting ambari-server permissions and ownership...
Ambari Server 'upgrade' completed successfully.
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]# ambari-server --version
2.6.0.0-267
[root@swap-qqq-1 ~]#
**Logs : Updating Kerberos descriptors**
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:673 - Updating YARN's HSI Kerberos Descriptor ....
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:685 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:700 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:709 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' principal descriptor value = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:717 - Updated 'llap_zk_hive' keytab descriptor file = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor owner name = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:722 - Updated 'llap_zk_hive' keytab descriptor owner access = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:724 - Updated 'llap_zk_hive' keytab descriptor group name = ''
18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:726 - Updated 'llap_zk_hive' keytab descriptor group access = ''
18 Nov 2017 07:25:54,004 INFO [main] UpgradeCatalog260:730 - Updated 'isYarnKerberosDescUpdated' = true
**Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
**From UI**:
Changed hive.llap.zk.sm.keytab.file :
https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
HSI up :
https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
Thanks,
Swapan Shridhar
Re: Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 :
Update
NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
Posted by Madhuvanthi Radhakrishnan <mr...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/#review191745
-----------------------------------------------------------
Ship it!
Ship It!
- Madhuvanthi Radhakrishnan
On Nov. 22, 2017, 12:13 a.m., Swapan Shridhar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63937/
> -----------------------------------------------------------
>
> (Updated Nov. 22, 2017, 12:13 a.m.)
>
>
> Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
>
>
> Bugs: AMBARI-22472
> https://issues.apache.org/jira/browse/AMBARI-22472
>
>
> Repository: ambari
>
>
> Description
> -------
>
> **Background:**
> YARN NodeManager currently has:
>
> - 2 identities in 2.5 stack, namely : **'/HIVE/HIVE_SERVER/hive_server_hive'** and **'llap_zk_hive'**.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** creates same principal as above in a separate keytab file.
>
> - and 3 identities in 2.6 stack:
> *'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** and **llap_task_hive** creates same principal as above in a separate keytab file.
>
> **Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
>
> **Fix:**
>
> **For HDP 2.5:** Make **llap_zk_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
>
> **For HDP 2.6:** Make **llap_zk_hive** and **llap_task_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
> ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json af6bda6
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json e0417bf
> ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
> ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
>
>
> Diff: https://reviews.apache.org/r/63937/diff/3/
>
>
> Testing
> -------
>
> **TESTING:**
>
> |||||||||||||||||||||||||| Ambari 2.5, HDP 2.5 before upgrade: ||||||||||||||||||||||||||
>
>
> {code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
> <property>
> <name>hive.llap.daemon.keytab.file</name>
> <value>/etc/security/keytabs/hive.service.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.daemon.service.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.keytab.file</name>
> <value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
> {code}
>
>
> |||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
>
>
> **Logs: Ambari Server Upgrade**
>
> [root@swap-qqq-1 ~]# ambari-server upgrade
> Using python /usr/bin/python
> Upgrading ambari-server
> INFO: Upgrade Ambari Server
> INFO: Updating Ambari Server properties in ambari.properties ...
> INFO: Updating Ambari Server properties in ambari-env.sh ...
> WARNING: Original file ambari-env.sh kept
> INFO: Fixing database objects owner
> Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
> INFO: Upgrading database schema
> INFO: Return code from schema upgrade command, retcode = 0
> INFO: Schema upgrade completed
> Adjusting ambari-server permissions and ownership...
> Ambari Server 'upgrade' completed successfully.
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]# ambari-server --version
> 2.6.0.0-267
> [root@swap-qqq-1 ~]#
>
>
> **Logs : Updating Kerberos descriptors**
>
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:675 - Updating YARN's HSI Kerberos Descriptor ....
