> On Dec. 29, 2014, 9:15 p.m., Jaimin Jetly wrote:
> > ambari-server/src/main/resources/stacks/HDP/2.2/services/OOZIE/kerberos.json, lines 18-27
> > <https://reviews.apache.org/r/29459/diff/1/?file=802481#file802481line18>
> >
> > hadoop.security.auth_to_local property in core-site.xml should also have mapping for oozie server if oozie is an installed service. This translates to having local_username for oozie server principal.
> >
> > Same stands for falcon.
>
> Robert Levas wrote:
> This would be a Kerberos descriptor issue after this patch is applied. Do you want this patch to contain the descriptor updates for that?

I just wanted to bring it to attention. We can address it separately in another task. In that case please create an Apache Ambari Jira to keep track of this issue.

- Jaimin

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29459/#review66301
-----------------------------------------------------------

On Dec. 29, 2014, 4:30 p.m., Robert Levas wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/29459/
> -----------------------------------------------------------
>
> (Updated Dec. 29, 2014, 4:30 p.m.)
>
>
> Review request for Ambari, John Speidel, Robert Nettleton, and Yusaku Sako.
>
>
> Bugs: AMBARI-8935
> https://issues.apache.org/jira/browse/AMBARI-8935
>
>
> Repository: ambari
>
>
> Description
> -------
>
> JobHistoryServer Fails to pass service check in Kerberized cluster due to kerberos to local account mapping failure
>
> ```
> org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=jhs, access=READ_EXECUTE, inode="/mr-history/done/2014":mapred:hadoop:drwxrwx---
> ```
>
> `core-site` `auth_to_local` fails to map `jhs/_HOST` to `mapred` user.
>
> The solution is to dynamically create auth_to_local configuration based on kerberos descriptors.
>
>
> Diffs
> -----
>
> ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java PRE-CREATION
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java 562ce9e
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptor.java 70bd396
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/kerberos.json 4b6213e
> ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/kerberos.json 52c7d37
> ambari-server/src/main/resources/stacks/HDP/2.2/services/OOZIE/kerberos.json 9cb24ca
> ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json 7677a7a
> ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java PRE-CREATION
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptorTest.java a35bad3
> ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json 64c7a8c
> ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json 7271b36
>
> Diff: https://reviews.apache.org/r/29459/diff/
>
>
> Testing
> -------
>
> Manually tested on test cluster - JobHistoryServer sometimes fails the service check, but appears to be unrelated to the auth_to_local mapping issue.
>
> Added new test case: `org.apache.ambari.server.controller.AuthToLocalBuilderTest`
> Updated existing test case: `org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptorTest`
>
> Waiting for Jenkins server for test results - issues with rat check in trunk not related to this patch.
>
> Ran tests locally.
>
> Running org.apache.ambari.server.controller.AuthToLocalBuilderTest
> Tests run: 1, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.066 sec
>
> Running org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptorTest
> Tests run: 5, Failures: 0, Errors: 0, Skipped: 0, Time elapsed: 0.141 sec
>
> Ambari Server test results
> Tests run: 2469, Failures: 0, Errors: 0, Skipped: 13
>
>
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 28:17.957s
> [INFO] Finished at: Mon Dec 29 11:27:34 EST 2014
> [INFO] Final Memory: 40M/568M
> [INFO] ------------------------------------------------------------------------
>
>
> Thanks,
>
> Robert Levas
>
>
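
How an `auth_to_local` rule list resolves the `jhs/_HOST` principal from the description, as an added example that is not part of the review request or Ambari's code: a small Python evaluator for Hadoop's `RULE:[n:format](regex)s/from/to/` syntax plus a builder that emits one rule per principal. The realm `EXAMPLE.COM`, the host names, the `(principal, local_username)` pair format and the function names are assumptions.

```python
import re

# Hadoop auth_to_local rule syntax: RULE:[n:format](match)s/from/to/ or DEFAULT
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/([^/]*)/([^/]*)/(g)?)?")

def build_rules(principals, realm):
    """Emit one rule per (principal, local_username) pair, then DEFAULT."""
    rules = []
    for principal, local_user in principals:
        parts = principal.split("@")[0].split("/")
        rules.append("RULE:[%d:$1@$0](%s@%s)s/.*/%s/" % (
            len(parts), re.escape(parts[0]), re.escape(realm), local_user))
    return rules + ["DEFAULT"]

def short_name(principal, rules, default_realm):
    """Return the local account the first matching rule maps principal to."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    params = [realm] + parts                  # $0 = realm, $1.. = components
    for rule in rules:
        if rule == "DEFAULT":                 # first component, own realm only
            if realm == default_realm:
                return parts[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if m is None:
            raise ValueError("malformed rule: " + rule)
        n, fmt, match, frm, to, glob = m.groups()
        if int(n) != len(parts):              # rule applies to n-component names
            continue
        base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
        if match is not None and not re.fullmatch(match, base):
            continue
        if frm is None:
            return base
        return re.sub(frm, to, base, count=0 if glob else 1)
    raise LookupError("no auth_to_local rule matches " + principal)

# Constructed sample: descriptor-style (principal, local_username) pairs.
SAMPLE = [("jhs/_HOST", "mapred"), ("nn/_HOST", "hdfs")]
JHS = "jhs/host1.example.com@EXAMPLE.COM"

if __name__ == "__main__":
    rules = build_rules(SAMPLE, "EXAMPLE.COM")
    print("\n".join(rules))
    print(short_name(JHS, ["DEFAULT"], "EXAMPLE.COM"), "->",
          short_name(JHS, rules, "EXAMPLE.COM"))
```

With only `DEFAULT`, the principal resolves to `jhs`, the user named in the `Permission denied` error; with the generated rules it resolves to `mapred`. A `jhs` principal from any other realm matches no rule and is rejected rather than mapped.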
