You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ambari.apache.org by Robert Levas <rl...@hortonworks.com> on 2015/03/04 20:20:09 UTC
Review Request 31738: Kerberos: Add Host did not generate keytabs
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31738/
-----------------------------------------------------------
Review request for Ambari, Emil Anca, Eugene Chekanskiy, John Speidel, and Robert Nettleton.
Bugs: AMBARI-9917
https://issues.apache.org/jira/browse/AMBARI-9917
Repository: ambari
Description
-------
1) using build 440
2) three node cluster, hdfs, yarn, mr, tez, hive, zk, pig, ams
3) setup nnha, rmha
4) enabled kerb
5) all is good
6) added second hive metastore
7) added second hiveserver2
8) all is good
9) added host with DN and clients
10) keytabs are not created on the new host. i was not prompted for kdc creds. basically, i did 1-9 all in one shot, never logging out.
As a workaround 1:
- Attempted to regen keytabs, with "missing only" checkbox checked. it looks like it remade all principals and keytabs for the cluster but didn't distribute the keytabs. That is concerning that this might be an additional issue for another JIRA maybe. Anycase: didn't result in getting keytabs on my new host.
As a workaround 2:
- Attempted regen keytabs all. Made all princs and keytabs and distributed for cluster hosts except my new host. So no lock here either.
# Solution
Force the Kerberos logic to not prune out hosts that _will_ have the Kerberos Client installed and in the approperiate state to receive requests. This scenarion only occurs when a new host is being added and the components (including the KERBEROS_CLIENT) are being mass installed and initialized.
Diffs
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ac91377
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java c4a5f4f
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 8e1c0e8
Diff: https://reviews.apache.org/r/31738/diff/
Testing
-------
Manually tested in test cluster verifying the following scenarios all work:
- adding hosts, adding services (in varioius orders)
- bringing a host up after being down before enabling Kerberos
-- regenerating keytabs before _fixing_ the Kerberos client
-- regenerating missing keytabs before _fixing_ the Kerberos client
-- regenerating keytabs after _fixing_ the Kerberos client
-- regenerating missing keytabs after _fixing_ the Kerberos client
# Local unit tests: PASSED
#Jenkins test results: PENDING (issues with Jenkins build)
Thanks,
Robert Levas
Re: Review Request 31738: Kerberos: Add Host did not generate keytabs
Posted by Robert Nettleton <rn...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31738/#review75225
-----------------------------------------------------------
Ship it!
Ship It!
- Robert Nettleton
On March 4, 2015, 7:26 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/31738/
> -----------------------------------------------------------
>
> (Updated March 4, 2015, 7:26 p.m.)
>
>
> Review request for Ambari, Emil Anca, Eugene Chekanskiy, John Speidel, and Robert Nettleton.
>
>
> Bugs: AMBARI-9917
> https://issues.apache.org/jira/browse/AMBARI-9917
>
>
> Repository: ambari
>
>
> Description
> -------
>
> 1) using build 440
> 2) three node cluster, hdfs, yarn, mr, tez, hive, zk, pig, ams
> 3) setup nnha, rmha
> 4) enabled kerb
> 5) all is good
> 6) added second hive metastore
> 7) added second hiveserver2
> 8) all is good
> 9) added host with DN and clients
> 10) keytabs are not created on the new host. i was not prompted for kdc creds. basically, i did 1-9 all in one shot, never logging out.
>
> As a workaround 1:
> - Attempted to regen keytabs, with "missing only" checkbox checked. it looks like it remade all principals and keytabs for the cluster but didn't distribute the keytabs. That is concerning that this might be an additional issue for another JIRA maybe. Anycase: didn't result in getting keytabs on my new host.
>
> As a workaround 2:
> - Attempted regen keytabs all. Made all princs and keytabs and distributed for cluster hosts except my new host. So no lock here either.
>
> # Solution
> Force the Kerberos logic to not prune out hosts that _will_ have the Kerberos Client installed and in the approperiate state to receive requests. This scenarion only occurs when a new host is being added and the components (including the KERBEROS_CLIENT) are being mass installed and initialized.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ac91377
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java c4a5f4f
> ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 8e1c0e8
>
> Diff: https://reviews.apache.org/r/31738/diff/
>
>
> Testing
> -------
>
> Manually tested in test cluster verifying the following scenarios all work:
> - adding hosts, adding services (in varioius orders)
> - bringing a host up after being down before enabling Kerberos
> -- regenerating keytabs before _fixing_ the Kerberos client
> -- regenerating missing keytabs before _fixing_ the Kerberos client
> -- regenerating keytabs after _fixing_ the Kerberos client
> -- regenerating missing keytabs after _fixing_ the Kerberos client
>
>
> # Local unit tests: PASSED
>
> #Jenkins test results: PENDING (issues with Jenkins build)
>
>
> Thanks,
>
> Robert Levas
>
>
Re: Review Request 31738: Kerberos: Add Host did not generate keytabs
Posted by Robert Levas <rl...@hortonworks.com>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/31738/
-----------------------------------------------------------
(Updated March 4, 2015, 2:26 p.m.)
Review request for Ambari, Emil Anca, Eugene Chekanskiy, John Speidel, and Robert Nettleton.
Bugs: AMBARI-9917
https://issues.apache.org/jira/browse/AMBARI-9917
Repository: ambari
Description
-------
1) using build 440
2) three node cluster, hdfs, yarn, mr, tez, hive, zk, pig, ams
3) setup nnha, rmha
4) enabled kerb
5) all is good
6) added second hive metastore
7) added second hiveserver2
8) all is good
9) added host with DN and clients
10) keytabs are not created on the new host. i was not prompted for kdc creds. basically, i did 1-9 all in one shot, never logging out.
As a workaround 1:
- Attempted to regen keytabs, with "missing only" checkbox checked. it looks like it remade all principals and keytabs for the cluster but didn't distribute the keytabs. That is concerning that this might be an additional issue for another JIRA maybe. Anycase: didn't result in getting keytabs on my new host.
As a workaround 2:
- Attempted regen keytabs all. Made all princs and keytabs and distributed for cluster hosts except my new host. So no lock here either.
# Solution
Force the Kerberos logic to not prune out hosts that _will_ have the Kerberos Client installed and in the approperiate state to receive requests. This scenarion only occurs when a new host is being added and the components (including the KERBEROS_CLIENT) are being mass installed and initialized.
Diffs (updated)
-----
ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java ac91377
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java c4a5f4f
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java 8e1c0e8
Diff: https://reviews.apache.org/r/31738/diff/
Testing
-------
Manually tested in test cluster verifying the following scenarios all work:
- adding hosts, adding services (in varioius orders)
- bringing a host up after being down before enabling Kerberos
-- regenerating keytabs before _fixing_ the Kerberos client
-- regenerating missing keytabs before _fixing_ the Kerberos client
-- regenerating keytabs after _fixing_ the Kerberos client
-- regenerating missing keytabs after _fixing_ the Kerberos client
# Local unit tests: PASSED
#Jenkins test results: PENDING (issues with Jenkins build)
Thanks,
Robert Levas