Robert Levas created AMBARI-15645:
-------------------------------------
Summary: Upgrading Kerberized JournalNode requires HDFS principal
to perform 'role edits' task
Key: AMBARI-15645
URL: https://issues.apache.org/jira/browse/AMBARI-15645
Project: Ambari
Issue Type: Bug
Components: ambari-server
Affects Versions: 2.1.2
Reporter: Robert Levas
Assignee: Robert Levas
Fix For: 2.2.2
After upgrading HDP in Ambari version 2.1.2.1 a task a performed to _role
edits_ while restarting JournalNodes. If Kerberos is enabled, the JN Kerberos
identity is established before making this call when really the HDFS identity
should be established - since this is an administrative HDFS call that requires
the HDFS administrator user to perform.
Because of this, the following error is generated and seen in the :
{noformat}
Fail: Execution of 'hdfs dfsadmin -rollEdits' returned 255. rollEdits: Access
denied for user jn. Superuser privilege is required
{noformat}
The offending code is
{code:title=common-services/HDFS/2.1.0.2.0/package/scripts/journalnode_upgrade.py}
if params.security_enabled:
Execute(params.jn_kinit_cmd, user=params.hdfs_user)
time.sleep(5)
hdfs_roll_edits()
time.sleep(5)
{code}
It should probably be something like:
{code:title=common-services/HDFS/2.1.0.2.0/package/scripts/journalnode_upgrade.py}
if params.security_enabled:
Execute(params.hdfs_kinit_cmd, user=params.hdfs_user)
time.sleep(5)
hdfs_roll_edits()
time.sleep(5)
{code}
*Note the change from jn to hdfs in the kinit command line.*
This issue has also been posted in
https://issues.apache.org/jira/browse/AMBARI-10519.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
