Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

How to SetACL or disable ACL check ( temporarily ) on zookeeper in Kerberized cluster

Labels:
avatar
author-rank sriramhadoop27
Contributor

Created ‎05-16-2018 02:09 AM

Hi

Storm job is failing with below exception:

:cause KeeperErrorCode = NoAuth for /credentials/rrtd-topology-1-1526434979 :via [{:type java.lang.RuntimeException :message org.apache.storm.shade.org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /credentials/rrtd-topology-1-1526434979 :at [org.apache.storm.util$wrap_in_runtime invoke util.clj 54]} {:type org.apache.storm.shade.org.apache.zookeeper.KeeperException$NoAuthException :message KeeperErrorCode = NoAuth for /credentials/rrtd-topology-1-1526434979 :at [org.apache.storm.shade.org.apache.zookeeper.KeeperException create KeeperException.java 113]}] :trace [[org.apache.storm.shade.org.apache.zookeeper.KeeperException create KeeperException.java 113] [org.apache.storm.shade.org.apache.zookeeper.KeeperException create KeeperException.java 51] [org.apache.storm.shade.org.apache.zookeeper.ZooKeeper create ZooKeeper.java 783] [org.apache.storm.shade.org.apache.curator.framework.imps.CreateBuilderImpl$11 call CreateB

What did I do?

I tried to create znode /credentials/rrtd-topology-1-1526434979 but znode is not created and instead I cannot create any znode in zookeeper and create /test is also failing.

Below is the ACL for / in zookeeper:

[zk: localhost:2181(CONNECTED) 26] getAcl / 'world,'anyone : cdrwa

Can someone please help me.

7,410 Views
0 Kudos
8 REPLIES 8

avatar
author-rank arald
Super Collaborator

Created ‎05-16-2018 06:12 AM

i think this solution is what you need: https://community.hortonworks.com/articles/29900/zookeeper-using-superdigest-to-gain-full-access-to....

6,754 Views
0 Kudos

avatar
author-rank sriramhadoop27
Contributor

Created ‎05-16-2018 11:35 AM

Hi,

/ has full permissions but I could not create znode. Any help and I tried working on steps mentioned in the Web link but it did not work.

,

Implemented it. But it did not work.

6,754 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎05-16-2018 11:44 AM

@Sriram

Can you check the document reference by @Harald Berghoff

6,754 Views
0 Kudos

avatar
author-rank sriramhadoop27
Contributor

Created ‎05-19-2018 05:02 PM

By default / has world wide permissions but I am unable to create znode under /.

By the way it is kerberised cluster.

And I tried the solution provided by @Harald Berghoff and unfortunately in my case it did not work.

My problem in one line is:

/ in zookeeper has worldwide permissions but I am unable to create znode under /

@Geoffrey... Can you help me on this.

6,754 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎05-19-2018 08:23 PM

@Sriram

Environment

  • HDP 2.6.2.0
  • Ambari 2.5.2.0
  • MIT Kerberos

I just connected as a normal user and followed the below steps, the znode Test was created without any issues.

I logged in as a local user without a valid Kerberos ticket

$ klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)

Connected to ZkCli

$ cd /usr/hdp/current/zookeeper-server 
$ ./bin/zkCli.sh 
.......
[zk: localhost:2181(CONNECTED) 0] ls /
[hive, registry, cluster, controller, brokers, zookeeper, infra-solr, hbase-unsecure, kafka-acl, kafka-acl-changes, admin, isr_change_notification, templeton-hadoop, hiveserver2, controller_epoch, druid, rmstore, hbase-secure, ambari-metrics-cluster, consumers, config]

Check permissions ACL's

[zk: localhost:2181(CONNECTED) 1] getAcl / 
'world,'anyone
: cdrwa

Created a Persistant znode Test 

[zk: localhost:2181(CONNECTED) 2] create /Test 'siram_issue'
Created /Test

List Znode child 

[zk: localhost:2181(CONNECTED) 3] ls /Test
[]

List Znodes

Notice Test is listed

[zk: localhost:2181(CONNECTED) 4] ls /
[hive, registry, cluster, controller, brokers, zookeeper, infra-solr, hbase-unsecure, kafka-acl, kafka-acl-changes, admin, isr_change_notification, templeton-hadoop, hiveserver2, controller_epoch, druid, Test, rmstore, hbase-secure, ambari-metrics-cluster, consumers, config]

Check Status 

[zk: localhost:2181(CONNECTED) 6] stat /Test
cZxid = 0x2997
ctime = Sat May 19 21:49:55 CEST 2018
mZxid = 0x2997
mtime = Sat May 19 21:49:55 CEST 2018
pZxid = 0x2997
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 13
numChildren = 0

Can you share your steps that failed ?

6,754 Views

avatar
author-rank sriramhadoop27
Contributor

Created ‎05-20-2018 05:37 AM

@Geoffrey,

I thank a lot for your time on this and I could do it on my test server as you had done but unfortunately I could not do it on my pre-prod cluster and I do see the same that / has the same privileges as you have but I am unable to create znode 😞

Any logs or any configurations you would like to cross-check?

6,754 Views
0 Kudos

avatar
author-rank sriramhadoop27
Contributor

Created ‎05-20-2018 05:38 AM

Is a TGT hampering my activity? Should I destory TGT and try creating znode?

6,754 Views
0 Kudos

avatar
author-rank sriramhadoop27
Contributor

Created ‎05-23-2018 06:23 AM

@Geoffrey Shelton Okot ...Could you please help me on this.. I am unable to figure out root cause of the issue.

6,754 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements