
Hive View + Kerberos error: User: ambari-server is not allowed to impersonate admin

Hello, all!

Environment:

RHEL 7.3, HDP 2.6, Kerberos, ActiveDirectory

Hive view error:

Message: Cannot open a hive connection with connect string jdbc:hive2://nn1:2181,nn2:2181,dn1:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;transportMode=binary;hive.server2.proxy.user=admin

And deep in logs:

Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User: ambari-server is not allowed to impersonate admin

Following settings already in place in core-site.xml

hadoop.proxyuser.ambari-server.groups=*
hadoop.proxyuser.ambari-server.hosts=*
hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*

Super Mentor

@Nikita Kiselev

In a kerberized environment we should use the ambari server kerberos principal name in the hadoop.proxyuser property, something like:

hadoop.proxyuser.$AMBARI_PRINCIPAL.groups=*
hadoop.proxyuser.$AMBARI_PRINCIPAL.hosts=*


So you will need to check whether your ambari server principal is correctly set there.

You can find the ambari-server principal name inside the following file: "/etc/ambari-server/conf/krb5JAASLogin.conf"

Example:

# cat /etc/ambari-server/conf/krb5JAASLogin.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/ambari.server.keytab"
    principal="ambari-server-kerberos_ambari@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false;
};


In the above example the principal name for ambari server is "ambari-server-kerberos_ambari" so the proxy user property should be:

hadoop.proxyuser.ambari-server-kerberos_ambari.groups=*
hadoop.proxyuser.ambari-server-kerberos_ambari.hosts=*


@Jay Kumar SenSharma

I have following settings

# cat /etc/ambari-server/conf/krb5JAASLogin.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/ambari.server.keytab"
    principal="ambari-server/JounralNode@REALM"
    storeKey=true
    useTicketCache=false;
};

Principal name is ambari-server/JounralNode@REALM. /JounralNode has been added as a requirement from the AD admins to create the Principal.

So I have to set up

hadoop.proxyuser.ambari-server/JounralNode.groups=*
hadoop.proxyuser.ambari-server/JounralNode.hosts=*

But it is not possible

@Aditya Sirna

Added hadoop.proxyuser.ambari-server.users=* into the custom core-site section. Restarted both the cluster and Ambari, no effect.

Also in HDFS View I have error

java.lang.IllegalArgumentException: Invalid value: "ambari-server/JournalNode" does not belong to the domain ^[A-Za-z_][A-Za-z0-9._-]*[$]?$

Super Mentor

@Nikita Kiselev

I see that you are using the Ambari-server principal name "ambari-server/JounralNode@REALM", which does not look valid.

From Ambari 2.5 onwards, when we kerberize a cluster, the wizard itself creates the ambari principal name including the cluster name, something like the following:

Assuming your ambari-server cluster name is "test_cluster" (and realm name "EXAMPLE.COM"), then the auto-generated principal name should be something like the following:

ambari-server-test_cluster@EXAMPLE.COM


But in your case it looks like you are managing the ambari-server principal name on your own (which is fine), but the principal name that you have specified is not correct. So if you are managing the principal name for ambari, then please change it to something more meaningful and simple so that it will not cause any violation of principal naming.

Can you please also share the output of the following command and verify whether that principal exists on your AD (KDC server)?

# klist -kte /etc/security/keytabs/ambari.server.keytab


@Jay Kumar SenSharma

Here it is. Yep, there was an advised principal like ambari-server-ClusterName@REALM, but our AD has a strict rule that a Principal should be in the format <service-name>/<host>@<realm>, so I modified it to meet the requirements. So is there anything that I can do with this Principal (assume that I can't change it to ambari-server-ClusterName@REALM)?

klist -kte /etc/security/keytabs/ambari.server.keytab
Keytab name: FILE:/etc/security/keytabs/ambari.server.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 01/01/1970 03:00:00 ambari-server/ClusterName@REALM (des-cbc-crc)
   0 01/01/1970 03:00:00 ambari-server/ClusterName@REALM (des-cbc-md5)
   0 01/01/1970 03:00:00 ambari-server/ClusterName@REALM (arcfour-hmac)
   0 01/01/1970 03:00:00 ambari-server/ClusterName@REALM (aes256-cts-hmac-sha1-96)
   0 01/01/1970 03:00:00 ambari-server/ClusterName@REALM (aes128-cts-hmac-sha1-96)


Super Mentor

@Nikita Kiselev


As you mentioned that you must use the principal name in the <service-name>/<host>@<realm> format only, in that case I would suggest taking a look at the "hadoop.security.auth_to_local" property syntax and changing it accordingly to match your requirement.

Ambari UI --> HDFS --> Configs (Tab) --> Advanced --> "Advanced core-site" --> "hadoop.security.auth_to_local" 


Also please refer to the following article to know more about those syntax: https://community.hortonworks.com/articles/14463/auth-to-local-rules-syntax.html

@Jay Kumar SenSharma

Hello, I added the following line to auth_to_local

RULE:[2:$1@$0](ambari-server@REALM)s/.*/ambari-server/

Still the same errors

Caused by: org.apache.hive.service.cli.HiveSQLException: Failed to validate proxy privilege of ambari-server for admin
....
....
Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User: ambari-server is not allowed to impersonate admin
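An added example, not code from this thread and not Hadoop's own code: a small Python re-implementation of the two checks behind the error above, the hadoop.security.auth_to_local short-name mapping (modelled on Hadoop 2.x KerberosName) and the hadoop.proxyuser impersonation ACL (modelled on DefaultImpersonationProvider), so the thread's principal, rule and core-site values can be exercised offline. It assumes REALM is the cluster's default realm; the client address and the group mapping are constructed.

```python
"""Added example (not from the thread, not Hadoop's code): re-implements
auth_to_local short-name mapping and the hadoop.proxyuser check, modelled
on Hadoop 2.x KerberosName and DefaultImpersonationProvider, to exercise
the thread's principal and core-site values offline.
"""
import re

DEFAULT_REALM = "REALM"  # constructed: the posts redact the real realm

# Rule grammar: DEFAULT | RULE:[n:format](regex)s/from/to/g/L  (regex, sed, g, /L optional)
_RULE = re.compile(
    r"^\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?"
    r"(?:s/([^/]*)/([^/]*)/(g)?)?(/L)?)\s*$"
)
_NON_SIMPLE = re.compile(r"[/@]")  # a short name may contain neither


class NoMatchingRule(Exception):
    pass


class AuthorizationException(Exception):
    pass


def _expand(fmt, params):
    """Replace $0 (realm), $1 (first component), $2 (second) in a rule format."""
    return re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], fmt)


def short_name(principal, rules, default_realm=DEFAULT_REALM):
    """Return the local user name for `principal`, applying `rules` in order."""
    name, _, realm = principal.partition("@")
    components = name.split("/")
    if len(components) > 2:  # Hadoop accepts at most service/host@REALM
        raise ValueError("Malformed Kerberos name: " + principal)
    params = [realm] + components  # $0 = realm, $1, $2 = components
    for rule in rules:
        m = _RULE.match(rule)
        if not m:
            raise ValueError("bad auth_to_local rule: %r" % rule)
        is_default, ncomp, fmt, match, frm, to, repeat, lower = m.groups()
        result = None
        if is_default:
            # DEFAULT: first component, for principals in the default realm only
            # (Hadoop 2.x behaviour; it does not look at the component count).
            if realm == default_realm:
                result = components[0]
        elif int(ncomp) == len(components):
            base = _expand(fmt, params)
            # The (regex) must match the whole expanded string, like Java matches().
            if match is None or re.fullmatch(match, base):
                if frm is None:
                    result = base
                else:
                    # Java writes back-references in `to` as $1, Python as \1;
                    # rules relying on them need that translated.
                    result = re.sub(frm, to, base, count=0 if repeat else 1)
        if result is not None:
            if _NON_SIMPLE.search(result):
                raise NoMatchingRule("Non-simple name %r after rule %r" % (result, rule))
            return result.lower() if lower else result
    raise NoMatchingRule("No rules applied to " + principal)


def _csv(conf, key):
    return {v.strip() for v in conf.get(key, "").split(",") if v.strip()}


def authorize_proxy(conf, real_principal, proxied_user, remote_addr, groups_of):
    """Raise AuthorizationException unless `real_principal` may act as `proxied_user`.

    conf: core-site.xml properties as a dict (auth_to_local rules whitespace-separated)
    groups_of: callable user -> set of group names (Hadoop asks its group mapping)
    """
    rules = conf.get("hadoop.security.auth_to_local", "DEFAULT").split()
    real_user = short_name(real_principal, rules)
    prefix = "hadoop.proxyuser.%s." % real_user  # keyed by the SHORT name
    users, groups, hosts = (_csv(conf, prefix + k) for k in ("users", "groups", "hosts"))
    # AccessControlList semantics: "*" in either list allows every user.
    allowed = ("*" in users or "*" in groups or proxied_user in users
               or bool(groups & groups_of(proxied_user)))
    if not allowed:
        raise AuthorizationException(
            "User: %s is not allowed to impersonate %s" % (real_user, proxied_user))
    # MachineList: "*" or an explicit host list (CIDR ranges not modelled here).
    if "*" not in hosts and remote_addr not in hosts:
        raise AuthorizationException(
            "Unauthorized connection for super-user: %s from IP %s" % (real_user, remote_addr))
    return real_user


def demo():
    """The thread's principal, rule and proxyuser settings, with a constructed client."""
    core_site = {
        "hadoop.security.auth_to_local":
            "RULE:[2:$1@$0](ambari-server@REALM)s/.*/ambari-server/ DEFAULT",
        "hadoop.proxyuser.ambari-server.groups": "*",
        "hadoop.proxyuser.ambari-server.hosts": "*",
    }
    groups = {"admin": {"hadoop"}}  # constructed group mapping
    return authorize_proxy(core_site, "ambari-server/ClusterName@REALM", "admin",
                           "10.0.0.5", lambda u: groups.get(u, set()))


if __name__ == "__main__":
    print(demo())
```

Under these rules the keytab principal ambari-server/ClusterName@REALM already maps to the short name ambari-server (the name the exception reports; with REALM as default realm the DEFAULT rule alone gives the same result), the proxyuser keys are looked up by that short name (which is why a key containing "/" can never match), and the check passes with hadoop.proxyuser.ambari-server.groups=* and hosts=*. HiveServer2's "Failed to validate proxy privilege" comes from its own evaluation of this same check against the core-site.xml that process loaded at start-up, so the values to verify are the ones in effect inside that process.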