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:687 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:707 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:715 - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:723 - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:725 - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:727 - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:729 - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:733 - Updated 'yarnKerberosDescUpdatedList' = [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
>
> **Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
>
> 18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
>
>
> **From UI**:
>
> Changed hive.llap.zk.sm.keytab.file :
> https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
>
> HSI up :
> https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
>
>
> ------------------------------------
>
>
> UT test runs for Ambari 2.6 and HDP 2.6 (which includes **llap_zk_hive** and **llap_task_hive**):
>
>
> **UpgradeCatalog260Test::testUpdateKerberosDescriptorArtifact()**
>
> 2017-11-20 13:09:45,366 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185365' and configType 'ranger-kms-audit' to cluster 'cl1'
> 2017-11-20 13:09:45,367 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(595)) - cluster 'cl1' changed by: 'ambari-upgrade'; type='ranger-kms-audit' tag='version2' from='version1'
> 2017-11-20 13:09:45,367 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(675)) - Updating YARN's HSI Kerberos Descriptor ....
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(687)) - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive]
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_task_hive
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
>
>
> **UpgradeCatalog260Test::testUpdateHiveConfigs()**
>
> (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185535' and configType 'hive-interactive-site' to cluster 'null'
> 2017-11-20 13:09:45,536 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:updateHiveConfigs(778)) - Updated HSI config(s) : [hive.llap.task.keytab.file, hive.llap.zk.sm.keytab.file] with values = [/etc/security/keytabs/hive.service.keytab, /etc/security/keytabs/hive.service.keytab]
>
>
> Thanks,
>
> Swapan Shridhar
>
>
Re: Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 :
Update
NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
Posted by Swapan Shridhar <ss...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/
-----------------------------------------------------------
(Updated Nov. 22, 2017, 12:13 a.m.)
Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
Changes
-------
Updated UT.
Bugs: AMBARI-22472
https://issues.apache.org/jira/browse/AMBARI-22472
Repository: ambari
Description
-------
**Background:**
YARN NodeManager currently has:
- 2 identities in 2.5 stack, namely : **'/HIVE/HIVE_SERVER/hive_server_hive'** and **'llap_zk_hive'**.
-- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
-- **llap_zk_hive** creates same principal as above in a separate keytab file.
- and 3 identities in 2.6 stack:
*'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
-- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
-- **llap_zk_hive** and **llap_task_hive** creates same principal as above in a separate keytab file.
**Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
**Fix:**
**For HDP 2.5:** Make **llap_zk_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
**For HDP 2.6:** Make **llap_zk_hive** and **llap_task_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
Diffs (updated)
-----
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json af6bda6
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json e0417bf
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
Diff: https://reviews.apache.org/r/63937/diff/3/
Changes: https://reviews.apache.org/r/63937/diff/2-3/
Testing
-------
**TESTING:**
|||||||||||||||||||||||||| Ambari 2.5, HDP 2.5 before upgrade: ||||||||||||||||||||||||||
{code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
<property>
<name>hive.llap.daemon.keytab.file</name>
<value>/etc/security/keytabs/hive.service.keytab</value>
</property>
<property>
<name>hive.llap.daemon.service.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hive.llap.zk.sm.keytab.file</name>
<value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
</property>
<property>
<name>hive.llap.zk.sm.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
{code}
|||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
**Logs: Ambari Server Upgrade**
[root@swap-qqq-1 ~]# ambari-server upgrade
Using python /usr/bin/python
Upgrading ambari-server
INFO: Upgrade Ambari Server
INFO: Updating Ambari Server properties in ambari.properties ...
INFO: Updating Ambari Server properties in ambari-env.sh ...
WARNING: Original file ambari-env.sh kept
INFO: Fixing database objects owner
Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
INFO: Upgrading database schema
INFO: Return code from schema upgrade command, retcode = 0
INFO: Schema upgrade completed
Adjusting ambari-server permissions and ownership...
Ambari Server 'upgrade' completed successfully.
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]# ambari-server --version
2.6.0.0-267
[root@swap-qqq-1 ~]#
**Logs : Updating Kerberos descriptors**
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:675 - Updating YARN's HSI Kerberos Descriptor ....
