Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-12245

HCat Service Check warns keytab contains no suitable keys when Kerberos is enabled

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.1.0
    • 2.1.0
    • ambari-server

    • ambari-server --hash: 82c5c6a183041dcbdbc46f3029937ccde8869fba
      HDP: HDP 2.3
      OS: CentOS 6.5

    Description

      HCat Service Check (part of the Hive Service Check) fails in cluster where Kerberos is enabled:

      Test connectivity to hive server
Waiting for the Hive server to start...
2015-07-01 18:39:17,173 - Execute['/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa-tezview@EXAMPLE.COM; '] {'user': 'ambari-qa'}
2015-07-01 18:39:17,321 - Execute['! beeline -u 'jdbc:hive2://c6502.ambari.apache.org:10000/;transportMode=binary;principal=hive/_HOST@EXAMPLE.COM' -e '' 2>&1| awk '{print}'|grep -i -e 'Connection refused' -e 'Invalid URL''] {'path': ['/bin/', '/usr/bin/', '/usr/lib/hive/bin/', '/usr/sbin/'], 'user': 'ambari-qa', 'timeout': 30}
Successfully connected to c6502.ambari.apache.org on port 10000
Successfully connected to Hive at c6502.ambari.apache.org on port 10000 after 6 seconds
2015-07-01 18:39:23,313 - File['/var/lib/ambari-agent/data/tmp/hcatSmoke.sh'] {'content': StaticFile('hcatSmoke.sh'), 'mode': 0755}
2015-07-01 18:39:23,314 - Execute['/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa; env JAVA_HOME=/usr/jdk64/jdk1.8.0_40 /var/lib/ambari-agent/data/tmp/hcatSmoke.sh hcatsmokeida8c06641_date390115 prepare'] {'logoutput': True, 'path': ['/usr/sbin', '/usr/local/bin', '/bin', '/usr/bin', '/usr/sbin:/sbin:/usr/lib/ambari-server/*:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/var/lib/ambari-agent:/usr/hdp/current/hive-client/bin:/usr/hdp/current/hadoop-client/bin'], 'tries': 3, 'user': 'ambari-qa', 'try_sleep': 5}
kinit: Keytab contains no suitable keys for ambari-qa@EXAMPLE.COM while getting initial credentials
WARNING: Use "yarn jar" to launch YARN applications.

      The issue appears to be the wrong principal name in the kinit command - note the missing cluster name and realm in the principal name value.

      /usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab ambari-qa

      Cause
      The error is caused by the use of the wrong variable when generating the kinit command at common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py:44

              {kinit_path_local} -kt {smoke_user_keytab} {smokeuser}

      Solution
      At common-services/HIVE/0.12.0.2.0/package/scripts/hcat_service_check.py:44, change smokeuser to smokeuser_principal.

      Attachments

        1. AMBARI-12245_01.patch
          2 kB
          Robert Levas
        2. AMBARI-12245_02.patch
          2 kB
          Robert Levas

        Issue Links

          links to

          Web Link ReviewBoard

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: