Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-12356

kinit of hdfs Kerberos identity fails when starting added service(s) after upgrade to Ambari 2.1.0

    XMLWordPrintableJSON

Details

    Description

      STR:
      1. Install old version of ambari (2.0.1)
      2. Enable security
      3. Do Ambari only upgrade to ambari2.1.0
      4. Add some component - HiveServer2 or Ooozie server
      5. Try to start added component

      Actual result:
      Start have been failed.

      Traceback (most recent call last):
        File "/var/lib/ambari-agent/cache/common-
      
      services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 182, in <module>
          HiveServer().execute()
        File "/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py", 
      
      line 216, in execute
          method(env)
        File "/var/lib/ambari-agent/cache/common-
      
      services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 83, in start
          self.configure(env) # FOR SECURITY
        File "/var/lib/ambari-agent/cache/common-
      
      services/HIVE/0.12.0.2.0/package/scripts/hive_server.py", line 54, in configure
          hive(name='hiveserver2')
        File "/usr/lib/python2.6/site-packages/ambari_commons/os_family_impl.py", line 89, in 
      
      thunk
          return fn(*args, **kwargs)
        File "/var/lib/ambari-agent/cache/common-
      
      services/HIVE/0.12.0.2.0/package/scripts/hive.py", line 127, in hive
          mode=params.webhcat_hdfs_user_mode
        File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in 
      
      __init__
          self.env.run()
        File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 
      
      152, in run
          self.run_action(resource, action)
        File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 
      
      118, in run_action
          provider_action()
        File "/usr/lib/python2.6/site-
      
      packages/resource_management/libraries/providers/hdfs_resource.py", line 390, in 
      
      action_create_on_execute
          self.action_delayed("create")
        File "/usr/lib/python2.6/site-
      
      packages/resource_management/libraries/providers/hdfs_resource.py", line 387, in 
      
      action_delayed
          self.get_hdfs_resource_executor().action_delayed(action_name, self)
        File "/usr/lib/python2.6/site-
      
      packages/resource_management/libraries/providers/hdfs_resource.py", line 236, in 
      
      action_delayed
          main_resource.kinit()
        File "/usr/lib/python2.6/site-
      
      packages/resource_management/libraries/providers/hdfs_resource.py", line 416, in kinit
          user=user
        File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", line 157, in 
      
      __init__
          self.env.run()
        File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 
      
      152, in run
          self.run_action(resource, action)
        File "/usr/lib/python2.6/site-packages/resource_management/core/environment.py", line 
      
      118, in run_action
          provider_action()
        File "/usr/lib/python2.6/site-packages/resource_management/core/providers/system.py", 
      
      line 254, in action_run
          tries=self.resource.tries, try_sleep=self.resource.try_sleep)
        File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 70, in 
      
      inner
          result = function(command, **kwargs)
        File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 92, in 
      
      checked_call
          tries=tries, try_sleep=try_sleep)
        File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 140, in 
      
      _call_wrapper
          result = _call(command, **kwargs_copy)
        File "/usr/lib/python2.6/site-packages/resource_management/core/shell.py", line 291, in 
      
      _call
          raise Fail(err_msg)
      resource_management.core.exceptions.Fail: Execution of '/usr/bin/kinit -kt 
      
      /etc/security/keytabs/hdfs.headless.keytab hdfs@EXAMPLE.COM' returned 1. kinit: Keytab 
      
      contains no suitable keys for hdfs@EXAMPLE.COM while getting initial credentials
      

      Expected results:
      Can start all added components.

      Cause
      The Kerberos Descriptor structure changed between Ambari 2.0 and Ambari 2.1. This change moved the "hdfs" Kerberos identity descriptor from the global scope to under the HDFS service. After upgrading from Ambari 2.0 to Ambari 2.1 an additional "hdfs" Kerberos identity descriptor was added with the new principal name pattern - ${hadoop-env/hdfs_user}-${cluster_name}@${realm}. This occurred because the stored Kerberos Descriptor contained the old structure, and when Ambari generated a composite Kerberos Descriptor made up of the Kerberos Descriptor compiled from the relevant stack definition with stored changes applied, that additional "hdfs" Kerberos identity descriptor was added. Because if this, the Kerberos logic became confused and overwrote the existing hdfs keytab file with one that contained the new principal name.

      Solution
      While migrating Ambari 2.0 to Ambari 2.1, fix the stored Kerberos Descriptor structure to match the new version's structure.

      Attachments

        1. AMBARI-12356_01.patch
          40 kB
          Robert Levas

        Issue Links

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: