Support Questions
Find answers, ask questions, and share your expertise

Error after enabling kerberos in CDH cluster

Solved Go to solution
Highlighted

Error after enabling kerberos in CDH cluster

I can't open /run/cloudera-scm-agent/process/256-yarn-NODEMANAGER/container-executor.cfg: Permission denied.
+ perl -pi -e 's#{{CGROUP_GROUP_CPU}}##g' /run/cloudera-scm-agent/process/256-yarn-NODEMANAGER/yarn-site.xml

I am getting this error after enabling Kerberos in CDH cluster, HDFS  and yarn are not able to start. After checking the yarn Node Manager logs I see the below error.

 yarn nodemanager logs:
: org.apache.hadoop.yarn.exceptions.YarnRuntimeException: org.apache.hadoop.security.authorize.AuthorizationException: : User: cloudera@CLUSTERIE.LOCAL is not allowed to impersonate yarn/ip-10-0-xxxxx@xyz.com

Any suggestion why am I getting this error, when I disable the Kerberos everything works well. Please assist as the severity of this is very high.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Error after enabling kerberos in CDH cluster

Master Collaborator

@HanzalaShaikh You are most probably hitting a known bug with Java recent versions (OpenJDK 1.8u242 or JDK 11.0.6). TSB-394. 

 

To resolve this issue, take the following action on all impacted nodes solved as appropriate for the environment.

  1. Edit java.security file located in the active JDK on the clusters.
  2. Add or alter sun.security.krb5.disableReferrals parameter, to ensure that the following is set to true:
    sun.security.krb5.disableReferrals=true

Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

2 REPLIES 2
Highlighted

Re: Error after enabling kerberos in CDH cluster

Master Collaborator

@HanzalaShaikh You are most probably hitting a known bug with Java recent versions (OpenJDK 1.8u242 or JDK 11.0.6). TSB-394. 

 

To resolve this issue, take the following action on all impacted nodes solved as appropriate for the environment.

  1. Edit java.security file located in the active JDK on the clusters.
  2. Add or alter sun.security.krb5.disableReferrals parameter, to ensure that the following is set to true:
    sun.security.krb5.disableReferrals=true

Cheers!
Was your question answered? Make sure to mark the answer as the accepted solution.
If you find a reply useful, say thanks by clicking on the thumbs up button.

View solution in original post

Highlighted

Re: Error after enabling kerberos in CDH cluster

Thanks a lot, @GangWar . You are absolutely correct I was using OpenJDK instead of Oracle JDK. I thought there is a bug in this but I didn't have any clue how to fix this but after making changes as per your suggestion it worked. Thanks a lot. I am accepting it as a solution.

Don't have an account?