[ https://issues.apache.org/jira/browse/AMBARI-12356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14624797#comment-14624797 ]

Hudson commented on AMBARI-12356:
---------------------------------

SUCCESS: Integrated in Ambari-trunk-Commit #3108 (See [https://builds.apache.org/job/Ambari-trunk-Commit/3108/])
AMBARI-12356. kinit of hdfs Kerberos identity fails when starting added service(s) after upgrade to Ambari 2.1.0 (rlevas) (rlevas: http://git-wip-us.apache.org/repos/asf?p=ambari.git&a=commit&h=8d00616b16b19506a5bd10ba9ed2b5787aae978c)
* ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog210.java
* ambari-server/src/main/java/org/apache/ambari/server/orm/entities/ArtifactEntity.java
* ambari-server/src/main/java/org/apache/ambari/server/orm/dao/ArtifactDAO.java
* ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog210Test.java
* ambari-server/src/main/java/org/apache/ambari/server/controller/internal/ArtifactResourceProvider.java
* ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_simple.json
* ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_no_hdfs.json
* ambari-server/src/test/java/org/apache/ambari/server/controller/internal/ArtifactResourceProviderTest.java


> kinit of hdfs Kerberos identity fails when starting added service(s) after 
> upgrade to Ambari 2.1.0
> --------------------------------------------------------------------------------------------------
>
>                 Key: AMBARI-12356
>                 URL: https://issues.apache.org/jira/browse/AMBARI-12356
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>    Affects Versions: 2.1.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>              Labels: kerberos, upgrade
>             Fix For: 2.1.0
>
>         Attachments: AMBARI-12356_01.patch
>
>
> STR:
> 1. Install old version of Ambari (2.0.1)
> 2. Enable security
> 3. Do Ambari only upgrade to Ambari 2.1.0
> 4. Add some component - HiveServer2 or Oozie server
> 5. Try to start added component
> Actual result:
> Start has failed.
> {code}
> Traceback (most recent call last):
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 182, in <module>
>     HiveServer().execute()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 216, in execute
>     method(env)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 83, in start
>     self.configure(env) # FOR SECURITY
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 54, in configure
>     hive(name='hiveserver2')
>   File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89, in thunk
>     return fn(*args, **kwargs)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/hive.py", line 127, in hive
>     mode=params.webhcat_hdfs_user_mode
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 152, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 118, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 390, in action_create_on_execute
>     self.action_delayed("create")
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 387, in action_delayed
>     self.get_hdfs_resource_executor().action_delayed(action_name, self)
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 236, in action_delayed
>     main_resource.kinit()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 416, in kinit
>     user=user
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 152, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 118, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 254, in action_run
>     tries=self.resource.tries, try_sleep=self.resource.try_sleep)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 70, in inner
>     result = function(command, **kwargs)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 92, in checked_call
>     tries=tries, try_sleep=try_sleep)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 140, in _call_wrapper
>     result = _call(command, **kwargs_copy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 291, in _call
>     raise Fail(err_msg)
> resource_management.core.exceptions.Fail: Execution of '/usr/bin/kinit -kt /etc/security/keytabs/hdfs.headless.keytab [email protected]' returned 1. kinit: Keytab contains no suitable keys for [email protected] while getting initial credentials
> {code}
> Expected results:
> Can start all added components.
> *Cause*
> The Kerberos Descriptor structure changed between Ambari 2.0 and Ambari 2.1.  
> This change moved the "hdfs" Kerberos identity descriptor from the _global_ 
> scope to under the HDFS service. After upgrading from Ambari 2.0 to Ambari 
> 2.1  an additional "hdfs" Kerberos identity descriptor was added with the new 
> principal name pattern - 
> $\{hadoop-env/hdfs_user\}-$\{cluster_name\}@$\{realm\}.  This occurred 
> because the stored Kerberos Descriptor contained the _old_ structure, and 
> when Ambari generated a composite Kerberos Descriptor made up of the Kerberos 
> Descriptor compiled from the relevant stack definition with stored changes 
> applied, that additional "hdfs" Kerberos identity descriptor was added.  
> Because of this, the Kerberos logic became _confused_ and overwrote the 
> existing hdfs keytab file with one that contained the new principal name.
> *Solution*
> While migrating Ambari 2.0 to Ambari 2.1, fix the stored Kerberos Descriptor 
> structure to match the new version's structure.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
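
The cause and solution described in the issue, as an added example that is not Ambari's code or part of the original message: a simplified model of the composite Kerberos Descriptor merge, showing the duplicate "hdfs" identity and how relocating the stored one removes it. The dict layout, the function names and the `hdfs@EXAMPLE.COM` principal are assumptions made for illustration; only the new principal pattern comes from the issue text.

```python
import copy

NEW_PATTERN = "${hadoop-env/hdfs_user}-${cluster_name}@${realm}"  # from the issue text

def _merge(base, updates):
    """Overlay identities onto base, matching by name within one scope."""
    by_name = {i["name"]: i for i in base}
    for ident in updates:
        if ident["name"] in by_name:
            by_name[ident["name"]].update(copy.deepcopy(ident))
        else:
            base.append(copy.deepcopy(ident))

def composite(stack, stored):
    """Stack-defined descriptor with the stored changes applied (simplified)."""
    out = copy.deepcopy(stack)
    _merge(out.setdefault("identities", []), stored.get("identities", []))
    for name, svc in stored.get("services", {}).items():
        target = out.setdefault("services", {}).setdefault(name, {})
        _merge(target.setdefault("identities", []), svc.get("identities", []))
    return out

def hdfs_identities(desc):
    """Return (scope, principal) for every identity named 'hdfs'."""
    found = [("global", i["principal"])
             for i in desc.get("identities", []) if i["name"] == "hdfs"]
    for name, svc in desc.get("services", {}).items():
        found += [(name, i["principal"])
                  for i in svc.get("identities", []) if i["name"] == "hdfs"]
    return found

def migrate_stored(stored):
    """Move a global 'hdfs' identity under the HDFS service in the stored copy."""
    out = copy.deepcopy(stored)
    moved = [i for i in out.get("identities", []) if i["name"] == "hdfs"]
    out["identities"] = [i for i in out.get("identities", []) if i["name"] != "hdfs"]
    if moved:
        svc = out.setdefault("services", {}).setdefault("HDFS", {})
        _merge(svc.setdefault("identities", []), moved)
    return out

# Constructed sample data: new-structure stack definition, old-structure stored copy.
STACK_21 = {"identities": [{"name": "spnego", "principal": "HTTP/_HOST@${realm}"}],
            "services": {"HDFS": {"identities": [
                {"name": "hdfs", "principal": NEW_PATTERN}]}}}
STORED_20 = {"identities": [{"name": "hdfs", "principal": "hdfs@EXAMPLE.COM"}]}

if __name__ == "__main__":
    print("before:", hdfs_identities(composite(STACK_21, STORED_20)))
    print("after: ", hdfs_identities(composite(STACK_21, migrate_stored(STORED_20))))
```

More than one entry from `hdfs_identities` on a composite descriptor is the condition the issue describes; a post-upgrade check can flag it before any keytab is regenerated.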
