[
https://issues.apache.org/jira/browse/AMBARI-21577?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16101877#comment-16101877
]
Eric Yang edited comment on AMBARI-21577 at 7/26/17 4:26 PM:
-------------------------------------------------------------
The proper setup for secure HBase REST is documented at:
https://developer.ibm.com/hadoop/2016/05/12/hbase-rest-gateway-security/
It looks like improper use of local_username is causing the proxy user
statement to be generated unintentionally.
What would be the proper method to generate hbase as proxy user, and also
describe that the service should use HTTP for incoming requests, in Ambari's
Kerberos descriptor file?
was (Author: eyang):
The proper setup for secure HBase REST is documented at:
https://developer.ibm.com/hadoop/2016/05/12/hbase-rest-gateway-security/
It looks like IOP Kerberos descriptor file skips one step: instead of HTTP
being proxy user, it should set up hbase as proxy user.
> Hive-Service check failing in post EU validation (IOP-HDP)
> ----------------------------------------------------------
>
> Key: AMBARI-21577
> URL: https://issues.apache.org/jira/browse/AMBARI-21577
> Project: Ambari
> Issue Type: Bug
> Components: stacks
> Affects Versions: 2.5.2
> Environment: OS:- RHEL 7
> Ambari Upgraded 2.2.0 to 2.5.2.0-174
> Express Upgrade:- BigInsights-4.2.0.0 to HDP-2.6.2.0-107
> Reporter: Eric Yang
> Assignee: Siddharth Wagle
> Fix For: 2.5.2
>
>
> Steps to reproduce:-
> 1. Installed an IOP cluster ambari-version:-
> 2.2.0/20160616_1658,BigInsights-4.2.0.0
> 2. Upgrade the ambari from 2.2.0 to 2.5.2.0-174 (IOP Clusters)
> 3. Remove IOP Select.
> 4. Register HDP Stack to HDP-2.6.2.0-107.
> 5. EU
> 6. Post EU
> Hive- Service check is failing :-
> {code}
> HTTP/[email protected] is not allowed to
> impersonate ambari-qa
> {code}
> stderr:-
> {code}
> Traceback (most recent call last):
> File
> "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py",
> line 194, in <module>
> HiveServiceCheck().execute()
> File
> "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py",
> line 329, in execute
> method(env)
> File
> "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/service_check.py",
> line 99, in service_check
> webhcat_service_check()
> File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py",
> line 89, in thunk
> return fn(*args, **kwargs)
> File
> "/var/lib/ambari-agent/cache/common-services/HIVE/0.12.0.2.0/package/scripts/webhcat_service_check.py",
> line 125, in webhcat_service_check
> logoutput=True)
> File "/usr/lib/python2.6/site-packages/resource_management/core/base.py",
> line 166, in __init__
> self.env.run()
> File
> "/usr/lib/python2.6/site-packages/resource_management/core/environment.py",
> line 160, in run
> self.run_action(resource, action)
> File
> "/usr/lib/python2.6/site-packages/resource_management/core/environment.py",
> line 124, in run_action
> provider_action()
> File
> "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py",
> line 262, in action_run
> tries=self.resource.tries, try_sleep=self.resource.try_sleep)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 72, in inner
> result = function(command, **kwargs)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 102, in checked_call
> tries=tries, try_sleep=try_sleep,
> timeout_kill_strategy=timeout_kill_strategy)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 150, in _call_wrapper
> result = _call(command, **kwargs_copy)
> File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py",
> line 303, in _call
> raise ExecutionFailed(err_msg, code, out, err)
> resource_management.core.exceptions.ExecutionFailed: Execution of
> '/var/lib/ambari-agent/tmp/templetonSmoke.sh
> vs-iop420tofnsec-re-2.openstacklocal ambari-qa 20111
> idtest.ambari-qa.1500877355.88.pig
> /etc/security/keytabs/smokeuser.headless.keytab true /usr/bin/kinit
> [email protected] /var/lib/ambari-agent/tmp' returned 1. Templeton Smoke
> Test (ddl cmd): Failed. : {"error":"User:
> HTTP/[email protected] is not allowed to
> impersonate ambari-qa"}http_code <500>
> {code}
> Screenshot:- !Screen Shot 2017-07-24 at 12.04.44 PM.png|thumbnail!
> Live-Server:- http://172.22.115.63:8080.