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:687 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:707 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:715 - Updated 'llap_zk_hive' principal descriptor value = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor file = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:723 - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:725 - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:727 - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:729 - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:733 - Updated 'yarnKerberosDescUpdatedList' = [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
**Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
**From UI**:
Changed hive.llap.zk.sm.keytab.file :
https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
HSI up :
https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
------------------------------------
UT test runs for Ambari 2.6 and HDP 2.6 (which includes **llap_zk_hive** and **llap_task_hive**):
**UpgradeCatalog260Test::testUpdateKerberosDescriptorArtifact()**
2017-11-20 13:09:45,366 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185365' and configType 'ranger-kms-audit' to cluster 'cl1'
2017-11-20 13:09:45,367 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(595)) - cluster 'cl1' changed by: 'ambari-upgrade'; type='ranger-kms-audit' tag='version2' from='version1'
2017-11-20 13:09:45,367 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(675)) - Updating YARN's HSI Kerberos Descriptor ....
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(687)) - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive]
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_task_hive
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
**UpgradeCatalog260Test::testUpdateHiveConfigs()**
(AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185535' and configType 'hive-interactive-site' to cluster 'null'
2017-11-20 13:09:45,536 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:updateHiveConfigs(778)) - Updated HSI config(s) : [hive.llap.task.keytab.file, hive.llap.zk.sm.keytab.file] with values = [/etc/security/keytabs/hive.service.keytab, /etc/security/keytabs/hive.service.keytab]
Thanks,
Swapan Shridhar
Re: Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 :
Update
NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/#review191596
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Levas
On Nov. 21, 2017, 2:28 a.m., Swapan Shridhar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63937/
> -----------------------------------------------------------
>
> (Updated Nov. 21, 2017, 2:28 a.m.)
>
>
> Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
>
>
> Bugs: AMBARI-22472
> https://issues.apache.org/jira/browse/AMBARI-22472
>
>
> Repository: ambari
>
>
> Description
> -------
>
> **Background:**
> YARN NodeManager currently has:
>
> - 2 identities in 2.5 stack, namely : **'/HIVE/HIVE_SERVER/hive_server_hive'** and **'llap_zk_hive'**.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** creates same principal as above in a separate keytab file.
>
> - and 3 identities in 2.6 stack:
> *'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** and **llap_task_hive** creates same principal as above in a separate keytab file.
>
> **Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
>
> **Fix:**
>
> **For HDP 2.5:** Make **llap_zk_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
>
> **For HDP 2.6:** Make **llap_zk_hive** and **llap_task_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
> ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json af6bda6
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json e0417bf
> ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
> ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
>
>
> Diff: https://reviews.apache.org/r/63937/diff/2/
>
>
> Testing
> -------
>
> **TESTING:**
>
> |||||||||||||||||||||||||| Ambari 2.5, HDP 2.5 before upgrade: ||||||||||||||||||||||||||
>
>
> {code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
> <property>
> <name>hive.llap.daemon.keytab.file</name>
> <value>/etc/security/keytabs/hive.service.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.daemon.service.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.keytab.file</name>
> <value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
> {code}
>
>
> |||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
>
>
> **Logs: Ambari Server Upgrade**
>
> [root@swap-qqq-1 ~]# ambari-server upgrade
> Using python /usr/bin/python
> Upgrading ambari-server
> INFO: Upgrade Ambari Server
> INFO: Updating Ambari Server properties in ambari.properties ...
> INFO: Updating Ambari Server properties in ambari-env.sh ...
> WARNING: Original file ambari-env.sh kept
> INFO: Fixing database objects owner
> Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
> INFO: Upgrading database schema
> INFO: Return code from schema upgrade command, retcode = 0
> INFO: Schema upgrade completed
> Adjusting ambari-server permissions and ownership...
> Ambari Server 'upgrade' completed successfully.
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]# ambari-server --version
> 2.6.0.0-267
> [root@swap-qqq-1 ~]#
>
>
> **Logs : Updating Kerberos descriptors**
>
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:675 - Updating YARN's HSI Kerberos Descriptor ....
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:687 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:707 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:715 - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:723 - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:725 - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:727 - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:729 - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:733 - Updated 'yarnKerberosDescUpdatedList' = [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
>
> **Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
>
> 18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
>
>
> **From UI**:
>
> Changed hive.llap.zk.sm.keytab.file :
> https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
>
> HSI up :
> https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
>
>
> ------------------------------------
>
>
> UT test runs for Ambari 2.6 and HDP 2.6 (which includes **llap_zk_hive** and **llap_task_hive**):
>
>
> **UpgradeCatalog260Test::testUpdateKerberosDescriptorArtifact()**
>
> 2017-11-20 13:09:45,366 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185365' and configType 'ranger-kms-audit' to cluster 'cl1'
> 2017-11-20 13:09:45,367 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(595)) - cluster 'cl1' changed by: 'ambari-upgrade'; type='ranger-kms-audit' tag='version2' from='version1'
> 2017-11-20 13:09:45,367 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(675)) - Updating YARN's HSI Kerberos Descriptor ....
