Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Disabling Kerberos

Solved Go to solution

Disabling Kerberos

Contributor

Hi all,

 
We have a Kerberized cluster,but at the moment we would disable it.
 
How is it possible ?
 
I performed the following steps:
  • Zookeeper -> enableSecurity (Enable Kerberos Authentication)-> false
  • HDFS -> hadoop.security.authentication -> Simple
  • HDFS -> hadoop.security.authorization -> false
  • HDFS -> dfs.datanode.address -> from 1004 (for Kerberos) to 50010 (default)
  • HDFS -> dfs.datanode.http.address  -> from 1006 (for Kerberos) to 50075 (default)
  • HDFS -> Data Directory Permissions -> from 700 to 755
  • HBASE -> hbase.security.authentication -> Simple
  • HBASE -> hbase.security.authorization -> false
 
But when I start the cluster I have problems on Hue and Solr
 
Hue: It seems that Kerberos is still configured for Hue 
        -> The Kerberos Ticket Renewer is not running. How can i disable it? 
        ->  Impala e Oozie don't run from Hue
 
 
Solr:  
Caused by: java.io.IOException: Failed on local exception: java.io.IOException: Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.;
 
 
I noticed that Hue and Solr run in secure mode. How can I disable them ?
 
Thanks
Alessio
 

 

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Disabling Kerberos

Super Collaborator

You would work your way back through the security guide discussion on enabling kerberos:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-latest/Configuring-Had...

 

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

Todd

15 REPLIES 15

Re: Disabling Kerberos

Expert Contributor
Just like other services. Pls look carefully ,you will find the botton. I have done this many times.

Re: Disabling Kerberos

Expert Contributor
Don't forget redeploy client. It's important

Re: Disabling Kerberos

Contributor

Hi, 

 

I didn't find the button on CDH 5.1.2 but i removed the Kerberos Ticket Renewer and redeployed client.

 

I missed this for Solr

 

SOLR -> Solr Secure Authentication -> Simple

 

 

Thanks 

Re: Disabling Kerberos

Super Collaborator

You would work your way back through the security guide discussion on enabling kerberos:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-latest/Configuring-Had...

 

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

Todd

Re: Disabling Kerberos

Contributor

Thanks,

 

I followed the instructions in reverse order, present on the link.

 

When I disabled Kerberos, I had the two Namenodes (HA) both in stand-by state and I removed manually entries in Zookeeper.

 

 

Now it works!!!

 

Thanks

Alessio

Re: Disabling Kerberos

Contributor

Hi,

 

 

I have another question about this.

 

when you said :

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

The same problem can be present for Yarn (HA).

I tried to find the 'yarn.resourcemanager.zk-auth' in the yarn-site.xml (/var/run/cloudera-scm-agent/process) in order to auth with Zookeper and remove the ACL statement but is not present this parameter.

 

I searched it into all folders XXX-yarn-RESOURCEMANAGER (also in the most recent) but I cannot find it

 

How can i solve this? At the moment I have Yarn not in HA and when I try to enable the HA, both ResourceManagers stay in Stand-by

 

Thanks

Alessio

Highlighted

Re: Disabling Kerberos

Contributor

Solved !!! 

 

Thanks

Alessio

Re: Disabling Kerberos

New Contributor

How so? i have the same problem!   Both my Yarn HA services went into standby.

Re: Disabling Kerberos

New Contributor
Looking for how you removed it from zk..
Don't have an account?
Coming from Hortonworks? Activate your account here