Created 09-21-2016 11:00 AM
Hi All,
I have set up Ambari views on a kerberised ambari-server and Hadoop cluster; the hive-view works fine for user ambari-server.
However, for any other users in the local store (such as hr1, mktg1, etc.), the Hive views don't work properly.
How does ambari views work? Does it kinit for the user who has logged in?
Looks like it is taking the user who has done kinit on ambari server. How do we have multiple users kinit in same node?
If we integrate Ambari with AD - will this problem be solved?
Thanks,
Avijeet
Created 09-25-2016 07:14 PM
Hello @Avijeet Dash,
> How does ambari views work? Does it kinit for the user who has logged in?

Once Kerberos is enabled for Hadoop services, any client connecting to these services needs to carry a Kerberos ticket (TGT). Since Ambari views are actually clients, they'd also need a Kerberos ticket. And because Ambari doesn't (yet) accept Kerberos user login, there is no ticket available with the logged-in user. Therefore, we need to "setup Ambari Server for Kerberos", so that Ambari server can acquire a Kerberos ticket upon startup. The Ambari views (not all views though) use this Kerberos ticket to connect to a Kerberized Hadoop service.

> If we integrate Ambari with AD - will this problem be solved?

Yes, that's correct and will solve this issue.

> How do we have multiple users kinit in same node?

The Kerberos tickets acquired by running kinit are stored in a credential cache file named after the user's UID (e.g. /tmp/krb5cc_501). Thus, by default, multiple users can log in and have their own tickets without any conflict. Alternatively, one can override the default credential cache location by exporting an environment variable KRB5_CCNAME=<path-to-cc-file>. In this case, the onus of conflict resolution will be upon the system admin.
Hope this helps.
Created 09-29-2016 07:10 AM
I set up ambari-server for AD; it synced all users/groups fine.
However, the Ambari Hive views are not enforcing Ranger Hive policies as expected.
I have a policy to give access to a table to a group.
However, the other users are also able to see/query those tables.
Please suggest.
Thanks,
Avijeet
Created 10-01-2016 10:19 AM
Hi @Avijeet Dash, a couple of things to question:
1. Is user-based policy working for the Hive view?
2. If only group policy is not working, then the user's group membership resolution needs to be checked. Can Ranger & HiveServer2 (in that order) resolve which groups a user belongs to?
3. Hadoop services generally depend on the operating system's ability to resolve user/group membership. Have you configured your system to resolve AD user/group information?
Created 10-03-2016 07:16 AM
It doesn't work for users as well. Only for user 'ambari-server' it works. So I believe the SPNEGO browser login has to be enabled for other users to work. Is there a workaround for this SPNEGO browser login?
Thanks,
Avijeet
Created 10-03-2016 07:24 AM
Hello @Avijeet Dash,
If Hive view is not working even for AD users, then we'd like to see a screenshot of the Hive view configuration from Ambari. Please attach the same and we'll review the configuration. Thanks.
Created on 10-03-2016 08:02 AM - edited 08-18-2019 04:33 AM
@Vipin Rathor, please find it below. Let me know if more info is required.
Created 10-03-2016 10:01 AM
Hello @Avijeet Dash,
Can you please change the value of 'Hive authentication' to this:
auth=KERBEROS;principal=hive/_HOST@HCLBASIT.local;hive.server2.proxy.user=${username}
Save the changes and let us know if view is working now for users 'hr1', 'legal1' and 'mktg1'.
Hope this helps.
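The value in the reply above carries hive.server2.proxy.user=${username} in the view's Hive authentication string. As an added example (not part of the original thread and not Ambari's own code), this Python check parses such a string and flags a missing or hard-coded proxy user; the function names and the two comparison strings are constructed for illustration.

```python
PROXY_KEY = "hive.server2.proxy.user"
USER_TOKEN = "${username}"  # placeholder used in the setting quoted in the thread


def parse_hive_auth(value):
    """Split a 'key=value;key=value' Hive authentication string into a dict."""
    params = {}
    for segment in value.split(";"):
        segment = segment.strip()
        if not segment:
            continue  # tolerate a trailing ';'
        key, sep, val = segment.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed segment {segment!r}")
        params[key.strip()] = val.strip()
    return params


def audit_hive_auth(value):
    """Return a list of findings; an empty list means the checks passed."""
    try:
        params = parse_hive_auth(value)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if params.get("auth", "").upper() != "KERBEROS":
        findings.append("auth is not KERBEROS")
    principal = params.get("principal", "")
    if "/" not in principal or "@" not in principal:
        findings.append("principal is not of the form service/host@REALM")
    proxy = params.get(PROXY_KEY)
    if proxy is None:
        findings.append(f"{PROXY_KEY} is not set, so the logged-in user is never passed to HiveServer2")
    elif proxy != USER_TOKEN:
        findings.append(f"{PROXY_KEY} is fixed to {proxy!r}, so all view users share one identity")
    return findings


# Value quoted in the thread, plus two constructed variants for comparison.
FROM_THREAD = "auth=KERBEROS;principal=hive/_HOST@HCLBASIT.local;hive.server2.proxy.user=${username}"
NO_PROXY = "auth=KERBEROS;principal=hive/_HOST@EXAMPLE.LOCAL"  # constructed
FIXED_PROXY = NO_PROXY + ";hive.server2.proxy.user=hr1"  # constructed

if __name__ == "__main__":
    for label, value in [("thread", FROM_THREAD), ("no proxy", NO_PROXY), ("fixed proxy", FIXED_PROXY)]:
        print(label, "->", audit_hive_auth(value) or "OK")
```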
Created 10-03-2016 10:11 AM
It worked. Thanks a lot for the prompt help.