Contributor
Posts: 31
Registered: ‎08-01-2014
Accepted Solution

Disabling Kerberos

Hi all,

 
We have a Kerberized cluster, but at the moment we would like to disable it.

How is it possible?
 
I performed the following steps:
  • Zookeeper -> enableSecurity (Enable Kerberos Authentication)-> false
  • HDFS -> hadoop.security.authentication -> Simple
  • HDFS -> hadoop.security.authorization -> false
  • HDFS -> dfs.datanode.address -> from 1004 (for Kerberos) to 50010 (default)
  • HDFS -> dfs.datanode.http.address  -> from 1006 (for Kerberos) to 50075 (default)
  • HDFS -> Data Directory Permissions -> from 700 to 755
  • HBASE -> hbase.security.authentication -> Simple
  • HBASE -> hbase.security.authorization -> false
 
But when I start the cluster I have problems on Hue and Solr
 
Hue: It seems that Kerberos is still configured for Hue
        -> The Kerberos Ticket Renewer is not running. How can I disable it?
        -> Impala and Oozie don't run from Hue
 
 
Solr:  
Caused by: java.io.IOException: Failed on local exception: java.io.IOException: Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.;
 
 
I noticed that Hue and Solr run in secure mode. How can I disable them?
 
Thanks
Alessio
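
Added example, not part of the original post or of any Cloudera tooling: a Python check that parses Hadoop-style *-site.xml files and reports which of the properties listed above still carry a Kerberos-era value, the mixed client/server state that the "fall back to SIMPLE auth" error describes. The file labels and sample contents are constructed assumptions; the property names and ports are the ones from the post.

```python
import xml.etree.ElementTree as ET

# Values the first post sets when switching the cluster to simple auth.
SIMPLE_VALUES = {
    "hadoop.security.authentication": "simple",
    "hadoop.security.authorization": "false",
    "hbase.security.authentication": "simple",
    "hbase.security.authorization": "false",
}
# DataNode ports the post lists as the Kerberos-era settings.
KERBEROS_PORTS = {"dfs.datanode.address": "1004", "dfs.datanode.http.address": "1006"}

def parse_site_xml(text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(configs):
    """configs maps a label to XML text; returns (label, property, value) leftovers."""
    findings = []
    for label, text in sorted(configs.items()):
        props = parse_site_xml(text)
        for name, want in SIMPLE_VALUES.items():
            if name in props and props[name].lower() != want:
                findings.append((label, name, props[name]))
        for name, port in KERBEROS_PORTS.items():
            if props.get(name, "").rsplit(":", 1)[-1] == port:
                findings.append((label, name, props[name]))
    return findings

def make_site(props):
    """Build a constructed sample config (not taken from a real cluster)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>" for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample: the labels and their contents are assumptions for illustration.
SAMPLE = {
    "namenode/core-site.xml": make_site({"hadoop.security.authentication": "simple"}),
    "datanode/hdfs-site.xml": make_site({"dfs.datanode.address": "0.0.0.0:1004",
                                         "dfs.datanode.http.address": "0.0.0.0:50075"}),
    "client/core-site.xml": make_site({"hadoop.security.authentication": "kerberos"}),
}

if __name__ == "__main__":
    print("\n".join(f"{l}: {n} = {v}" for l, n, v in audit(SAMPLE)))
```

An empty result means every checked file agrees on simple authentication; any finding names the file that was not updated or redeployed.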
 

 

Expert Contributor
Posts: 162
Registered: ‎09-29-2014

Re: Disabling Kerberos

Just like other services. Please look carefully, you will find the button. I have done this many times.
Expert Contributor
Posts: 162
Registered: ‎09-29-2014

Re: Disabling Kerberos

Don't forget to redeploy the client. It's important.
Contributor
Posts: 31
Registered: ‎08-01-2014

Re: Disabling Kerberos

Hi, 

 

I didn't find the button on CDH 5.1.2 but I removed the Kerberos Ticket Renewer and redeployed the client.

 

I missed this for Solr

 

SOLR -> Solr Secure Authentication -> Simple

 

 

Thanks 

Cloudera Employee
Posts: 228
Registered: ‎09-23-2013

Re: Disabling Kerberos

You would work your way back through the security guide discussion on enabling Kerberos:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-latest/Configuring-Had...

 

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

Todd

Contributor
Posts: 31
Registered: ‎08-01-2014

Re: Disabling Kerberos

Thanks,

 

I followed the instructions at the link, in reverse order.

 

When I disabled Kerberos, I had the two NameNodes (HA) both in standby state and I manually removed entries in ZooKeeper.

 

 

Now it works!!!

 

Thanks

Alessio

Contributor
Posts: 31
Registered: ‎08-01-2014

Re: Disabling Kerberos

Hi,

 

 

I have another question about this.

 

When you said:

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

The same problem can be present for Yarn (HA).

I tried to find 'yarn.resourcemanager.zk-auth' in the yarn-site.xml (/var/run/cloudera-scm-agent/process) in order to authenticate with ZooKeeper and remove the ACL statement, but this parameter is not present.

 

I searched for it in all the XXX-yarn-RESOURCEMANAGER folders (also in the most recent) but I cannot find it.

 

How can I solve this? At the moment I have YARN not in HA, and when I try to enable HA, both ResourceManagers stay in standby.

 

Thanks

Alessio

Contributor
Posts: 31
Registered: ‎08-01-2014

Re: Disabling Kerberos

Solved !!! 

 

Thanks

Alessio

New Contributor
Posts: 2
Registered: ‎09-29-2014

Re: Disabling Kerberos

How so? I have the same problem! Both my YARN HA services went into standby.

New Contributor
Posts: 2
Registered: ‎09-29-2014

Re: Disabling Kerberos

Looking for how you removed it from zk..