Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-12356

kinit of hdfs Kerberos identity fails when starting added service(s) after upgrade to Ambari 2.1.0

    XMLWordPrintableJSON

Details

    Description

      STR:
      1. Install old version of ambari (2.0.1)
      2. Enable security
      3. Do Ambari only upgrade to ambari2.1.0
      4. Add some component - HiveServer2 or Ooozie server
      5. Try to start added component

      Actual result:
      Start have been failed. 

      Traceback (most recent call last):
  File "/var/lib/ambari-agent/cache/common-

services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 182, in <module>
    HiveServer().execute()
  File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", 

line 216, in execute
    method(env)
  File "/var/lib/ambari-agent/cache/common-

services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 83, in start
    self.configure(env) # FOR SECURITY
  File "/var/lib/ambari-agent/cache/common-

services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 54, in configure
    hive(name='hiveserver2')
  File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89, in 

thunk
    return fn(*args, **kwargs)
  File "/var/lib/ambari-agent/cache/common-

services/HIVE/0.12.0.2.0/package/scripts/hive.py", line 127, in hive
    mode=params.webhcat_hdfs_user_mode
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in 

__init__
    self.env.run()
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 

152, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 

118, in run_action
    provider_action()
  File "/usr/lib/python2.6/site-

packages/resource_management/libraries/providers/hdfs_resource.py", line 390, in 

action_create_on_execute
    self.action_delayed("create")
  File "/usr/lib/python2.6/site-

packages/resource_management/libraries/providers/hdfs_resource.py", line 387, in 

action_delayed
    self.get_hdfs_resource_executor().action_delayed(action_name, self)
  File "/usr/lib/python2.6/site-

packages/resource_management/libraries/providers/hdfs_resource.py", line 236, in 

action_delayed
    main_resource.kinit()
  File "/usr/lib/python2.6/site-

packages/resource_management/libraries/providers/hdfs_resource.py", line 416, in kinit
    user=user
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in 

__init__
    self.env.run()
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 

152, in run
    self.run_action(resource, action)
  File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 

118, in run_action
    provider_action()
  File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", 

line 254, in action_run
    tries=self.resource.tries, try_sleep=self.resource.try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 70, in 

inner
    result = function(command, **kwargs)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 92, in 

checked_call
    tries=tries, try_sleep=try_sleep)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 140, in 

_call_wrapper
    result = _call(command, **kwargs_copy)
  File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 291, in 

_call
    raise Fail(err_msg)
resource_management.core.exceptions.Fail: Execution of '/usr/bin/kinit -kt 

/etc/security/keytabs/hdfs.headless.keytab hdfs@EXAMPLE.COM' returned 1. kinit: Keytab 

contains no suitable keys for hdfs@EXAMPLE.COM while getting initial credentials

      Expected results:
      Can start all added components.

      Cause
      The Kerberos Descriptor structure changed between Ambari 2.0 and Ambari 2.1. This change moved the "hdfs" Kerberos identity descriptor from the global scope to under the HDFS service. After upgrading from Ambari 2.0 to Ambari 2.1 an additional "hdfs" Kerberos identity descriptor was added with the new principal name pattern - ${hadoop-env/hdfs_user}-${cluster_name}@${realm}. This occurred because the stored Kerberos Descriptor contained the old structure, and when Ambari generated a composite Kerberos Descriptor made up of the Kerberos Descriptor compiled from the relevant stack definition with stored changes applied, that additional "hdfs" Kerberos identity descriptor was added. Because if this, the Kerberos logic became confused and overwrote the existing hdfs keytab file with one that contained the new principal name.

      Solution
      While migrating Ambari 2.0 to Ambari 2.1, fix the stored Kerberos Descriptor structure to match the new version's structure.

      Attachments

        1. AMBARI-12356_01.patch
          40 kB
          Robert Levas

        Issue Links

          links to

          Web Link ReviewBoard

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: