Hi Rob,
thank you very much.
I wasn't aware Ambari is running as non-root as I always started Ambaris
as root user.
I changed the user setting in ambari.properties and was able to activate
kerberos.
Is there already a date for the Ambari Update to be availabe?
Best regards
Frank
Am 18.04.2015 um 01:22 schrieb Robert Levas:
Hi FrankŠ
It seems like Ambari is running as ambari-server, not root. This isn¹t
typically an issue, but in this case the problem from
https://issues.apache.org/jira/browse/AMBARI-10266 is coming into play.
The solution will be in the next releases of Ambari (2.0.1 and 2.1), but
for now it appears that you need to run Ambari as root to get around this
issue.
Essentially, unless you are root, the directory must be executable in
order to write files in it. There is a bug in Ambari where when it
attempts to protect temporary files created while enabling Kerberos, it
fails to properly set the executable flag on relevant directories. Thus
the error condition. For some reason, the root user does not have this
restriction and the bug is avoided.
Is it possible to run Ambari as root? I think you need to edit
/etc/ambari-server/conf/ambari.properties and set ambari-server.user to
root:
ambari-server.user=root
Then restart Ambari.
I am sorry that this is the only solution that I can think of until the
next release. I hope it helps,
Rob
On 4/17/15, 5:34 PM, "Frank Eisenhauer" <[email protected]> wrote:
Hi Rob,
the direcory "/var/lib/ambari-server/data/tmp/" exists and has the
following permissions:
drwx------ 2 ambari-server root 4096 Apr 13 20:28 cache
drwxrwxrwx 10 ambari-server root 4096 Apr 17 21:41 tmp
I changed the permissions to 777 just to exclude permissions as a root
cause.
But unfortunately changing the permissions has no effect on the issue.
After executing "Install and Test Kerberos Client" via Ambari Kerberos
wizard, two new folders are beeing created in the tmp directory, with
the following permissions:
drwxr-xr-x 3 ambari-server ambari-server 4096 Apr 17 23:35
.ambari_1429306535296-0.d
drwxr-xr-x 2 ambari-server ambari-server 4096 Apr 17 23:35
.ambari_1429306535374-0.d
Disk space and available inodes is not an issue. I really don't see a
reason why the files cannot be writen to that directory.
Inside of the first folder mentioned above, ther's is another folder
with the hostname:
drw------- 2 ambari-server ambari-server 4096 Apr 17 23:35
HADOOP01.BIGDATA.LOCAL
-rw-r--r-- 1 ambari-server ambari-server 765 Apr 17 23:35 index.dat
The ambari log states, that the kerberos keytab is exported to the host
directory. Might the missing execute flag be a cause for the permission
denied error?
The installation runs on CentOS 6.6 and Java Version is 1.7.0_71
Am 17.04.2015 um 23:14 schrieb Robert Levas:
Hi Frank,
Can you check to see if /var/lib/ambari-server/data/tmp/ exists on the
Ambari server host? If so, what permissions does it have?
Ideally, /var/lib/ambari-server/data/tmp/ exists and all directories in
the path are executable by the user that Ambari runs as.
Both of these are essentially covered in
https://issues.apache.org/jira/browse/AMBARI-10266 and I saw that you
acknowledged the solution in the ticket, but I just wanted to make sure
we
covered all of the bases.
Other than this, I am not sure while the file cannot be written.
Obvious
things like being out of disk space or memory could cause the issue, but
you would be seeing other issues if this was the case.
What OS and Java VM are you running Ambari on?
Rob
On 4/17/15, 4:03 PM, "Frank Eisenhauer" <[email protected]> wrote:
Hi Jeff,
Ambari is running as root.
Am 17.04.2015 um 21:50 schrieb Jeff Sposetti:
Hi, Are you running your Ambari Server as non-root?
https://issues.apache.org/jira/browse/AMBARI-10266
You might be hitting that BUG.
On 4/17/15, 3:41 PM, "Frank Eisenhauer" <[email protected]>
wrote:
Hi All,
I'm trying to enable Kerberos in Ambari 2.0.0 after upgrade from
Ambari
1.7.
During "Test Kerberos Client" I'm getting the error "Failed to create
keytab file for [email protected] - Failed to export
keytab
file"
The ambari-server.log states:
17 Apr 2015 21:41:29,601 INFO [Server Action Executor Worker 4215]
CreateKeytabFilesServerAction:170 - Creating keytab file for
ambari-qa_idheyfiu@BIGDATA$
17 Apr 2015 21:41:29,636 ERROR [Server Action Executor Worker 4215]
KerberosOperationHandler:433 - Failed to export keytab file
java.io.FileNotFoundException:
/var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV01
/4
e6
d850833d0d36946b1c5c5b260bec371c5247c
(Pe$
at java.io.FileOutputStream.open(Native Method)
at
java.io.FileOutputStream.<init>(FileOutputStream.java:221)
at
org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Ke
yt
ab
.java:273)
at
org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab
.j
av
a:133)
at
org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandle
r.
cr
eateKeytabFile(KerberosOperationHandler.java:429)
at
org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
Ac
ti
on.processIdentity(CreateKeytabFilesServerAction.java:276)
at
org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
oc
es
sRecord(KerberosServerAction.java:494)
at
org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
oc
es
sIdentities(KerberosServerAction.java:386)
at
org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
Ac
ti
on.execute(CreateKeytabFilesServerAction.java:99)
at
org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.exec
ut
e(
ServerActionExecutor.java:504)
at
org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(
Se
rv
erActionExecutor.java:441)
at java.lang.Thread.run(Thread.java:744)
17 Apr 2015 21:41:29,637 ERROR [Server Action Executor Worker 4215]
CreateKeytabFilesServerAction:290 - Failed to create keytab file for
ambari-qa_idheyfiu$
org.apache.ambari.server.serveraction.kerberos.KerberosOperationExcept
io
n:
Failed to export keytab file
at
org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandle
r.
cr
eateKeytabFile(KerberosOperationHandler.java:439)
at
org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
Ac
ti
on.processIdentity(CreateKeytabFilesServerAction.java:276)
at
org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
oc
es
sRecord(KerberosServerAction.java:494)
at
org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.pr
oc
es
sIdentities(KerberosServerAction.java:386)
at
org.apache.ambari.server.serveraction.kerberos.CreateKeytabFilesServer
Ac
ti
on.execute(CreateKeytabFilesServerAction.java:99)
at
org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.exec
ut
e(
ServerActionExecutor.java:504)
at
org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(
Se
rv
erActionExecutor.java:441)
at java.lang.Thread.run(Thread.java:744)
Caused by: java.io.FileNotFoundException:
/var/lib/ambari-server/data/tmp/.ambari_1429299679291-0.d/HADOOP-SRV01
/4
e6
d850833d0d36946b1c5c5b260bec37$
at java.io.FileOutputStream.open(Native Method)
at
java.io.FileOutputStream.<init>(FileOutputStream.java:221)
at
org.apache.directory.server.kerberos.shared.keytab.Keytab.writeFile(Ke
yt
ab
.java:273)
at
org.apache.directory.server.kerberos.shared.keytab.Keytab.write(Keytab
.j
av
a:133)
at
org.apache.ambari.server.serveraction.kerberos.KerberosOperationHandle
r.
cr
eateKeytabFile(KerberosOperationHandler.java:429)
... 7 more
I've found a Jira Log
"https://issues.apache.org/jira/browse/AMBARI-10266"; but the
mentioned
solution does not solve the issue. The permission denied exception
still
occurs.
Ambari Server is running as root.