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(687)) - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive]
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_task_hive
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
>
>
> **UpgradeCatalog260Test::testUpdateHiveConfigs()**
>
> (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185535' and configType 'hive-interactive-site' to cluster 'null'
> 2017-11-20 13:09:45,536 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:updateHiveConfigs(778)) - Updated HSI config(s) : [hive.llap.task.keytab.file, hive.llap.zk.sm.keytab.file] with values = [/etc/security/keytabs/hive.service.keytab, /etc/security/keytabs/hive.service.keytab]
>
>
> Thanks,
>
> Swapan Shridhar
>
>
Re: Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 :
Update
NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
Posted by Swapan Shridhar <ss...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/
-----------------------------------------------------------
(Updated Nov. 21, 2017, 7:28 a.m.)
Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
Bugs: AMBARI-22472
https://issues.apache.org/jira/browse/AMBARI-22472
Repository: ambari
Description
-------
**Background:**
YARN NodeManager currently has:
- 2 identities in 2.5 stack, namely : **'/HIVE/HIVE_SERVER/hive_server_hive'** and **'llap_zk_hive'**.
-- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
-- **llap_zk_hive** creates same principal as above in a separate keytab file.
- and 3 identities in 2.6 stack:
*'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
-- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
-- **llap_zk_hive** and **llap_task_hive** creates same principal as above in a separate keytab file.
**Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
**Fix:**
**For HDP 2.5:** Make **llap_zk_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
**For HDP 2.6:** Make **llap_zk_hive** and **llap_task_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json af6bda6
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json e0417bf
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
Diff: https://reviews.apache.org/r/63937/diff/2/
Testing (updated)
-------
**TESTING:**
|||||||||||||||||||||||||| Ambari 2.5, HDP 2.5 before upgrade: ||||||||||||||||||||||||||
{code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
<property>
<name>hive.llap.daemon.keytab.file</name>
<value>/etc/security/keytabs/hive.service.keytab</value>
</property>
<property>
<name>hive.llap.daemon.service.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hive.llap.zk.sm.keytab.file</name>
<value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
</property>
<property>
<name>hive.llap.zk.sm.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
{code}
|||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
**Logs: Ambari Server Upgrade**
[root@swap-qqq-1 ~]# ambari-server upgrade
Using python /usr/bin/python
Upgrading ambari-server
INFO: Upgrade Ambari Server
INFO: Updating Ambari Server properties in ambari.properties ...
INFO: Updating Ambari Server properties in ambari-env.sh ...
WARNING: Original file ambari-env.sh kept
INFO: Fixing database objects owner
Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
INFO: Upgrading database schema
INFO: Return code from schema upgrade command, retcode = 0
INFO: Schema upgrade completed
Adjusting ambari-server permissions and ownership...
Ambari Server 'upgrade' completed successfully.
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]# ambari-server --version
2.6.0.0-267
[root@swap-qqq-1 ~]#
**Logs : Updating Kerberos descriptors**
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:675 - Updating YARN's HSI Kerberos Descriptor ....
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:687 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:707 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:715 - Updated 'llap_zk_hive' principal descriptor value = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor file = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:723 - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:725 - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:727 - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:729 - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:733 - Updated 'yarnKerberosDescUpdatedList' = [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
**Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
**From UI**:
Changed hive.llap.zk.sm.keytab.file :
https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
HSI up :
https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
------------------------------------
UT test runs for Ambari 2.6 and HDP 2.6 (which includes **llap_zk_hive** and **llap_task_hive**):
**UpgradeCatalog260Test::testUpdateKerberosDescriptorArtifact()**
2017-11-20 13:09:45,366 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185365' and configType 'ranger-kms-audit' to cluster 'cl1'
2017-11-20 13:09:45,367 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(595)) - cluster 'cl1' changed by: 'ambari-upgrade'; type='ranger-kms-audit' tag='version2' from='version1'
2017-11-20 13:09:45,367 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(675)) - Updating YARN's HSI Kerberos Descriptor ....
