Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Disabling Kerberos

avatar
author-rank Alessio
Rising Star

Created on ‎10-03-2014 03:06 AM - edited ‎09-16-2022 02:09 AM

Hi all,

 
We have a Kerberized cluster,but at the moment we would disable it.
 
How is it possible ?
 
I performed the following steps:
  • Zookeeper -> enableSecurity (Enable Kerberos Authentication)-> false
  • HDFS -> hadoop.security.authentication -> Simple
  • HDFS -> hadoop.security.authorization -> false
  • HDFS -> dfs.datanode.address -> from 1004 (for Kerberos) to 50010 (default)
  • HDFS -> dfs.datanode.http.address  -> from 1006 (for Kerberos) to 50075 (default)
  • HDFS -> Data Directory Permissions -> from 700 to 755
  • HBASE -> hbase.security.authentication -> Simple
  • HBASE -> hbase.security.authorization -> false
 
But when I start the cluster I have problems on Hue and Solr
 
Hue: It seems that Kerberos is still configured for Hue 
        -> The Kerberos Ticket Renewer is not running. How can i disable it? 
        ->  Impala e Oozie don't run from Hue
 
 
Solr:  
Caused by: java.io.IOException: Failed on local exception: java.io.IOException: Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.;
 
 
I noticed that Hue and Solr run in secure mode. How can I disable them ?
 
Thanks
Alessio
 

 

51,189 Views
1
1 ACCEPTED SOLUTION

avatar
author-rank Grizzly author-rank
Master Collaborator

Created ‎10-09-2014 10:54 AM

You would work your way back through the security guide discussion on enabling kerberos:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-latest/Configuring-Had...

 

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

Todd

View solution in original post

51,087 Views
2
15 REPLIES 15

avatar
author-rank iamfromsky
Expert Contributor

Created ‎10-03-2014 01:32 PM

Just like other services. Pls look carefully ,you will find the botton. I have done this many times.
48,980 Views
0 Kudos

avatar
author-rank iamfromsky
Expert Contributor

Created ‎10-03-2014 01:33 PM

Don't forget redeploy client. It's important
48,977 Views
0 Kudos

avatar
author-rank Alessio
Rising Star

Created ‎10-09-2014 01:46 AM

Hi, 

 

I didn't find the button on CDH 5.1.2 but i removed the Kerberos Ticket Renewer and redeployed client.

 

I missed this for Solr

 

SOLR -> Solr Secure Authentication -> Simple

 

 

Thanks 

48,950 Views
0 Kudos

avatar
author-rank Grizzly author-rank
Master Collaborator

Created ‎10-09-2014 10:54 AM

You would work your way back through the security guide discussion on enabling kerberos:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-latest/Configuring-Had...

 

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

Todd

51,088 Views
2

avatar
author-rank Alessio
Rising Star

Created ‎10-10-2014 01:58 AM

Thanks,

 

I followed the instructions in reverse order, present on the link.

 

When I disabled Kerberos, I had the two Namenodes (HA) both in stand-by state and I removed manually entries in Zookeeper.

 

 

Now it works!!!

 

Thanks

Alessio

48,943 Views
0 Kudos

avatar
author-rank Alessio
Rising Star

Created ‎10-20-2014 02:23 AM

Hi,

 

 

I have another question about this.

 

when you said :

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

The same problem can be present for Yarn (HA).

I tried to find the 'yarn.resourcemanager.zk-auth' in the yarn-site.xml (/var/run/cloudera-scm-agent/process) in order to auth with Zookeper and remove the ACL statement but is not present this parameter.

 

I searched it into all folders XXX-yarn-RESOURCEMANAGER (also in the most recent) but I cannot find it

 

How can i solve this? At the moment I have Yarn not in HA and when I try to enable the HA, both ResourceManagers stay in Stand-by

 

Thanks

Alessio

48,919 Views

avatar
author-rank Alessio
Rising Star

Created ‎02-23-2015 08:04 AM

Solved !!! 

 

Thanks

Alessio

48,591 Views
0 Kudos

avatar
author-rank Bobby Perry
New Contributor

Created ‎03-18-2015 07:47 AM

How so? i have the same problem!   Both my Yarn HA services went into standby.

48,441 Views
0 Kudos

avatar
author-rank Bobby Perry
New Contributor

Created ‎03-18-2015 08:48 AM

Looking for how you removed it from zk..
48,438 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements