Support Questions
Find answers, ask questions, and share your expertise

Cannot remove ${principal_suffix} from Ambari Smoke User kerberos settings

Contributor

I am having issues with changing Kerberos settings in Ambari 2.5.1.0 and hoping someone can help.

The Kerberos principal for the Ambari Smoke User, is set incorrectly in the Ambari Web UI to ${cluster-env/smokeuser}${principal_suffix}@${realm}.

In the keytab the actual principal is named ${cluster-env/smokeuser}@${realm}.

I have tried both removing the ${principal_suffix} section in Ambari Smoke User principal and also setting the principal_suffix to blank. However once I save the edits and then refresh the page, the configuration is back.

Looking in developer tools in Chrome, when the save button is pressed I get a 404 response from the following page, but this isn't showing in Ambari and looks to the user like it worked correctly.

http://ambari-server:8082/api/v1/clusters/<<cluster_name>>/artifacts/kerberos_descriptor

2 REPLIES 2

Re: Cannot remove ${principal_suffix} from Ambari Smoke User kerberos settings

@Aaron Harris

Why do you think that the following principal specification is incorrect? It seems fine to me

${cluster-env/smokeuser}${principal_suffix}@${realm}

If you want to get rid of the principal suffix value, which is intended to help make the principal name unique in an environment where multiple Hadoop clusters share the same KDC, you should be able to just remove it from the principal name:

${cluster-env/smokeuser}@${realm}

Or remove the content next to the "Principal Suffix" property. However, I think the UI may not like it if that value is empty.

If you are having issues with either, you may have found a bug in Ambari. If so, maybe create a JIRA in https://issues.apache.org/jira. If I get a chance, I will see if I can reproduce your issue.

A potential way to work around this is to manually update the user-suppled Kerberos descriptor and then regenerate the keytab files. If you want to try this route, take a look at Updating the User-specified Kerberos Descriptor.

Re: Cannot remove ${principal_suffix} from Ambari Smoke User kerberos settings

How about mapping the Principal by adding the rule in HDFS.

Whatever the Principal can map the username.

RULE:[1:$1@$0](${cluster-env/smokeuser}${principal_suffix}@${realm})s/.*/${smokeuser}

Eg:

RULE:[1:$1@$0](ambari-qa-mksd1-dev-lly@CORP.GLOBAL)s/.*/ambari-qa/