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(687)) - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive]
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_task_hive
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
**UpgradeCatalog260Test::testUpdateHiveConfigs()**
(AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185535' and configType 'hive-interactive-site' to cluster 'null'
2017-11-20 13:09:45,536 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:updateHiveConfigs(778)) - Updated HSI config(s) : [hive.llap.task.keytab.file, hive.llap.zk.sm.keytab.file] with values = [/etc/security/keytabs/hive.service.keytab, /etc/security/keytabs/hive.service.keytab]
Thanks,
Swapan Shridhar
Re: Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 :
Update
NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
Posted by Swapan Shridhar <ss...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/
-----------------------------------------------------------
(Updated Nov. 21, 2017, 7:25 a.m.)
Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
Changes
-------
- Updated the kerberos descriptor filed as null instead of "", wherever applicable.
- Added code path for "llap_zk_hive", which is there in HDP 2.6.
- Added files HDP/2.5/services/YARN/kerberos.json and HDP/2.6/services/YARN/kerberos.json for "llap_zk_hive" and "llap_task_hive" changes.
Summary (updated)
-----------------
AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 : Update NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use '/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same identity again.
Bugs: AMBARI-22472
https://issues.apache.org/jira/browse/AMBARI-22472
Repository: ambari
Description (updated)
-------
**Background:**
YARN NodeManager currently has:
- 2 identities in 2.5 stack, namely : **'/HIVE/HIVE_SERVER/hive_server_hive'** and **'llap_zk_hive'**.
-- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
-- **llap_zk_hive** creates same principal as above in a separate keytab file.
- and 3 identities in 2.6 stack:
*'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
-- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
-- **llap_zk_hive** and **llap_task_hive** creates same principal as above in a separate keytab file.
**Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
**Fix:**
**For HDP 2.5:** Make **llap_zk_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
**For HDP 2.6:** Make **llap_zk_hive** and **llap_task_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
Diffs (updated)
-----
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json af6bda6
ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json e0417bf
ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
Diff: https://reviews.apache.org/r/63937/diff/2/
Changes: https://reviews.apache.org/r/63937/diff/1-2/
Testing (updated)
-------
**TESTING:**
|||||||||||||||||||||||||| Ambari 2.5, HDP 2.5 before upgrade: ||||||||||||||||||||||||||
{code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
<property>
<name>hive.llap.daemon.keytab.file</name>
<value>/etc/security/keytabs/hive.service.keytab</value>
</property>
<property>
<name>hive.llap.daemon.service.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
<property>
<name>hive.llap.zk.sm.keytab.file</name>
<value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
</property>
<property>
<name>hive.llap.zk.sm.principal</name>
<value>hive/_HOST@EXAMPLE.COM</value>
</property>
{code}
|||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
**Logs: Ambari Server Upgrade**
[root@swap-qqq-1 ~]# ambari-server upgrade
Using python /usr/bin/python
Upgrading ambari-server
INFO: Upgrade Ambari Server
INFO: Updating Ambari Server properties in ambari.properties ...
INFO: Updating Ambari Server properties in ambari-env.sh ...
WARNING: Original file ambari-env.sh kept
INFO: Fixing database objects owner
Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
INFO: Upgrading database schema
INFO: Return code from schema upgrade command, retcode = 0
INFO: Schema upgrade completed
Adjusting ambari-server permissions and ownership...
Ambari Server 'upgrade' completed successfully.
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]#
[root@swap-qqq-1 ~]# ambari-server --version
2.6.0.0-267
[root@swap-qqq-1 ~]#
**Logs : Updating Kerberos descriptors**
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:675 - Updating YARN's HSI Kerberos Descriptor ....
