Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Error: Attempted to add a rule for a principal with no realm: ambari-qa

Solved Go to solution

Error: Attempted to add a rule for a principal with no realm: ambari-qa

I am trying to enable Kerberos on an HDP 2.3.2 Sandbox using FreeIPA on a standalone VM. After stopping all of the HDP services the Kerberos wizard has a "prepare" task and that task is failing with this error message:

13 Jan 2016 04:56:25,610  WARN [Server Action Executor Worker 495] ServerActionExecutor:479 - Task #495 failed to complete execution due to thrown exception: java.lang.IllegalArgumentException:Attempted to add a rule for a principal with no realm: ambari-qa
java.lang.IllegalArgumentException: Attempted to add a rule for a principal with no realm: ambari-qa
        at org.apache.ambari.server.controller.AuthToLocalBuilder.addRule(AuthToLocalBuilder.java:147)
        at org.apache.ambari.server.controller.KerberosHelperImpl.addIdentities(KerberosHelperImpl.java:1671)
        at org.apache.ambari.server.controller.KerberosHelperImpl.setAuthToLocalRules(KerberosHelperImpl.java:403)
        at org.apache.ambari.server.serveraction.kerberos.PrepareKerberosIdentitiesServerAction.processAuthToLocalRules(PrepareKerberosIdentitiesServerAction.java:177)
        at org.apache.ambari.server.serveraction.kerberos.PrepareEnableKerberosServerAction.execute(PrepareEnableKerberosServerAction.java:82)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:537)
        at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:474)
        at java.lang.Thread.run(Thread.java:745)

ambari-qa was not mentioned in the CSV file that the wizard generated, but after seeing the above error I created a service for it, but I'm still getting the same error.

Added service "ambari-qa/sandbox.hortonworks.com@HORTONWORKS.COM"
-----------------------------------------------------------------
  Principal: ambari-qa/sandbox.hortonworks.com@HORTONWORKS.COM
  Managed by: sandbox.hortonworks.com

What does the error message mean and what can I do to resolve it?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Error: Attempted to add a rule for a principal with no realm: ambari-qa

It seems like something may be wrong with the Kerberos Descriptor. Did you edit any of the principal names on the Configure Identities page of the Enable Kerberos Wizard or did you not set the realm name on the Configure Kerberos page of the Enable Kerberos Wizard?

Can you post or attach the response to

http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor 
  • Replacing AMBARI_SERVER with the hostname of your Ambari server
  • Replace CLUSTER_NAME with the name of your cluster

View solution in original post

4 REPLIES 4
Highlighted

Re: Error: Attempted to add a rule for a principal with no realm: ambari-qa

It seems like something may be wrong with the Kerberos Descriptor. Did you edit any of the principal names on the Configure Identities page of the Enable Kerberos Wizard or did you not set the realm name on the Configure Kerberos page of the Enable Kerberos Wizard?

Can you post or attach the response to

http://AMBARI_SERVER:8080/api/v1/clusters/CLUSTER_NAME/artifacts/kerberos_descriptor 
  • Replacing AMBARI_SERVER with the hostname of your Ambari server
  • Replace CLUSTER_NAME with the name of your cluster

View solution in original post

Highlighted

Re: Error: Attempted to add a rule for a principal with no realm: ambari-qa

Yes, I changed the identities as specified here. Realm was filled in during the first step of the Enable Kerberos Wizard.

The output of from the URL is very long, so I won't post it here. There is no mention of ambari-qa, and realm is a filled in property. Is there anything specific that I should investigate?

Highlighted

Re: Error: Attempted to add a rule for a principal with no realm: ambari-qa

Your issue is with the smoke user principal, on line 29 of the Kerberos Descriptor you posted:

  "value" : "${cluster-env/smokeuser}",

It should be:

  "value" : "${cluster-env/smokeuser}@${realm}",
Highlighted

Re: Error: Attempted to add a rule for a principal with no realm: ambari-qa

That worked!

Don't have an account?
Coming from Hortonworks? Activate your account here