Re: Review Request 59520: Custom RM principal causes zookeeper HA state store to be inaccessible

Fri, 26 May 2017 09:44:40 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/
-----------------------------------------------------------

(Updated May 26, 2017, 4:44 p.m.)


Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert 
Levas, and Sebastian Toader.


Changes
-------

The previous patch doesn't always work because webhcat regenerates yarn-site at 
every startup, overwriting the placeholders with an empty string.
I uploaded a new patch that replaces the placeholders at the server side. 
The principal names are collected from the kerberos descriptor and they're put 
into the replacementMap under the "principals" key.
The kerberos.json can refer to a principal name using the following format 
${principals/resource_manager_rm|principalPrimary()}


Bugs: AMBARI-20877
    https://issues.apache.org/jira/browse/AMBARI-20877


Repository: ambari


Description
-------

HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA 
state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to 
`rm`.
If this user name does not match the primary component of the Yarn RM Kerberos 
principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to 
access the state store and RM will stop immediately after start.
During the Kerberos wizard there needs to be a check to see if these settings 
are out of sync. Or, the zk-acl setting needs to somehow reference the 
principal and extract the primary root through a variable.


Diffs (updated)
-----

  
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
 5c4728a 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java
 a1b9e5c 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
 b9e2841 
  ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json 
ae4db4f 
  ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json 
ae4db4f 
  
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
 f00f694 


Diff: https://reviews.apache.org/r/59520/diff/2/

Changes: https://reviews.apache.org/r/59520/diff/1-2/


Testing
-------

- Create a cluster with yarn, hdfs
- enabled kerberos using custom principal names
- checked custom principal names in hadoop.registry.system.accounts and 
yarn.resourcemanager.zk-acl properties in yarn config


Tests: PENDING


Thanks,

Attila Magyar

Reply via email to