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:687 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:707 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:715 - Updated 'llap_zk_hive' principal descriptor value = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor file = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:723 - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:725 - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:727 - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:729 - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:733 - Updated 'yarnKerberosDescUpdatedList' = [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
**Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
**From UI**:
Changed hive.llap.zk.sm.keytab.file :
https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
HSI up :
https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
------------------------------------
UT test runs for Ambari 2.6 and HDP 2.6 (which includes **llap_zk_hive** and **llap_task_hive**):
**UpgradeCatalog260Test::testUpdateKerberosDescriptorArtifact()**
2017-11-20 13:09:45,366 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185365' and configType 'ranger-kms-audit' to cluster 'cl1'
2017-11-20 13:09:45,367 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(595)) - cluster 'cl1' changed by: 'ambari-upgrade'; type='ranger-kms-audit' tag='version2' from='version1'
2017-11-20 13:09:45,367 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(675)) - Updating YARN's HSI Kerberos Descriptor ....
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(687)) - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive]
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_task_hive
2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive, llap_task_hive]
**UpgradeCatalog260Test::testUpdateHiveConfigs()**
(AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185535' and configType 'hive-interactive-site' to cluster 'null'
2017-11-20 13:09:45,536 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:updateHiveConfigs(778)) - Updated HSI config(s) : [hive.llap.task.keytab.file, hive.llap.zk.sm.keytab.file] with values = [/etc/security/keytabs/hive.service.keytab, /etc/security/keytabs/hive.service.keytab]
Thanks,
Swapan Shridhar
Re: Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 :
Update
NodeManager's HSI identity 'llap_zk_hive' and 'llap_task_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
Posted by Swapan Shridhar <ss...@hortonworks.com>.
> On Nov. 18, 2017, 12:11 p.m., Robert Levas wrote:
> > Shouldn't there be at least one updated kerberos.json file?
Missed on adding them.
- Added files HDP/2.5/services/YARN/kerberos.json and HDP/2.6/services/YARN/kerberos.json for "llap_zk_hive" and "llap_task_hive" changes.
> On Nov. 18, 2017, 12:11 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
> > Lines 711 (patched)
> > <https://reviews.apache.org/r/63937/diff/1/?file=1897371#file1897371line711>
> >
> > I suspect that this should be set to `null` rather than an empty string. But if it works, I am ok with it.
This worked for me, but nonetheless null makes more sense. Updated the code with using null.
> On Nov. 18, 2017, 12:11 p.m., Robert Levas wrote:
> > ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
> > Lines 716 (patched)
> > <https://reviews.apache.org/r/63937/diff/1/?file=1897371#file1897371line716>
> >
> > I suspect that this should be set to `null` rather than an empty string. But if it works, I am ok with it.
This worked for me, but nonetheless null makes more sense. Updated the code with using null.
- Swapan
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/#review191443
-----------------------------------------------------------
On Nov. 21, 2017, 7:25 a.m., Swapan Shridhar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63937/
> -----------------------------------------------------------
>
> (Updated Nov. 21, 2017, 7:25 a.m.)
>
>
> Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
>
>
> Bugs: AMBARI-22472
> https://issues.apache.org/jira/browse/AMBARI-22472
>
>
> Repository: ambari
>
>
> Description
> -------
>
> **Background:**
> YARN NodeManager currently has:
>
> - 2 identities in 2.5 stack, namely : **'/HIVE/HIVE_SERVER/hive_server_hive'** and **'llap_zk_hive'**.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** creates same principal as above in a separate keytab file.
>
> - and 3 identities in 2.6 stack:
> *'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
> -- **/HIVE/HIVE_SERVER/hive_server_hive** is a reference from HIVE_SERVER, whereas
> -- **llap_zk_hive** and **llap_task_hive** creates same principal as above in a separate keytab file.
>
> **Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
>
> **Fix:**
>
> **For HDP 2.5:** Make **llap_zk_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
>
> **For HDP 2.6:** Make **llap_zk_hive** and **llap_task_hive** point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
> ambari-server/src/main/resources/stacks/HDP/2.5/services/YARN/kerberos.json af6bda6
> ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json e0417bf
> ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
> ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
>
>
> Diff: https://reviews.apache.org/r/63937/diff/2/
>
>
> Testing
> -------
>
> **TESTING:**
>
> |||||||||||||||||||||||||| Ambari 2.5, HDP 2.5 before upgrade: ||||||||||||||||||||||||||
>
>
> {code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
> <property>
> <name>hive.llap.daemon.keytab.file</name>
> <value>/etc/security/keytabs/hive.service.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.daemon.service.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.keytab.file</name>
> <value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
> {code}
>
>
> |||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
>
>
> **Logs: Ambari Server Upgrade**
>
> [root@swap-qqq-1 ~]# ambari-server upgrade
> Using python /usr/bin/python
> Upgrading ambari-server
> INFO: Upgrade Ambari Server
> INFO: Updating Ambari Server properties in ambari.properties ...
