Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-11179

Kerberos: Oozie auth rules do not look correct

Attach filesAttach ScreenshotVotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.1.0
    • 2.1.0
    • ambari-server

    Description

      0) create cluster, hDP 2.2, build 1203
      1) Kerb cluster (hdfs, yarn,zk)
      2) add ozzie
      3) add hbase
      4) everything seems ok.
      5) I went and looked at oozie configs, oozie.authentication.kerberos.name.rules property looks like this...is this correct?

      RULE:[1:$1@$0](ambari-qa-MyCluster@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hbase-MyCluster@EXAMPLE.COM)s/.*/hbase/
RULE:[1:$1@$0](hdfs-MyCluster@EXAMPLE.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
RULE:[1:$1@$0](.*@.*TODO-KERBEROS-DOMAIN)s/@.*//
RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
DEFAULT

      Solution
      Remove the following values for oozie-site/oozie.authentication.kerberos.name.rules

      common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml:145
            RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
      RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
      RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      DEFAULT
      common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml:24
            RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
      RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
      RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      DEFAULT

      Attachments

        Issue Links

        relates to

        Bug - A problem which impairs or prevents the functions of the product. AMBARI-11882 Kerberos: Oozie auth rules do not look correct

        • Major - Major loss of function.
        • Resolved
        links to

        Web Link ReviewBoard

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            rlevas Robert Levas
            rlevas Robert Levas
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment