Support Questions

Find answers, ask questions, and share your expertise

Disabling Kerberos

avatar
Rising Star

Hi all,

 
We have a Kerberized cluster,but at the moment we would disable it.
 
How is it possible ?
 
I performed the following steps:
  • Zookeeper -> enableSecurity (Enable Kerberos Authentication)-> false
  • HDFS -> hadoop.security.authentication -> Simple
  • HDFS -> hadoop.security.authorization -> false
  • HDFS -> dfs.datanode.address -> from 1004 (for Kerberos) to 50010 (default)
  • HDFS -> dfs.datanode.http.address  -> from 1006 (for Kerberos) to 50075 (default)
  • HDFS -> Data Directory Permissions -> from 700 to 755
  • HBASE -> hbase.security.authentication -> Simple
  • HBASE -> hbase.security.authorization -> false
 
But when I start the cluster I have problems on Hue and Solr
 
Hue: It seems that Kerberos is still configured for Hue 
        -> The Kerberos Ticket Renewer is not running. How can i disable it? 
        ->  Impala e Oozie don't run from Hue
 
 
Solr:  
Caused by: java.io.IOException: Failed on local exception: java.io.IOException: Server asks us to fall back to SIMPLE auth, but this client is configured to only allow secure connections.;
 
 
I noticed that Hue and Solr run in secure mode. How can I disable them ?
 
Thanks
Alessio
 

 

1 ACCEPTED SOLUTION

avatar
Master Collaborator

You would work your way back through the security guide discussion on enabling kerberos:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-latest/Configuring-Had...

 

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

Todd

View solution in original post

15 REPLIES 15

avatar
Expert Contributor
Just like other services. Pls look carefully ,you will find the botton. I have done this many times.

avatar
Expert Contributor
Don't forget redeploy client. It's important

avatar
Rising Star

Hi, 

 

I didn't find the button on CDH 5.1.2 but i removed the Kerberos Ticket Renewer and redeployed client.

 

I missed this for Solr

 

SOLR -> Solr Secure Authentication -> Simple

 

 

Thanks 

avatar
Master Collaborator

You would work your way back through the security guide discussion on enabling kerberos:

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-latest/Configuring-Had...

 

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

Todd

avatar
Rising Star

Thanks,

 

I followed the instructions in reverse order, present on the link.

 

When I disabled Kerberos, I had the two Namenodes (HA) both in stand-by state and I removed manually entries in Zookeeper.

 

 

Now it works!!!

 

Thanks

Alessio

avatar
Rising Star

Hi,

 

 

I have another question about this.

 

when you said :

Note that if HBASE, or NN HA or JT HA was configured after enabling security, the cleanup can be difficult, the Znode paths within zookeeper might require manual removal of the ACL statements.

 

The same problem can be present for Yarn (HA).

I tried to find the 'yarn.resourcemanager.zk-auth' in the yarn-site.xml (/var/run/cloudera-scm-agent/process) in order to auth with Zookeper and remove the ACL statement but is not present this parameter.

 

I searched it into all folders XXX-yarn-RESOURCEMANAGER (also in the most recent) but I cannot find it

 

How can i solve this? At the moment I have Yarn not in HA and when I try to enable the HA, both ResourceManagers stay in Stand-by

 

Thanks

Alessio

avatar
Rising Star

Solved !!! 

 

Thanks

Alessio

avatar
New Contributor

How so? i have the same problem!   Both my Yarn HA services went into standby.

avatar
New Contributor
Looking for how you removed it from zk..