> INFO: Updating Ambari Server properties in ambari-env.sh ...
> WARNING: Original file ambari-env.sh kept
> INFO: Fixing database objects owner
> Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
> INFO: Upgrading database schema
> INFO: Return code from schema upgrade command, retcode = 0
> INFO: Schema upgrade completed
> Adjusting ambari-server permissions and ownership...
> Ambari Server 'upgrade' completed successfully.
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]# ambari-server --version
> 2.6.0.0-267
> [root@swap-qqq-1 ~]#
>
>
> **Logs : Updating Kerberos descriptors**
>
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:675 - Updating YARN's HSI Kerberos Descriptor ....
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:687 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
> 21 Nov 2017 01:01:20,438 INFO [main] UpgradeCatalog260:707 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:715 - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:723 - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:725 - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:727 - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:729 - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 21 Nov 2017 01:01:20,439 INFO [main] UpgradeCatalog260:733 - Updated 'yarnKerberosDescUpdatedList' = [hive.llap.zk.sm.keytab.file, hive.llap.task.keytab.file]
>
> **Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
>
> 18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
>
>
> **From UI**:
>
> Changed hive.llap.zk.sm.keytab.file :
> https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
>
> HSI up :
> https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
>
>
> ------------------------------------
>
>
> UT test runs for Ambari 2.6 and HDP 2.6 (which includes **llap_zk_hive** and **llap_task_hive**):
>
>
> **UpgradeCatalog260Test::testUpdateKerberosDescriptorArtifact()**
>
> 2017-11-20 13:09:45,366 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185365' and configType 'ranger-kms-audit' to cluster 'cl1'
> 2017-11-20 13:09:45,367 INFO [main] upgrade.AbstractUpgradeCatalog (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(595)) - cluster 'cl1' changed by: 'ambari-upgrade'; type='ranger-kms-audit' tag='version2' from='version1'
> 2017-11-20 13:09:45,367 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(675)) - Updating YARN's HSI Kerberos Descriptor ....
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(687)) - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 2017-11-20 13:09:45,368 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive]
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(707)) - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_task_hive
> 2017-11-20 13:09:45,369 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(712)) - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(715)) - Updated 'llap_zk_hive' principal descriptor value = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(720)) - Updated 'llap_zk_hive' keytab descriptor file = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(723)) - Updated 'llap_zk_hive' keytab descriptor owner name = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(725)) - Updated 'llap_zk_hive' keytab descriptor owner access = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(727)) - Updated 'llap_zk_hive' keytab descriptor group name = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(729)) - Updated 'llap_zk_hive' keytab descriptor group access = 'null'
> 2017-11-20 13:09:45,370 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:fixYarnHsiKerberosDescriptorAndSiteConfig(733)) - Updated 'yarnKerberosDescUpdatedList' = [llap_zk_hive, llap_task_hive]
>
>
> **UpgradeCatalog260Test::testUpdateHiveConfigs()**
>
> (AbstractUpgradeCatalog.java:updateConfigurationPropertiesForCluster(573)) - Applying configuration with tag 'version1511212185535' and configType 'hive-interactive-site' to cluster 'null'
> 2017-11-20 13:09:45,536 INFO [main] upgrade.UpgradeCatalog260 (UpgradeCatalog260.java:updateHiveConfigs(778)) - Updated HSI config(s) : [hive.llap.task.keytab.file, hive.llap.zk.sm.keytab.file] with values = [/etc/security/keytabs/hive.service.keytab, /etc/security/keytabs/hive.service.keytab]
>
>
> Thanks,
>
> Swapan Shridhar
>
>
Re: Review Request 63937: AMBARI-22472. Ambari Upgrade 2.5 -> 2.6 :
Update NodeManager's HSI identity 'llap_zk_hive' to use
'/HIVE/HIVE_SERVER/hive_server_hive' reference instead of creating the same
identity again.
