----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/63937/ -----------------------------------------------------------
Review request for Ambari, Jayush Luniya, Madhuvanthi Radhakrishnan, and Robert Levas. Bugs: AMBARI-22472 https://issues.apache.org/jira/browse/AMBARI-22472 Repository: ambari Description ------- **Background:** YARN NodeManager currently have 2 identities in 2.5 and 2.6 stack, namely : *'/HIVE/HIVE_SERVER/hive_server_hive'* and *'llap_zk_hive'*. - */HIVE/HIVE_SERVER/hive_server_hive* is a reference from HIVE_SERVER, whereas - *llap_zk_hive* creates same principal as above in a separate keytab file. **Issue:** Recreating same identities in different files creates issues while AMbari upgrade from 2.5 to 2.6, as the *llap_zk_hive* are not refreshed/updated after the upgrade. Thus, HSI fails to come up. **Fix:** Make * llap_zk_hive* also point as a reference pointing to /HIVE/HIVE_SERVER/hive_server_hive, so that we have one identity getting created only at one place and one keytab file. Diffs ----- ambari-server/src/main/java/org/apache/ambari/server/upgrade/UpgradeCatalog260.java 96ce807 ambari-server/src/test/java/org/apache/ambari/server/upgrade/UpgradeCatalog260Test.java be04cd5 ambari-server/src/test/resources/kerberos/test_kerberos_descriptor_ranger_kms.json e17e121 Diff: https://reviews.apache.org/r/63937/diff/1/ Testing ------- **TESTING:** |||||||||||||||||||||||||| Ambari 2.5, before upgrade: |||||||||||||||||||||||||| {code:title=From /etc/hive2/cong/conf.server/hive-site.xml} <property> <name>hive.llap.daemon.keytab.file</name> <value>/etc/security/keytabs/hive.service.keytab</value> </property> <property> <name>hive.llap.daemon.service.principal</name> <value>hive/_h...@example.com</value> </property> <property> <name>hive.llap.zk.sm.keytab.file</name> <value>/etc/security/keytabs/hive.llap.zk.sm.keytab</value> </property> <property> <name>hive.llap.zk.sm.principal</name> <value>hive/_h...@example.com</value> </property> {code} |||||||||||||||||||||||||| Upgrade to Ambari-2.6 |||||||||||||||||||||||||| **Logs: Ambari Server Upgrade** [root@swap-qqq-1 ~]# ambari-server upgrade Using python /usr/bin/python Upgrading ambari-server INFO: Upgrade Ambari Server INFO: Updating Ambari Server properties in ambari.properties ... INFO: Updating Ambari Server properties in ambari-env.sh ... WARNING: Original file ambari-env.sh kept INFO: Fixing database objects owner Ambari Server configured for Embedded Postgres. Confirm you have made a backup of the Ambari Server database [y/n] (y)? y INFO: Upgrading database schema INFO: Return code from schema upgrade command, retcode = 0 INFO: Schema upgrade completed Adjusting ambari-server permissions and ownership... Ambari Server 'upgrade' completed successfully. [root@swap-qqq-1 ~]# [root@swap-qqq-1 ~]# [root@swap-qqq-1 ~]# [root@swap-qqq-1 ~]# [root@swap-qqq-1 ~]# ambari-server --version 2.6.0.0-267 [root@swap-qqq-1 ~]# **Logs : Updating Kerberos descriptors** 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:673 - Updating YARN's HSI Kerberos Descriptor .... 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:685 - Retrieved HIVE->HIVE_SERVER kerberos descriptor. Name = hive_server_hive 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:700 - Retrieved YARN->NODEMANAGER kerberos descriptor to be updated. Name = llap_zk_hive 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:709 - Updated 'llap_zk_hive' identity descriptor reference = '/HIVE/HIVE_SERVER/hive_server_hive' 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:712 - Updated 'llap_zk_hive' principal descriptor value = '' 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:717 - Updated 'llap_zk_hive' keytab descriptor file = '' 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:720 - Updated 'llap_zk_hive' keytab descriptor owner name = '' 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:722 - Updated 'llap_zk_hive' keytab descriptor owner access = '' 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:724 - Updated 'llap_zk_hive' keytab descriptor group name = '' 18 Nov 2017 07:25:54,003 INFO [main] UpgradeCatalog260:726 - Updated 'llap_zk_hive' keytab descriptor group access = '' 18 Nov 2017 07:25:54,004 INFO [main] UpgradeCatalog260:730 - Updated 'isYarnKerberosDescUpdated' = true **Logs : Updated HSI config 'hive.llap.zk.sm.keytab.file'** 18 Nov 2017 07:25:54,073 INFO [main] UpgradeCatalog260:767 - Updated HSI config 'hive.llap.zk.sm.keytab.file' = /etc/security/keytabs/hive.service.keytab **From UI**: Changed hive.llap.zk.sm.keytab.file : https://issues.apache.org/jira/secure/attachment/12898329/Screen%20Shot%202017-11-17%20at%2011.44.41%20PM.png HSI up : https://issues.apache.org/jira/secure/attachment/12898328/Screen%20Shot%202017-11-17%20at%2011.44.55%20PM.png Thanks, Swapan Shridhar