Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-13058

Kerberos: failures / issues w/ add host when using "manual kerb" option



    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.1.1
    • Fix Version/s: 2.1.2
    • Component/s: ambari-web
    • Labels:


      PART I

      >> I recently added a manually-administered kerberos service to Ambari.
      >> This is where nodes are all kerberized, but Ambari doesn't administer
      >> the kerberos server (had to download the csv & create the keytabs
      >> myself). This is ambari 2.1.1.
      >> I'm now trying to add a new host to the cluster using the "Ambari
      >> add-host" wizard.
      >> Ambari gets through to the "review" step (step5), but when trying to
      >> move forward to "Deploy" it fails.
      >> A browser console trace shows that it tries to fetch:
      >> https://{ambari
      >> server}/api/v1/clusters/{cluster}/services/KERBEROS?fields=Services/attributes/kdc_validation_result,Services/attributes/kdc_validation_failure_details&_=1441379573009
      >> and gets a 404 back.  (This 404 seems correct to me as there is no
      >> "kerberos" service administered by Ambari.  However, it doesn't appear
      >> Ambari's add-host wizard understands this).
      >> Is this a known issue, or am I doing something incorrect somewhere?  I
      >> looked through the opened JIRAs and didn't see anything for this.

      PART II

      >I was able to fix this by using the API to create the KERBEROS service
      >and KERBEROS_CLIENT host component (but not assigning any hosts to
      >that component):
      >curl ... -X POST ...services/KERBEROS
      >curl ... -X PUT '{"ServiceInfo": {"state" : "INSTALLED"}}' ...services/KERBEROS
      >curl ... -X POST ...services/KERBEROS/components/KERBEROS_CLIENT
      >I ran into other bugs after that:
      > - Ambari install tried to modify user "ambari-qa". However, this user
      >is a kerberos user and ambari tried to run usermod which failed
      >complaining that ambari-qa is not in /etc/passwd.  To get around this
      >I deleted this user in kerberos, allow ambari to create the user in
      >/etc/passwd, then once the setup was done I had to recreate the
      >kerberos user so that the headless keytab would work.
      > - Ambari install also tried to create the local user hdfs, which
      >didn't work very well because hdfs is a kerberos user (due to the
      >headless keytab).  I just created this user in /etc/password which
      >allowed the host install to continue.
      >Every time I ran into a failure I ended up deleting the host services
      >and host via the api, making adjustments, and going back through the
      >With these workarounds I was able to get the hosts added into the
      >cluster. These are the only hosts now with the "KERBEROS_CLIENT"
      >service - I'm not sure what the expected state is there.


        1. AMBARI-13058.patch
          0.6 kB
          Antonenko Alexander



            • Assignee:
              aantonenko Antonenko Alexander
              aantonenko Antonenko Alexander
            • Votes:
              0 Vote for this issue
              4 Start watching this issue


              • Created: