Yes, that is a bug. Go ahead and log a JIRA for it. We had logged one for Falcon 
and we are not testing Prism, so we never ran into it.

--
Arpit Gupta
Hortonworks Inc.
http://hortonworks.com/

On Jul 15, 2014, at 2:36 PM, Venkatr <[email protected]> wrote:

> Hi Arpit,
> 
> Looks like Prism does not expand _HOST in the principals, whereas Falcon
> expands it -- see the security audit logs.
> When I switched the principal to use machine name instead of _HOST, the
> server starts up and I'm able to ping port 16000 via browser.
> 
> I'm wondering: both Falcon and Prism should use the same code for Hadoop
> authentication. If so, why does it behave this way? Is this a bug?
> 
> Thanks
> Venkat
> 
> [dm@eat1-hcl0758 logs]$ cat  falcon.security.audit.log
> 2014-07-15 20:56:00,778  Login successful for user dm/
> [email protected] using keytab file
> /export/apps/hadoop/keytabs/dm.keytab
> 2014-07-15 20:56:02,134  Login using keytab
> /export/apps/hadoop/keytabs/dm.keytab, for principal HTTP/
> [email protected]
> 
> [dm@eat1-hcl0758 logs]$ cat  prism.security.audit.log
> 2014-07-15 20:56:02,138  Initialized, principal [HTTP/
> [email protected]] from keytab
> [/export/apps/hadoop/keytabs/dm.keytab]
> 2014-07-15 20:49:53,427  Login using keytab
> /export/apps/hadoop/keytabs/dm.keytab, for principal HTTP/_
> [email protected]
> 
> 
> 
> On Tue, Jul 15, 2014 at 1:46 PM, Arpit Gupta <[email protected]> wrote:
> 
>> Can you make the same curl call to port 15000 then?
>> 
>> --
>> Arpit Gupta
>> Hortonworks Inc.
>> http://hortonworks.com/
>> 
>> On Jul 15, 2014, at 1:09 PM, Venkat R <[email protected]> wrote:
>> 
>>> Prism and Falcon for colo-1 are running on the same machine and Falcon
>> for colo-2 is running on a different machine.
>>> 
>>> So, I'm sharing the config files between Prism and Falcon colo-1.
>>> I think it should be okay?
>>> 
>>> 
>>> On Tuesday, July 15, 2014 1:03 PM, Arpit Gupta <[email protected]>
>> wrote:
>>> 
>>> 
>>> 
>>> You can't use the same config for the Falcon and Prism servers; they are
>> running on different hosts, at least from the hostnames you mention.
>>> 
>>> The falcon service principal and spnego principal both have to have
>> hostnames as part of them. For example if your host is "
>> eat1-server1.grid.example.com"
>>> 
>>> then your falcon service principal would be
>> "falcon/eat1-server1.grid.example.com@REALM" and spnego would be
>> "HTTP/eat1-server1.grid.example.com@REALM"
>>> 
>>> 
>>> If you are using _HOST in the configs instead of the real hostname, then
>> you have to make sure the appropriate principals are available in the keytabs.
>>> 
>>> --
>>> Arpit Gupta
>>> Hortonworks Inc.
>>> http://hortonworks.com/
>>> 
>>> On Jul 15, 2014, at 12:16 PM, Venkat R <[email protected]>
>> wrote:
>>> 
>>>> Hi Arpit,
>>>> 
>>>> curl --negotiate -u : "http://eat1-server1.grid.example.com:16000/";
>>>> <html>
>>>> <head>
>>>> <meta http-equiv="Content-Type" content="text/html;
>> charset=ISO-8859-1"/>
>>>> <title>Error 503 SERVICE_UNAVAILABLE</title>
>>>> </head>
>>>> <body>
>>>> <h2>HTTP ERROR: 503</h2>
>>>> <p>Problem accessing /. Reason:
>>>> <pre>    SERVICE_UNAVAILABLE</pre></p>
>>>> <hr /><i><small>Powered by Jetty://</small></i>
>>>> </body>
>>>> </html>
>>>> 
>>>> The startup.properties points to the correct keytabs containing both
>> the falcon user and HTTP principals. The Falcon server starts without any
>> issue (or exception).
>>>> 
>>>> Command to start prism:
>>>> $ bin/prism-start -port 16000
>>>> $ bin/prism-status
>>>> Hadoop is installed, adding hadoop classpath to falcon classpath
>>>> Falcon server is running (on
>> http://eat1-hcl0758.grid.linkedin.com:15000/)
>>>> 
>>>> runtime.properties
>>>> 
>>>> *.all.colos=eat-1, lva-1
>>>> *.falcon.eat-1.endpoint=http://eat1-server1.grid.example.com:15000
>>>> *.falcon.lva-1.endpoint=http://lva1-server1.grid.example.com:15000
>>>> #falcon server should have the following properties
>>>> falcon.current.colo=eat-1
>>>> ######### Authentication Properties #########
>>>> falcon.enableTLS=false
>>>> 
>>>> The startup properties remains the same as the one I used for
>> standalone version (nothing changed).
>>>> 
>>>> is there something else in the config I'm missing?
>>>> 
>>>> Thanks
>>>> 
>>>> 
>>>> 
>>>> On Tuesday, July 15, 2014 9:17 AM, Arpit Gupta <[email protected]>
>> wrote:
>>>> 
>>>> 
>>>> 
>>>> Then check your service principal and spnego principal properties and
>> make sure the keytab location and the principal configured are correct.
>>>> 
>>>> From the exception it could not log in using the keytab provided.
>>>> 
>>>> --
>>>> Arpit Gupta
>>>> Hortonworks Inc.
>>>> http://hortonworks.com/
>>>> 
>>>> On Jul 15, 2014, at 9:14 AM, [email protected]
>> <[email protected]> wrote:
>>>> 
>>>>> Arpit
>>>>> 
