[AMBARI-14702] disabling kerberos does not remove auth to local rules - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.2.0
Fix Version/s: 2.2.2
Component/s: ambari-server
Labels:
- kerberos

Description

After disabling Kerberos to fix a user generated issue with a principal name pattern, the auth-to-local mapping(s) were not removed and thus not fixing the issues that were caused:

Invalid hadoop.security.auth_to_local value

 <property>
       <name>hadoop.security.auth_to_local</name>
       <value>RULE:[1:$1@$0](${hbase_user}@EXAMPLE.COM)s/.*/hbase/
 RULE:[1:$1@$0](${hdfs_user}@EXAMPLE.COM)s/.*/hdfs/
 RULE:[1:$1@$0](${smokeuser}@EXAMPLE.COM)s/.*/ambari-qa/
 RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
 RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/ams/
 RULE:[2:$1@$0](amszk@EXAMPLE.COM)s/.*/ams/
 RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
 RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
 RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/
 RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
 RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
 RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
 RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
 RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
 RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
 RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
 DEFAULT</value>
     </property>

Errors in log

2016-01-13 21:51:17,825 FATAL datanode.DataNode (DataNode.java:secureMain(2429)) - Exception in secureMain
java.util.regex.PatternSyntaxException: Illegal repetition near index 0
${hbase_user}@EXAMPLE.COM
^
        at java.util.regex.Pattern.error(Pattern.java:1924)
        at java.util.regex.Pattern.closure(Pattern.java:3104)
        at java.util.regex.Pattern.sequence(Pattern.java:2101)
        at java.util.regex.Pattern.expr(Pattern.java:1964)
        at java.util.regex.Pattern.compile(Pattern.java:1665)
        at java.util.regex.Pattern.<init>(Pattern.java:1337)
        at java.util.regex.Pattern.compile(Pattern.java:1022)
        at org.apache.hadoop.security.authentication.util.KerberosName$Rule.<init>(KerberosName.java:193)
        at org.apache.hadoop.security.authentication.util.KerberosName.parseRules(KerberosName.java:336)
        at org.apache.hadoop.security.authentication.util.KerberosName.setRules(KerberosName.java:397)
        at org.apache.hadoop.security.HadoopKerberosName.setConfiguration(HadoopKerberosName.java:75)
        at org.apache.hadoop.security.UserGroupInformation.initialize(UserGroupInformation.java:275)
        at org.apache.hadoop.security.UserGroupInformation.setConfiguration(UserGroupInformation.java:311)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.instantiateDataNode(DataNode.java:2192)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.createDataNode(DataNode.java:2242)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.secureMain(DataNode.java:2422)
        at org.apache.hadoop.hdfs.server.datanode.DataNode.main(DataNode.java:2446)
2016-01-13 21:51:17,830 INFO  util.ExitUtil (ExitUtil.java:terminate(124)) - Exiting with status 1
2016-01-13 21:51:17,832 INFO  datanode.DataNode (LogAdapter.java:info(45)) - SHUTDOWN_MSG:
/************************************************************

The auth-to-local mappings should be removed when Kerberos is disabled.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

AMBARI-14702_branch-2.2_01.patch
25/Jan/16 21:30
9 kB
Robert Levas
AMBARI-14702_trunk_01.patch
25/Jan/16 21:30
9 kB
Robert Levas

Issue Links

links to

ReviewBoard

Activity

People

Assignee:: Robert Levas

Reporter:: Robert Levas

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 16/Jan/16 11:40

Updated:: 26/Jan/16 19:31

Resolved:: 26/Jan/16 17:03