[
https://issues.apache.org/jira/browse/AMBARI-21577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16101854#comment-16101854
]
Eric Yang edited comment on AMBARI-21577 at 7/26/17 4:06 PM:
-------------------------------------------------------------
[~eyang], This is a stack issue since the Hive Kerberos descriptor declares the
offending identity entry.
See:
{code}
stacks/BigInsights/4.2.5/services/HBASE/kerberos.json:173
stacks/BigInsights/4.0/services/HBASE/kerberos.json:134
stacks/BigInsights/4.2/services/HBASE/kerberos.json:137
{code}
Each reference above points to code like
{code}
{
  "name": "hbase_rest_server_spnego",
  "principal": {
    "value": "HTTP/_HOST@${realm}",
    "type" : "service",
    "configuration": "hbase-site/hbase.rest.authentication.kerberos.principal",
    "local_username": "${hbase-env/hbase_user}"
  },
  "keytab": {
    "file": "${keytab_dir}/hbase.service.keytab",
    "owner": {
      "name": "${hbase-env/hbase_user}",
      "access": "r"
    },
    "group": {
      "name": "${cluster-env/user_group}",
      "access": ""
    },
    "configuration": "hbase-site/hbase.rest.authentication.kerberos.keytab"
  }
}
{code}
The main issue here is the line that reads:
{code}
"local_username": "${hbase-env/hbase_user}"
{code}
This tells Ambari to create an auth-to-local rule to map
{code}
HTTP@${realm} to ${hbase-env/hbase_user}.
{code}
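A check for the pattern described in the comment above, as an added example that is not part of the original comment or of Ambari's own code: it walks a Kerberos descriptor and reports every identity whose principal uses the HTTP primary and also sets `local_username`. The sample descriptor is constructed (the component name and the second and third identities are assumptions), and the function names are hypothetical.

```python
import json

# Constructed sample, trimmed to the relevant fields. The first identity mirrors
# the entry quoted above; the component name and the other two are assumptions.
SAMPLE_DESCRIPTOR = json.loads(r"""
{"services": [{"name": "HBASE", "components": [{"name": "HBASE_REST_SERVER",
  "identities": [
    {"name": "hbase_rest_server_spnego",
     "principal": {"value": "HTTP/_HOST@${realm}", "type": "service",
                   "local_username": "${hbase-env/hbase_user}"}},
    {"name": "hbase_rest_server_hbase",
     "principal": {"value": "hbase/_HOST@${realm}", "type": "service",
                   "local_username": "${hbase-env/hbase_user}"}},
    {"name": "spnego_without_mapping",
     "principal": {"value": "HTTP/_HOST@${realm}", "type": "service"}}
  ]}]}]}
""")


def iter_identities(node, path=()):
    """Yield (path, identity) for each entry of every "identities" list."""
    if isinstance(node, dict):
        name = node.get("name")
        here = path + ((name,) if isinstance(name, str) else ())
        for key, value in node.items():
            if key == "identities" and isinstance(value, list):
                yield from ((here, i) for i in value if isinstance(i, dict))
            else:
                yield from iter_identities(value, here)
    elif isinstance(node, list):
        for item in node:
            yield from iter_identities(item, path)


def find_http_local_mappings(descriptor):
    """Report identities that map the shared HTTP primary to a local user."""
    findings = []
    for path, ident in iter_identities(descriptor):
        principal = ident.get("principal") or {}
        value = principal.get("value") or ""
        local = principal.get("local_username")
        primary, _, realm = value.partition("@")
        if primary.split("/", 1)[0] == "HTTP" and local:
            where = "/".join(path + (ident.get("name", "?"),))
            findings.append({"identity": where, "maps": "HTTP@" + realm, "to": local})
    return findings


if __name__ == "__main__":
    for finding in find_http_local_mappings(SAMPLE_DESCRIPTOR):
        print("{identity}: {maps} -> {to}".format(**finding))
```

To audit real stack files, load each `kerberos.json` with `json.load` and pass the result to `find_http_local_mappings`.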
> Hive-Service check failing in post EU validation (IOP-HDP)
> ----------------------------------------------------------
>
> Key: AMBARI-21577
> URL: https://issues.apache.org/jira/browse/AMBARI-21577
> Project: Ambari
> Issue Type: Bug
> Components: stacks
> Affects Versions: 2.5.2
> Environment: OS:- RHEL 7
> Ambari Upgraded 2.2.0 to 2.5.2.0-174
> Express Upgrade:- BigInsights-4.2.0.0 to HDP-2.6.2.0-107
> Reporter: Eric Yang
> Fix For: 2.5.2
>
>
> Steps to reproduce:-
> 1. Installed an IOP cluster ambari-version:- 2.2.0/20160616_1658,BigInsights-4.2.0.0
> 2. Upgrade the ambari from 2.2.0 to 2.5.2.0-174(IOP Clusters)
> 3. Remove IOP Select.
> 4. Register HDP Stack to HDP-2.6.2.0-107.
> 5. EU
> 6. Post EU
> Hive- Service check is failing :-
> {code}
> HTTP/[email protected] is not allowed to impersonate ambari-qa
> {code}
> stderr:-
> {code}
> Traceback (most recent call last):
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py", line 194, in <module>
>     HiveServiceCheck().execute()
>   File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", line 329, in execute
>     method(env)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py", line 99, in service_check
>     webhcat_service_check()
>   File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89, in thunk
>     return fn(*args, **kwargs)
>   File "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_service_check.py", line 125, in webhcat_service_check
>     logoutput=True)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 166, in __init__
>     self.env.run()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 160, in run
>     self.run_action(resource, action)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 124, in run_action
>     provider_action()
>   File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", line 262, in action_run
>     tries=self.resource.tries, try_sleep=self.resource.try_sleep)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 72, in inner
>     result = function(command, **kwargs)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 102, in checked_call
>     tries=tries, try_sleep=try_sleep, timeout_kill_strategy=timeout_kill_strategy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 150, in _call_wrapper
>     result = _call(command, **kwargs_copy)
>   File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 303, in _call
>     raise ExecutionFailed(err_msg, code, out, err)
> resource_management.core.exceptions.ExecutionFailed: Execution of '/var/lib/ambari-agent/tmp/templetonSmoke.sh vs-iop420tofnsec-re-2.openstacklocal ambari-qa 20111 idtest.ambari-qa.1500877355.88.pig /etc/security/keytabs/smokeuser.headless.keytab true /usr/bin/kinit [email protected] /var/lib/ambari-agent/tmp' returned 1. Templeton Smoke Test (ddl cmd): Failed. : {"error":"User: HTTP/[email protected] is not allowed to impersonate ambari-qa"}http_code <500>
> {code}
> Screenshot:- !Screen Shot 2017-07-24 at 12.04.44 PM.png|thumbnail!
> Live-Server:- http://172.22.115.63:8080.