> On July 23, 2015, 11:49 p.m., Sid Wagle wrote:
> > What about "amszk/_HOST@${realm}" in 
> > common-services/AMBARI_METRICS/0.1.0/kerberos.json? This would create a 
> > wrong keytab if cluster ZK is not co-hosted right.

The root cause of this issue is the use of the "zookeeper/_HOST@_REALM"
principal as the zookeeper service principal by default: any zookeeper client
tries to authenticate the zookeeper service with this principal name, but in
the AMS case clients should use "amszk/_HOST@_REALM" (or any other custom
principal name set by the user). The default principal can be overridden by
setting the system property "-Dzookeeper.sasl.client.username=amszk", so that
clients will authenticate AMS-ZOOKEEPER with "amszk/_HOST@_REALM".

My patch allows any custom principal name or keytab name to be used for the
zookeeper service. Tested on a cluster where the AMS Collector isn't co-hosted
with zookeeper.
Keytabs on the AMS collector node:
[root@c6403 ambari-metrics-collector]# ll /etc/security/keytabs/
total 32
-r-------- 1 ams       hadoop 433 ??? 24 08:37 ams.collector.keytab
-r-------- 1 ams       hadoop 433 ??? 24 08:37 ams-hbase.master.keytab
-r-------- 1 ams       hadoop 433 ??? 24 08:37 ams-hbase.regionserver.keytab
-r-------- 1 ams       hadoop 418 ??? 24 08:37 ams-zk.service.keytab
-r-------- 1 hdfs      hadoop 403 ??? 24 08:37 dn.service.keytab
-r--r----- 1 hdfs      hadoop 303 ??? 24 08:37 hdfs.headless.keytab
-r--r----- 1 ambari-qa hadoop 328 ??? 24 08:37 smokeuser.headless.keytab
-r--r----- 1 root      hadoop 413 ??? 24 08:37 spnego.service.keytab


- Dmytro


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/36752/#review92836
-----------------------------------------------------------
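
The principal mismatch described in the reply above can be checked before a restart. The following is an added example, not part of the original message or of the Ambari patch: it derives the service principal a ZooKeeper SASL client will request from its JVM options and compares it with the principal in the server's JAAS `Server` section. The function names, the `example.com` host suffix, the realm and the sample JAAS text are constructed assumptions.

```python
import re
import shlex

# ZooKeeper clients use this service name when the property is not set.
DEFAULT_SASL_USERNAME = "zookeeper"
PROP = "-Dzookeeper.sasl.client.username="

def client_expected_principal(jvm_opts, zk_host, realm):
    """Service principal a ZooKeeper SASL client will ask the KDC for.

    Assumes zk_host is the name the client resolves the quorum host to.
    """
    username = DEFAULT_SASL_USERNAME
    for tok in shlex.split(jvm_opts):
        if tok.startswith(PROP):
            username = tok[len(PROP):]  # a later -D overrides an earlier one
    return "%s/%s@%s" % (username, zk_host, realm)

def server_principal(jaas_text, section="Server"):
    """Return principal="..." from the named JAAS section, or None."""
    m = re.search(r"\b%s\s*\{(.*?)\}\s*;" % re.escape(section), jaas_text, re.S)
    if not m:
        return None
    p = re.search(r'principal\s*=\s*"([^"]+)"', m.group(1))
    return p.group(1) if p else None

def check(jvm_opts, jaas_text, zk_host, realm):
    """(match, expected_by_client, held_by_server)."""
    expected = client_expected_principal(jvm_opts, zk_host, realm)
    actual = server_principal(jaas_text)
    return (expected == actual, expected, actual)

# Constructed sample: JAAS file of the AMS embedded ZooKeeper.
SAMPLE_JAAS = '''
Server {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  storeKey=true
  keyTab="/etc/security/keytabs/ams-zk.service.keytab"
  principal="amszk/c6403.example.com@EXAMPLE.COM";
};
'''

if __name__ == "__main__":
    for opts in ("-Xmx512m", "-Xmx512m -Dzookeeper.sasl.client.username=amszk"):
        ok, want, have = check(opts, SAMPLE_JAAS, "c6403.example.com", "EXAMPLE.COM")
        print("OK  " if ok else "FAIL", "client requests", want, "| server holds", have)
```
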


On July 23, 2015, 11:37 p.m., Dmytro Sen wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/36752/
> -----------------------------------------------------------
> 
> (Updated July 23, 2015, 11:37 p.m.)
> 
> 
> Review request for Ambari, Myroslav Papirkovskyy and Sid Wagle.
> 
> 
> Bugs: AMBARI-12347
>     https://issues.apache.org/jira/browse/AMBARI-12347
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> STR:
> Setup AMS in distributed mode
> Enable Kerberos using the Security wizard
> AMS fails to start with following log messages:
> /var/log/ambari-metrics-collector/ambari-metrics-collector.log:
> 22:36:44,699 ERROR [main] ConnectionManager$HConnectionImplementation:879 - 
> The node /ams-hbase-secure is not in ZooKeeper. It should have been written 
> by the master. Check the value configured in 'zookeeper.znode.parent'. There 
> could be a mismatch with the one configured in the master.
> /var/log/ambari-metrics-collector/hbase-ams-master-h1.log:
> 2015-07-08 22:51:08,626 WARN  [main] zookeeper.RecoverableZooKeeper: Possibly 
> transient ZooKeeper, quorum=h1:61181, 
> exception=org.apache.zookeeper.KeeperException$ConnectionLossException: 
> KeeperErrorCode = ConnectionLoss for /ams-hbase-secure
> 2015-07-08 22:51:08,626 ERROR [main] zookeeper.RecoverableZooKeeper: 
> ZooKeeper create failed after 4 attempts
> 2015-07-08 22:51:08,626 ERROR [main] master.HMasterCommandLine: Master exiting
> java.lang.RuntimeException: Failed construction of Master: class 
> org.apache.hadoop.hbase.master.HMaster
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-env.xml a3ddb6a
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/configuration/ams-hbase-env.xml 6325a50
>   ambari-server/src/main/resources/common-services/AMBARI_METRICS/0.1.0/package/scripts/params.py 5e4da80
> 
> Diff: https://reviews.apache.org/r/36752/diff/
> 
> 
> Testing
> -------
> 
> OK
> ----------------------------------------------------------------------
> Total run:806
> Total errors:0
> Total failures:0
> OK
> 
> 
> Thanks,
> 
> Dmytro Sen
> 
>
