[
https://issues.apache.org/jira/browse/AMBARI-21577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16101850#comment-16101850
]
Eric Yang commented on AMBARI-21577:
------------------------------------
Quote from Hortonworks internal bug tracker by Robert Levas:
The problem is the existence of the following rule in the auth-to-local rule set
(core-site/hadoop.security.auth_to_local):
{code}
RULE:[2:$1@$0]([email protected])s/.*/cstm-hbase/
{code}
This rule was added due to a Kerberos identity descriptor from the BigInsight
stack definition:
{code}
/HBASE/HBASE_REST_SERVER
{code}
{code}
{
"keytab" : {
"configuration" :
"hbase-site/hbase.rest.authentication.kerberos.keytab",
"file" : "${keytab_dir}/hbase.service.keytab",
"group" : {
"access" : "",
"name" : "${cluster-env/user_group}"
},
"owner" : {
"access" : "r",
"name" : "${hbase-env/hbase_user}"
}
},
"name" : "hbase_rest_server_spnego",
"principal" : {
"configuration" :
"hbase-site/hbase.rest.authentication.kerberos.principal",
"local_username" : "${hbase-env/hbase_user}",
"type" : "service",
"value" : "HTTP/_HOST@${realm}"
}
}
{code}
I am not sure what purpose this definition has since it seems to be messing up
at least Hive and probably a few other things since this forces the SPNEGO
identity to translate to the local user cstm-hbase (in this case). Generally it
is expected that the SPNEGO identities have no explicit translation and by
default will translate to HTTP. One way this is relevant is when the proxyuser
configurations are considered. In this cluster, there are no
hadoop.proxyuser.cstm-hbase configurations. However, the hadoop.proxyuser.HTTP
configurations are set properly... thus allowing the Hive service check to
work when the rule in question is removed.
How do we want to proceed? Since BigInsights is going away, I guess there is no
need to address the problem in that stack. So maybe upon upgrade, we try to
figure out which rules should be removed and fix the auth-to-local rule set(s).
There appears to be other issues with the rule set:
{code}
RULE:[2:$1@$0]([email protected])s/.*/cstm-ams/
RULE:[2:$1@$0]([email protected])s/.*/cstm-hbase/
{code}
In the above case, the 2nd rule will never get executed since the first
matching rule wins. So amshbase/*@EXAMPLE.COM will always translate to cstm-ams.
Programmatically fixing this may be difficult since we won't be able to tell
which rules were added by Ambari and which were custom. So the rules that do
not belong will appear to Ambari as custom rules, so they can not be removed.
Maybe we can document this issue and have the user manually fix it after the
upgrade to HDP?
In any case, I made the necessary change to the cluster at
http://172.22.120.154:8080 and the Hive service check now works.
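The two effects described in the comment (the shadowed duplicate amshbase rule, and the SPNEGO principal being mapped to cstm-hbase so that the hadoop.proxyuser.HTTP settings no longer apply) can be reproduced with a small model of Hadoop's auth_to_local evaluation. This is an added example, not Ambari or Hadoop code; the realm EXAMPLE.COM, the host names and the proxyuser configuration are constructed, and the proxyuser check ignores the hosts property.

```python
import re

# Simplified model of Hadoop's auth_to_local evaluation (KerberosName):
# RULE:[n:fmt](regex)s/pat/repl/[g] applies only to principals with n
# non-realm components; fmt is expanded with $0=realm, $1..$n=components;
# regex must match the whole expanded string, then the sed substitution
# runs on it. DEFAULT maps local-realm principals to their first
# component. The first matching rule wins; later duplicates are dead.
RULE_RE = re.compile(r'RULE:\[(\d+):([^\]]+)\]\(([^)]+)\)s/([^/]+)/([^/]*)/(g?)')

def winning_rule(principal, rules, local_realm):
    """Return (rule_index, local_user) of the first rule that maps principal."""
    name, _, realm = principal.partition('@')
    comps = name.split('/')
    for idx, rule in enumerate(r.strip() for r in rules):
        if rule == 'DEFAULT':
            if realm == local_realm:
                return idx, comps[0]
            continue
        m = RULE_RE.fullmatch(rule)
        if not m:
            raise ValueError('unparseable rule: ' + rule)
        n, fmt, regex, pat, repl, flag = m.groups()
        if int(n) != len(comps):
            continue
        params = [realm] + comps
        base = re.sub(r'\$(\d+)', lambda mm: params[int(mm.group(1))], fmt)
        if re.fullmatch(regex, base):
            return idx, re.sub(pat, repl, base, count=0 if flag else 1)
    return None, None  # Hadoop raises NoMatchingRule here

def shadowed_rules(rules, sample_principals, local_realm):
    """Indices of explicit rules that never win for any sample principal."""
    winners = {winning_rule(p, rules, local_realm)[0] for p in sample_principals}
    return [i for i, r in enumerate(rules) if r.strip() != 'DEFAULT' and i not in winners]

def may_impersonate(local_user, target_user, config):
    """Proxyuser check keyed by the *mapped* local user (hosts ignored)."""
    allowed = config.get('hadoop.proxyuser.%s.users' % local_user, '')
    return allowed == '*' or target_user in allowed.split(',')

# Constructed sample mirroring the ticket; EXAMPLE.COM is an assumed realm.
RULES = ['RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-ams/',
         'RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/cstm-hbase/',  # never wins
         'RULE:[2:$1@$0](HTTP@EXAMPLE.COM)s/.*/cstm-hbase/',      # remaps SPNEGO
         'DEFAULT']
PROXYUSER_CONF = {'hadoop.proxyuser.HTTP.users': '*'}  # no cstm-hbase entry
SAMPLES = ['amshbase/h1.example.com@EXAMPLE.COM',
           'HTTP/h1.example.com@EXAMPLE.COM', 'ambari-qa@EXAMPLE.COM']
```

Running shadowed_rules over a list of the cluster's real service principals is a cheap way to flag dead rules before or after an upgrade, and comparing the mapped name of each HTTP/_HOST principal against the configured hadoop.proxyuser.* keys catches the impersonation failure without waiting for the service check.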
> Hive-Service check failing in post EU validation (IOP-HDP)
> ----------------------------------------------------------
>
> Key: AMBARI-21577
> URL: https://issues.apache.org/jira/browse/AMBARI-21577
> Project: Ambari
> Issue Type: Bug
> Components: stacks
> Affects Versions: 2.5.2
> Environment: OS:- RHEL 7
> Ambari Upgraded 2.2.0 to 2.5.2.0-174
> Express Upgrade:- BigInsights-4.2.0.0 to HDP-2.6.2.0-107
> Reporter: Eric Yang
> Fix For: 2.5.2
>
>
> Steps to reproduce:-
> 1. Installed an IOP cluster ambari-version:-
> 2.2.0/20160616_1658,BigInsights-4.2.0.0
> 2. Upgrade the ambari from 2.2.0 to 2.5.2.0-174(IOP Clusters)
> 3. Remove IOP Select.
> 4. Register HDP Stack to HDP-2.6.2.0-107.
> 5. EU
> 6. Post EU
> Hive- Service check is failing :-
> {code}
> HTTP/[email protected] is not allowed to
> impersonate ambari-qa
> {code}
> stderr:-
> {code}
> Traceback (most recent call last):
> File
> "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py",
> line 194, in <module>
> HiveServiceCheck().execute()
> File
> "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py",
> line 329, in execute
> method(env)
> File
> "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py",
> line 99, in service_check
> webhcat_service_check()
> File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py",
> line 89, in thunk
> return fn(*args, **kwargs)
> File
> "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_service_check.py",
> line 125, in webhcat_service_check
> logoutput=True)
> File "/usr/lib/python2.6/site-packages/resource_management/core/base.py",
> line 166, in __init__
> self.env.run()
> File
> "/usr/lib/python2.6/site-packages/resource_management/core/environment.py",
> line 160, in run
> self.run_action(resource, action)
> File
> "/usr/lib/python2.6/site-packages/resource_management/core/environment.py",
> line 124, in run_action
> provider_action()
> File
> "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py",
> line 262, in action_run
> tries=self.resource.tries, try_sleep=self.resource.try_sleep)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 72, in inner
> result = function(command, **kwargs)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 102, in checked_call
> tries=tries, try_sleep=try_sleep,
> timeout_kill_strategy=timeout_kill_strategy)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 150, in _call_wrapper
> result = _call(command, **kwargs_copy)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 303, in _call
> raise ExecutionFailed(err_msg, code, out, err)
> resource_management.core.exceptions.ExecutionFailed: Execution of
> '/var/lib/ambari-agent/tmp/templetonSmoke.sh
> vs-iop420tofnsec-re-2.openstacklocal ambari-qa 20111
> idtest.ambari-qa.1500877355.88.pig
> /etc/security/keytabs/smokeuser.headless.keytab true /usr/bin/kinit
> [email protected] /var/lib/ambari-agent/tmp' returned 1. Templeton Smoke
> Test (ddl cmd): Failed. : {"error":"User:
> HTTP/[email protected] is not allowed to
> impersonate ambari-qa"}http_code <500>
> {code}
> Screenshot:- !Screen Shot 2017-07-24 at 12.04.44 PM.png|thumbnail!
> Live-Server:- http://172.22.115.63:8080.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)