Re: Review Request 59520: Custom RM principal causes zookeeper HA state store to be inaccessible

Tue, 30 May 2017 06:15:54 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/59520/
-----------------------------------------------------------

(Updated May 30, 2017, 1:15 p.m.)


Review request for Ambari, Balázs Bence Sári, Laszlo Puskas, Nate Cole, Robert 
Levas, and Sebastian Toader.


Bugs: AMBARI-20877
    https://issues.apache.org/jira/browse/AMBARI-20877


Repository: ambari


Description
-------

HDP 2.6 stack introduced settings for ACLs on the Yarn Resource Manager HA 
state store. In `yarn-site/yarn.resourcemanager.zk-acl` the ACL user is set to 
`rm`.
If this user name does not match the primary component of the Yarn RM Kerberos 
principal in `yarn-site/yarn.resourcemanager.principal`, then Yarn is unable to 
access the state store and RM will stop immediately after start.
During the Kerberos wizard there needs to be a check to see if these settings 
are out of sync. Or, the zk-acl setting needs to somehow reference the 
principal and extract the primary root through a variable.


Diffs (updated)
-----

  ambari-server/docs/security/kerberos/kerberos_descriptor.md 54af50f 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelperImpl.java
 6a403c6 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosDescriptor.java
 a1b9e5c 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelper.java
 b9e2841 
  ambari-server/src/main/resources/common-services/YARN/3.0.0.3.0/kerberos.json 
ae4db4f 
  ambari-server/src/main/resources/stacks/HDP/2.6/services/YARN/kerberos.json 
ae4db4f 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/KerberosHelperTest.java
 e654c72 
  
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosDescriptorTest.java
 a63da61 
  
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/VariableReplacementHelperTest.java
 f00f694 


Diff: https://reviews.apache.org/r/59520/diff/4/

Changes: https://reviews.apache.org/r/59520/diff/3-4/


Testing
-------

- Create a cluster with yarn, hdfs
- enabled kerberos using custom principal names
- checked custom principal names in hadoop.registry.system.accounts and 
yarn.resourcemanager.zk-acl properties in yarn config


Tests: PENDING


Thanks,

Attila Magyar

Reply via email to