Robert Levas created AMBARI-12636:
-------------------------------------
Summary: Kerberos: fails check during enable Kerb with SLES
Key: AMBARI-12636
URL: https://issues.apache.org/jira/browse/AMBARI-12636
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.0.0
Environment: Ambari 2.1.1 Build #107
HDP 2.3 GA
ZK + AMS + Kafka
SLES 11 SP3
MIT KDC, all single node
Register hosts / bootstrap agents via SSH
Reporter: Robert Levas
Assignee: Robert Levas
Priority: Critical
Fix For: 2.2.0
When executing the Kerberos service check, the following error occurs:
{code}
stderr: /var/lib/ambari-agent/data/errors-24.txt
Traceback (most recent call last):
File
"/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py",
line 81, in <module>
KerberosServiceCheck().execute()
File
"/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py",
line 218, in execute
method(env)
File
"/var/lib/ambari-agent/cache/common-services/KERBEROS/1.10.3-10/package/scripts/service_check.py",
line 64, in service_check
user=params.smoke_user
File "/usr/lib/python2.6/site-packages/resource_management/core/base.py",
line 157, in __init__
self.env.run()
File
"/usr/lib/python2.6/site-packages/resource_management/core/environment.py",
line 152, in run
self.run_action(resource, action)
File
"/usr/lib/python2.6/site-packages/resource_management/core/environment.py",
line 118, in run_action
provider_action()
File
"/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py",
line 258, in action_run
tries=self.resource.tries, try_sleep=self.resource.try_sleep)
File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
line 70, in inner
result = function(command, **kwargs)
File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
line 92, in checked_call
tries=tries, try_sleep=try_sleep)
File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
line 140, in _call_wrapper
result = _call(command, **kwargs_copy)
File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
line 291, in _call
raise Fail(err_msg)
resource_management.core.exceptions.Fail: Execution of '/usr/bin/kinit -c
/var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_dd529fe1e15538ddfe9ce0347604d64c
-kt /etc/security/keytabs/kerberos.service_check.080315.keytab
[email protected]' returned 1. kinit(v5): Credentials cache
permissions incorrect when initializing cache
/var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_dd529fe1e15538ddfe9ce0347604d64c
stdout: /var/lib/ambari-agent/data/output-24.txt
Performing kinit using [email protected]
2015-08-03 19:11:57,085 - Execute['/usr/bin/kinit -c
/var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_dd529fe1e15538ddfe9ce0347604d64c
-kt /etc/security/keytabs/kerberos.service_check.080315.keytab
[email protected]'] {'user': 'jambari-qa'}
2015-08-03 19:11:57,179 -
File['/var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_dd529fe1e15538ddfe9ce0347604d64c']
{'action': ['delete']}
{code}
This error occurs only on SLES; however, the cause exists on all platforms.
The other platforms silently ignore the condition, which has no bearing on the
results of the _kinit_ test.
*Cause*
The "Credentials cache permissions incorrect when initializing cache" issue is
caused by the inability to write the Kerberos ticket cache file to the
specified location. In this case it is
/var/lib/ambari-agent/data/tmp/kerberos_service_check_cc_dd529fe1e15538ddfe9ce0347604d64c.
The reason for the write failure is that /var/lib/ambari-agent/data/tmp is
not writable by the user executing the _kinit_ call - which is the Ambari smoke
test user (typically ambari-qa). The directory's permissions are
{noformat}
drwxr-xr-x. 4 root root 4096 Aug 3 22:20 /var/lib/ambari-agent/data/tmp/
{noformat}
*Solution*
In order for the ambari smoke test user to be able to write to the relevant
directory (/var/lib/ambari-agent/data/tmp), the permissions must be set at
least as follows
{noformat}
drwxrwxr-x. 4 root hadoop 4096 Aug 3 22:20 /var/lib/ambari-agent/data/tmp/
{noformat}
However, at the time this directory is created, it is not known what the name
of the _hadoop_ group is, so the next best solution is to set the permissions
as
{noformat}
drwxrwxrwx. 4 root root 4096 Aug 3 22:20 /var/lib/ambari-agent/data/tmp/
{noformat}
If the ambari-agent is installed manually via the relevant package manager, the
directory is created with the open permissions (777, drwxrwxrwx) via the
package's install_helper.sh post-install script. However, if Ambari installs the
agent via SSH, the directory is created with the more restrictive permissions
(755, drwxr-xr-x) via the agent bootstrap.py script.
To make these consistent, the following needs to be changed:
{code:title=bootstrap.py:650}
command = "sudo mkdir -p {0} ; sudo chown -R {1} {0} ; sudo chmod 755 {3} ; sudo chmod 755 {2} ; sudo chmod 755 {0}".format(
self.TEMP_FOLDER, quote_bash_args(params.user),
DEFAULT_AGENT_DATA_FOLDER, DEFAULT_AGENT_LIB_FOLDER)
{code}
to
{code:title=bootstrap.py (change)}
command = "sudo mkdir -p {0} ; sudo chown -R {1} {0} ; sudo chmod 755 {3} ; sudo chmod 755 {2} ; sudo chmod 777 {0}".format(
self.TEMP_FOLDER, quote_bash_args(params.user),
DEFAULT_AGENT_DATA_FOLDER, DEFAULT_AGENT_LIB_FOLDER)
{code}
*Note:* self.TEMP_FOLDER contains the path to the Ambari agent temp folder
(typically, /var/lib/ambari-agent/data/tmp).
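The permission reasoning above can be checked mechanically. The following is an added example, not code from Ambari or from this issue: it evaluates the classic owner/group/other mode bits for a non-owner user against the modes discussed (755, 775, 777) on a scratch directory, and also reports the world-writable-without-sticky state that 777 produces, in which any local user can remove or replace another user's files in the directory (mode 1777, as used for /tmp, restricts that). The function names and the scratch directory are assumptions made for illustration.

```python
import os
import stat
import tempfile


def can_create_files(st, uid, gids):
    """Classic owner/group/other check: creating a file in a directory
    needs write and search (execute) permission on that directory.
    ACLs and root's override are not considered."""
    if uid == st.st_uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def audit_cache_dir(path, uid, gids):
    """Report whether (uid, gids) could write a ticket cache into path."""
    st = os.stat(path)
    world_writable = bool(st.st_mode & stat.S_IWOTH)
    sticky = bool(st.st_mode & stat.S_ISVTX)
    return {
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "writable_by_user": can_create_files(st, uid, gids),
        "world_writable_without_sticky": world_writable and not sticky,
    }


def demo():
    """Apply the modes from the issue (plus 1777) to a scratch directory."""
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        st = os.stat(scratch)
        smoke_uid = st.st_uid + 1  # constructed: any uid that is not the owner
        for mode in (0o755, 0o775, 0o777, 0o1777):
            os.chmod(scratch, mode)
            results[mode] = {
                "in_group": audit_cache_dir(scratch, smoke_uid, {st.st_gid}),
                "outsider": audit_cache_dir(scratch, smoke_uid, set()),
            }
    return results


if __name__ == "__main__":
    for mode, report in demo().items():
        print(oct(mode), report)
```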