Re: Review Request 59520: Custom RM principal causes zookeeper HA state store to be inaccessible

Sun, 28 May 2017 23:18:48 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/#review176256
-----------------------------------------------------------




ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
Lines 1233 (patched)
<https://reviews.apache.org/r/59520/#comment249630>

    Add some comment that explains how this works with the constructs stored in 
```kerberos.json``` files


- Sebastian Toader


On May 26, 2017, 6:44 p.m., Attila Magyar wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/59520/
> -----------------------------------------------------------
> 
> (Updated May 26, 2017, 6:44 p.m.)
> 
> 
> Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, 
> Robert Levas, and Sebastian Toader.
> 
> 
> Bugs: AMBARI-20877
>     https://issues.apache.org/jira/browse/AMBARI-20877
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA 
> state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set 
> to `rm`.
> If this user name does not match the primary component of the Yarn RM 
> Kerberos principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn 
> is unable to access the state store and RM will stop immediately after start.
> During the Kerberos wizard there needs to be a check to see if these settings 
> are out of sync. Or, the zk-acl setting needs to somehow reference the 
> principal and extract the primary root through a variable.
> 
> 
> Diffs
> -----
> 
>   
> ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
>  5c4728a 
>   
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java
>  a1b9e5c 
>   
> ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
>  b9e2841 
>   
> ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json 
> ae4db4f 
>   ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json 
> ae4db4f 
>   
> ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
>  f00f694 
> 
> 
> Diff: https://reviews.apache.org/r/59520/diff/2/
> 
> 
> Testing
> -------
> 
> - Create a cluster with yarn, hdfs
> - enabled kerberos using custom principal names
> - checked custom principal names in hadoop.registry.system.accounts and 
> yarn.resourcemanager.zk-acl properties in yarn config
> 
> 
> Tests: PENDING
> 
> 
> Thanks,
> 
> Attila Magyar
> 
>

Reply via email to