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/63937/#review191443
-----------------------------------------------------------
Shouldn't there be at least one updated kerberos.json file?
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
Lines 711 (patched)
<https://reviews.apache.org/r/63937/#comment269257>
I suspect that this should be set to `null` rather than an empty string. But if it works, I am ok with it.
ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java
Lines 716 (patched)
<https://reviews.apache.org/r/63937/#comment269258>
I suspect that this should be set to `null` rather than an empty string. But if it works, I am ok with it.
- Robert Levas
On Nov. 18, 2017, 2:56 a.m., Swapan Shridhar wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/63937/
> -----------------------------------------------------------
>
> (Updated Nov. 18, 2017, 2:56 a.m.)
>
>
> Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas.
>
>
> Bugs: AMBARI-22472
> https://issues.apache.org/jira/browse/AMBARI-22472
>
>
> Repository: ambari
>
>
> Description
> -------
>
> **Background:**
> YARN NodeManager currently have 2 identities in 2.5 and 2.6 stack, namely : *'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*.
> - */HIVE/HIVE_SERVER/hive_server_hive* is a reference from HIVE_SERVER, whereas
> - *llap_zk_hive* creates same principal as above in a separate keytab file.
>
> **Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up.
>
> **Fix:** Make * llap_zk_hive* also point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807
> ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5
> ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121
>
>
> Diff: https://reviews.apache.org/r/63937/diff/1/
>
>
> Testing
> -------
>
> **TESTING:**
>
> |||||||||||||||||||||||||| Ambari 2.5, before upgrade: ||||||||||||||||||||||||||
>
>
> {code:title=From /etc/hive2/cong/conf.server/hive-site.xml}
> <property>
> <name>hive.llap.daemon.keytab.file</name>
> <value>/etc/security/keytabs/hive.service.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.daemon.service.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.keytab.file</name>
> <value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value>
> </property>
>
> <property>
> <name>hive.llap.zk.sm.principal</name>
> <value>hive/_HOST@EXAMPLE.COM</value>
> </property>
> {code}
>
>
> |||||||||||||||||||||||||| Upgrade to Ambari-2.6 ||||||||||||||||||||||||||
>
>
> **Logs: Ambari Server Upgrade**
>
> [root@swap-qqq-1 ~]# ambari-server upgrade
> Using python /usr/bin/python
> Upgrading ambari-server
> INFO: Upgrade Ambari Server
> INFO: Updating Ambari Server properties in ambari.properties ...
> INFO: Updating Ambari Server properties in ambari-env.sh ...
> WARNING: Original file ambari-env.sh kept
> INFO: Fixing database objects owner
> Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y
> INFO: Upgrading database schema
> INFO: Return code from schema upgrade command, retcode = 0
> INFO: Schema upgrade completed
> Adjusting ambari-server permissions and ownership...
> Ambari Server 'upgrade' completed successfully.
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]#
> [root@swap-qqq-1 ~]# ambari-server --version
> 2.6.0.0-267
> [root@swap-qqq-1 ~]#
>
>
> **Logs : Updating Kerberos descriptors**
>
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:673 - Updating YARN's HSI Kerberos Descriptor ....
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:685 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:700 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:709 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive'
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' principal descriptor value = ''
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:717 - Updated 'llap_zk_hive' keytab descriptor file = ''
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor owner name = ''
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:722 - Updated 'llap_zk_hive' keytab descriptor owner access = ''
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:724 - Updated 'llap_zk_hive' keytab descriptor group name = ''
> 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:726 - Updated 'llap_zk_hive' keytab descriptor group access = ''
> 18 Nov 2017 07:25:54,004 INFO [main] UpgradeCatalog260:730 - Updated 'isYarnKerberosDescUpdated' = true
>
>
> **Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'**
>
> 18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab
>
>
> **From UI**:
>
> Changed hive.llap.zk.sm.keytab.file :
> https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png
>
> HSI up :
> https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png
>
>
> Thanks,
>
> Swapan Shridhar
>
>