>>>>> Will try, but the exception I see is in the prism.application.log and
>> so the service is not up.
>>>>> 
>>>>> Sent from my HTC
>>>>> 
>>>>> ----- Reply message -----
>>>>> From: "Arpit Gupta" <[email protected]>
>>>>> To: "[email protected]" <[email protected]>,
>> "Venkat R" <[email protected]>
>>>>> Subject: Prism server setup
>>>>> Date: Tue, Jul 15, 2014 8:46 AM
>>>>> 
>>>>> If you are running secure Falcon then the browser will need SPNEGO
>> support
>>>>> in order to show the UI. The error message the user sees can be
>> improved
>>>>> but you will need to configure your browser to do SPNEGO negotiate.
>>>>> 
>>>>> After kinit run the following call
>>>>> 
>>>>> curl --negotiate -u : "http://eat1-hcl0758.grid.linkedin.com:16000/ "
>> and
>>>>> see if it goes through.
>>>>> 
>>>>> Arpit
>>>>> 
>>>>> 
>>>>> On Mon, Jul 14, 2014 at 6:28 PM, Venkat R <[email protected]
>>> 
>>>>> wrote:
>>>>> 
>>>>>> Hi All,
>>>>>> 
>>>>>> I followed the instructions here
>>>>>> 
>> https://blogs.apache.org/falcon/entry/starting_falcon_in_distributed_mode
>> and
>>>>>> made the necessary changes to the conf/runtime.properties as below:
>>>>>> 
>>>>>> <verbatim>
>>>>>> 
>>>>>> *.all.colos=eat-1, lva-1
>>>>>> *.falcon.eat-1.endpoint=http://eat1-server1.grid.example.com:15000
>>>>>> *.falcon.lva-1.endpoint=http://lva1-server2.grid.example.com:15000
>>>>>> 
>>>>>> #falcon server should have the following properties
>>>>>> falcon.current.colo=eat-1
>>>>>> 
>>>>>> </verbatim>
>>>>>> 
>>>>>> I started the prism server as follows:
>>>>>> 
>>>>>> bin/prism-start -port 16000
>>>>>> 
>>>>>> and the status reports OK. But the browser reports an error when I try to
>> access
>>>>>> http://eat1-hcl0758.grid.linkedin.com:16000/
>>>>>> 
>>>>>> It returns ERROR 503.
>>>>>> 
>>>>>> And the prism log has the following exception:
>>>>>> 
>>>>>> Not sure what password is being asked for.
>>>>>> 
>>>>>> The user launching the Prism server has a Kerberos TGT in the cache.
>>>>>> 
>>>>>> Thanks
>>>>>> --Venkat
>>>>>> 
>>>>>> 
>>>>>> 2014-07-15 01:19:21,426 WARN  - [main:] ~ Nested in
>>>>>> javax.servlet.ServletException:
>> javax.security.auth.login.LoginException:
>>>>>> Unable to obtain password from user
>>>>>> : (log:89)
>>>>>> javax.security.auth.login.LoginException: Unable to obtain password
>> from
>>>>>> user
>>>>>> 
>>>>>>         at
>>>>>> 
>> com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:789)
>>>>>>         at
>>>>>> 
>> com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:654)
>>>>>>         at
>>>>>> 
>> com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:542)
>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>>>>>>         at
>>>>>> 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>>         at
>>>>>> 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>         at
>>>>>> javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
>>>>>>         at
>>>>>> 
>> javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>>>>>         at
>>>>>> javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
>>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>>         at
>>>>>> 
>> javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
>>>>>>         at
>>>>>> javax.security.auth.login.LoginContext.login(LoginContext.java:575)
>>>>>>         at
>>>>>> 
>> org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler.init(KerberosAuthenticationHandler.java:187)
>>>>>>         at
>>>>>> 
>> org.apache.hadoop.security.authentication.server.AuthenticationFilter.init(AuthenticationFilter.java:146)
>>>>>>         at
>>>>>> 
>> org.apache.falcon.security.BasicAuthFilter.init(BasicAuthFilter.java:82)
>>>>>>         at
>>>>>> org.mortbay.jetty.servlet.FilterHolder.doStart(FilterHolder.java:97)
>>>>>>         at
>>>>>> 
>> org.mortbay.component.AbstractLifeCycle.start(AbstractLifeCycle.java:50)
>>>>>>         at
>>>>>> 
>> org.mortbay.jetty.servlet.ServletHandler.initialize(ServletHandler.java:713)
>>>>>>         at
>> org.mortbay.jetty.servlet.Context.startContext(Context.java:140)
>>>>>>         at
>>>>>> 
>> org.mortbay.jetty.webapp.WebAppContext.startContext(WebAppContext.java:1282)
>>>>>> 
>>>>> 
>>>>> --
>>>>> CONFIDENTIALITY NOTICE
>>>>> NOTICE: This message is intended for the use of the individual or
>> entity to
>>>>> which it is addressed and may contain information that is confidential,
>>>>> privileged and exempt from disclosure under applicable law. If the
>> reader
>>>>> of this message is not the intended recipient, you are hereby notified
>> that
>>>>> any printing, copying, dissemination, distribution, disclosure or
>>>>> forwarding of this communication is strictly prohibited. If you have
>>>>> received this communication in error, please contact the sender
>> immediately
>>>>> and delete it from your system. Thank You.
>>> 
>>>> 
>>> 
>> 
>> 
