----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/29459/#review66301 -----------------------------------------------------------
ambari-server/src/main/resources/stacks/HDP/2.2/services/OOZIE/kerberos.json <https://reviews.apache.org/r/29459/#comment109695> hadoop.security.auth_to_local property in core-site.xml should also have mapping for oozie server if oozie is an installed service. This translates to having local_username for oozie server principal. Same stands for falcon. - Jaimin Jetly On Dec. 29, 2014, 4:30 p.m., Robert Levas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/29459/ > ----------------------------------------------------------- > > (Updated Dec. 29, 2014, 4:30 p.m.) > > > Review request for Ambari, John Speidel, Robert Nettleton, and Yusaku Sako. > > > Bugs: AMBARI-8935 > https://issues.apache.org/jira/browse/AMBARI-8935 > > > Repository: ambari > > > Description > ------- > > JobHistoryServer Fails to pass service check in Kerberized cluster due to > kerberos to local account mapping failure > > ``` > org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): > Permission denied: user=jhs, access=READ_EXECUTE, > inode="/mr-history/done/2014":mapred:hadoop:drwxrwx--- > ``` > > `core-site` `auth_to_local` fails to map `jhs/_HOST` to `mapred` user. > > The solution is to dynamically create auth_to_local configuration based on > kerberos descriptors. > > > Diffs > ----- > > > ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java > PRE-CREATION > > ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java > 562ce9e > > ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptor.java > 70bd396 > > ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/kerberos.json > 4b6213e > ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/kerberos.json > 52c7d37 > > ambari-server/src/main/resources/stacks/HDP/2.2/services/OOZIE/kerberos.json > 9cb24ca > ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json > 7677a7a > > ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java > PRE-CREATION > > ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptorTest.java > a35bad3 > ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json 64c7a8c > > ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json > 7271b36 > > Diff: https://reviews.apache.org/r/29459/diff/ > > > Testing > ------- > > Manually tested on test cluster - JobHistoryServer sometimes fails the > service check, but appears to be unrelated to the auth_to_local mapping issue. > > Added new test case: > `org.apache.ambari.server.controller.AuthToLocalBuilderTest` > Updated existing test case: > `org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptorTest` > > Waiting for Jenkins server for test results - issues with rat check in truck > not related to this patch. > > Ran tests locally. > > Running org.apache.ambari.server.controller.AuthToLocalBuilderTest > Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.066 sec > > Running > org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptorTest > Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.141 sec > > Ambari Server test results > Tests run: 2469, Failures: 0, Errors: 0, Skipped: 13 > > > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD SUCCESS > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 28:17.957s > [INFO] Finished at: Mon Dec 29 11:27:34 EST 2014 > [INFO] Final Memory: 40M/568M > [INFO] > ------------------------------------------------------------------------ > > > Thanks, > > Robert Levas > >
