Cannot run "keytrustee-orgtool list"
Expert Contributor

sudo keytrustee-orgtool list
(sudo) Password on xxxx:
Dropped privileges to www-data
Traceback (most recent call last):
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/bin/../bin/keytrustee-orgtool", line 7, in <module>
__import__('pkg_resources').run_script('keytrustee==6.1.0', 'keytrustee-orgtool')
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/pkg_resources/__init__.py", line 748, in run_script
self.require(requires)[0].run_script(script_name, ns)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1517, in run_script
exec(code, namespace, namespace)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/EGG-INFO/scripts/keytrustee-orgtool", line 59, in <module>
main()
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/EGG-INFO/scripts/keytrustee-orgtool", line 34, in main
org = orgtool.OrgTool(options.CONFDIR)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/keytrustee/server/orgtool.py", line 40, in __init__
BaseServer.__init__(self, confdir)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/keytrustee/server/flaskapp.py", line 30, in __init__
Context.__init__(self, confdir)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/keytrustee/context.py", line 115, in __init__
config = self.new_config(confdir, **config_kwargs)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/keytrustee/server/flaskapp.py", line 42, in new_config
return ServerConfig(*args, **kwargs)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/keytrustee/config.py", line 40, in __init__
self.load_config(initial_config, create)
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/keytrustee/config.py", line 129, in load_config
self.save_config()
File "/it/sfw/cloudera/parcels/KEYTRUSTEE_SERVER-6.1.0-1.keytrustee6.1.0.p0.592761/lib/python2.7/site-packages/keytrustee-6.1.0-py2.7.egg/keytrustee/config.py", line 151, in save_config
with closing(open(self.conffile, "w")) as f:
IOError: [Errno 13] Permission denied: '/var/lib/keytrustee/.keytrustee/keytrustee.conf'
$ Connection reset by 10.120.xxx.xxx

Re: Cannot run "keytrustee-orgtool list"

Expert Contributor

What is the ownership and permission set on /var/lib/keytrustee/.keytrustee/keytrustee.conf?

The default permission expected is 600.

ls -al /var/lib/keytrustee/.keytrustee/keytrustee.conf
-rw------- 1 keytrustee keytrustee 589 Jan 17 02:25 /var/lib/keytrustee/.keytrustee/keytrustee.conf

Please correct them if they are wrong. If you do see the right permissions, check whether the parent directories have the right permissions too.

namei -l /var/lib/keytrustee/.keytrustee/keytrustee.conf
f: /var/lib/keytrustee/.keytrustee/keytrustee.conf
dr-xr-xr-x root       root       /
drwxr-xr-x root       root       var
drwxr-xr-x root       root       lib
drwxr-xr-x keytrustee keytrustee keytrustee
drwx------ keytrustee keytrustee .keytrustee
-rw------- keytrustee keytrustee keytrustee.conf

If the above is also good, then check whether the "id keytrustee" results match the ids set on the directories.

Example:

ls -ln /var/lib/keytrustee/.keytrustee/keytrustee.conf
-rw------- 1 478 476 589 Jan 17 02:25 /var/lib/keytrustee/.keytrustee/keytrustee.conf

[root ~]# id keytrustee
uid=478(keytrustee) gid=476(keytrustee) groups=476(keytrustee)
Re: Cannot run "keytrustee-orgtool list"

Expert Contributor

Everything is exactly what you described. Permissions are correct.

FYI, I am running this command on the primary KTS.

[desind@PrimaryktsServe ~]$ sudo ls -l /var/lib/keytrustee/.keytrustee/keytrustee.conf
-rw------- 1 keytrustee keytrustee 451 Feb 19 12:53 /var/lib/keytrustee/.keytrustee/keytrustee.conf
[desind@PrimaryktsServer~]$ sudo namei -l /var/lib/keytrustee/.keytrustee/keytrustee.conf
f: /var/lib/keytrustee/.keytrustee/keytrustee.conf
dr-xr-xr-x root root /
drwxr-xr-x root root var
drwxr-xr-x root root lib
drwxr-xr-x keytrustee keytrustee keytrustee
drwx------ keytrustee keytrustee .keytrustee
-rw------- keytrustee keytrustee keytrustee.conf

[desind@PrimaryktsServer~]$ sudo ls -ln /var/lib/keytrustee/.keytrustee/keytrustee.conf
-rw------- 1 985 970 451 Feb 19 12:53 /var/lib/keytrustee/.keytrustee/keytrustee.conf


[desind@PrimaryktsServer ~]$ id keytrustee
uid=985(keytrustee) gid=970(keytrustee) groups=970(keytrustee)
I also restarted the active KTS server.

The cluster is kerberized, so I ensured I have an active ticket.

My CDH version is 6.3.2. I am not sure if there are known issues here.

Re: Cannot run "keytrustee-orgtool list"

Expert Contributor

When I run the command as sudo, I don't know why it says this:

"Dropped privileges to www-data"

Not sure why it's dropping privileges.

Re: Cannot run "keytrustee-orgtool list"

Expert Contributor

Upon checking the code, I see the script switches to the www-data user if it exists; however, the configuration files don't have permissions that allow access to it. When I deliberately create that user (www-data), I hit the same error. Can you delete the user www-data and then retry the command?

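Added example, not code from the thread or from Cloudera's keytrustee tool: a small Python model of the Unix permission check the traceback is hitting. It replays the namei -l chain posted above for root, for keytrustee (ids 985/970 as shown by "id keytrustee"), and for an assumed www-data user (ids 33/33 are an assumption), and reports the first path component that denies access once the tool has dropped privileges.

```python
import os
from collections import namedtuple

# Constructed stand-in for an os.stat() result; nothing here touches the real filesystem.
Entry = namedtuple("Entry", "mode uid gid")

# Numeric ids 985/970 are what `id keytrustee` returned in the thread;
# 33/33 for www-data is an assumed value, not taken from the thread.
KEYTRUSTEE_UID, KEYTRUSTEE_GID = 985, 970
WWW_DATA_UID, WWW_DATA_GID = 33, 33
CONF = "/var/lib/keytrustee/.keytrustee/keytrustee.conf"

# Constructed tree mirroring the `namei -l` output posted above (mode bits only).
TREE = {
    "/": Entry(0o555, 0, 0),
    "/var": Entry(0o755, 0, 0),
    "/var/lib": Entry(0o755, 0, 0),
    "/var/lib/keytrustee": Entry(0o755, KEYTRUSTEE_UID, KEYTRUSTEE_GID),
    "/var/lib/keytrustee/.keytrustee": Entry(0o700, KEYTRUSTEE_UID, KEYTRUSTEE_GID),
    CONF: Entry(0o600, KEYTRUSTEE_UID, KEYTRUSTEE_GID),
}

def _permitted(entry, uid, gids, want):
    """Owner/group/other DAC check; uid 0 bypasses mode bits, which is why
    the same open() succeeds before the tool drops privileges."""
    if uid == 0:
        return True
    if uid == entry.uid:
        bits = (entry.mode >> 6) & 0o7
    elif entry.gid in gids:
        bits = (entry.mode >> 3) & 0o7
    else:
        bits = entry.mode & 0o7
    return bits & want == want

def explain_access(path, uid, gids, want=os.W_OK, tree=TREE):
    """Walk the path like namei: each directory needs search (x); the final
    entry needs `want` (W_OK, because save_config opens the file with "w").
    Returns (True, None) or (False, first component that denies access)."""
    parts = [p for p in path.split("/") if p]
    dirs = ["/"] + [os.path.join("/", *parts[:i + 1]) for i in range(len(parts) - 1)]
    for d in dirs:
        if not _permitted(tree[d], uid, gids, os.X_OK):
            return False, d
    if not _permitted(tree[path], uid, gids, want):
        return False, path
    return True, None
```

Running it for the www-data ids shows the denial lands on the 0700 .keytrustee directory, before the 0600 config file is even reached, which matches the EACCES in the traceback.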