Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-13058

Kerberos: failures / issues w/ add host when using "manual kerb" option

Attach filesAttach ScreenshotVotersStop watchingWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Fixed
    • 2.1.1
    • 2.1.2
    • ambari-web
    • None

    Description

      PART I

      >> I recently added a manually-administered kerberos service to Ambari.
>> This is where nodes are all kerberized, but Ambari doesn't administer
>> the kerberos server (had to download the csv & create the keytabs
>> myself). This is ambari 2.1.1.
>>
>> I'm now trying to add a new host to the cluster using the "Ambari
>> add-host" wizard.
>>
>> Ambari gets through to the "review" step (step5), but when trying to
>> move forward to "Deploy" it fails.
>>
>> A browser console trace shows that it tries to fetch:
>> https://{ambari
>> server}/api/v1/clusters/{cluster}/services/KERBEROS?fields=Services/attributes/kdc_validation_result,Services/attributes/kdc_validation_failure_details&_=1441379573009
>>
>> and gets a 404 back.  (This 404 seems correct to me as there is no
>> "kerberos" service administered by Ambari.  However, it doesn't appear
>> Ambari's add-host wizard understands this).
>>
>> Is this a known issue, or am I doing something incorrect somewhere?  I
>> looked through the opened JIRAs and didn't see anything for this.
>>

      PART II

      >I was able to fix this by using the API to create the KERBEROS service
>and KERBEROS_CLIENT host component (but not assigning any hosts to
>that component):
>curl ... -X POST ...services/KERBEROS
>curl ... -X PUT '{"ServiceInfo": {"state" : "INSTALLED"}}' ...services/KERBEROS
>curl ... -X POST ...services/KERBEROS/components/KERBEROS_CLIENT
>
>I ran into other bugs after that:
> - Ambari install tried to modify user "ambari-qa". However, this user
>is a kerberos user and ambari tried to run usermod which failed
>complaining that ambari-qa is not in /etc/passwd.  To get around this
>I deleted this user in kerberos, allow ambari to create the user in
>/etc/passwd, then once the setup was done I had to recreate the
>kerberos user so that the headless keytab would work.
> - Ambari install also tried to create the local user hdfs, which
>didn't work very well because hdfs is a kerberos user (due to the
>headless keytab).  I just created this user in /etc/password which
>allowed the host install to continue.
>
>Every time I ran into a failure I ended up deleting the host services
>and host via the api, making adjustments, and going back through the
>wizard.
>
>With these workarounds I was able to get the hosts added into the
>cluster. These are the only hosts now with the "KERBEROS_CLIENT"
>service - I'm not sure what the expected state is there.

      Attachments

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            aantonenko Antonenko Alexander
            aantonenko Antonenko Alexander
            Votes:
            0 Vote for this issue
            Watchers:
            4 Stop watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment