----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/35970/#review89621 -----------------------------------------------------------
Ship it! Ship It! - Tom Beerbower On June 27, 2015, 11:14 a.m., Robert Levas wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/35970/ > ----------------------------------------------------------- > > (Updated June 27, 2015, 11:14 a.m.) > > > Review request for Ambari, Emil Anca, Mahadev Konar, Sumit Mohanty, and Tom > Beerbower. > > > Bugs: AMBARI-12180 > https://issues.apache.org/jira/browse/AMBARI-12180 > > > Repository: ambari > > > Description > ------- > > In a cluster where AMS is installed but HDFS is _not_ installed, enabling > Kerberos fails due to the inability for the server-side Kerberos logic to > replace ${hadoop-env/hdfs_user} when generating the metadata used to create > principals and distribute keytab files. > > This condition yields the following principal (when the cluster name is > AMSNOHDFS and the realm is EXAMPLE.COM) > ``` > ${hadoop-env/hdfs_user}[email protected] > ``` > > This is successfully created in the (MIT) KDC. Also, the relative keytab file > appears to have been successfully created as well. > > However, when distributing the keytab file and setting the ownership > attributes, the agent-side script fails with > ``` > Traceback (most recent call last): > File > "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", > line 77, in <module> > KerberosClient().execute() > File > "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", > line 216, in execute > method(env) > File > "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_client.py", > line 67, in set_keytab > self.write_keytab_file() > File > "/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/kerberos_common.py", > line 397, in write_keytab_file > group=group) > File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", > line 157, in __init__ > self.env.run() > File > "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", > line 152, in run > self.run_action(resource, action) > File > "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", > line 118, in run_action > provider_action() > File > "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", > line 108, in action_create > self.resource.group, mode=self.resource.mode, > cd_access=self.resource.cd_access) > File > "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", > line 44, in _ensure_metadata > _user_entity = pwd.getpwnam(user) > KeyError: 'getpwnam(): name not found: ${hadoop-env/hdfs_user}' > ``` > > #Solution: > Remove the HDFS identity reference in AMS and assume the hdfs keytab file > will be on the appropriate host(s) when HDFS is installed > > > Diffs > ----- > > > ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/kerberos.json > 6010b2f > > Diff: https://reviews.apache.org/r/35970/diff/ > > > Testing > ------- > > Manually tested in cluster with Zookeeper and AMS, not HDFS > > #Local tests results: > [INFO] > ------------------------------------------------------------------------ > [INFO] BUILD SUCCESS > [INFO] > ------------------------------------------------------------------------ > [INFO] Total time: 46:29.766s > [INFO] Finished at: Fri Jun 26 22:23:21 EDT 2015 > [INFO] Final Memory: 65M/1251M > [INFO] > ------------------------------------------------------------------------ > > #Jenkins test results: PENDING > > > Thanks, > > Robert Levas > >
