Support Questions
Find answers, ask questions, and share your expertise

Kudu and Kerberos

Explorer

Hi,

I’m on CDH 5.13.0 with kudu 1.5.0. I have a problem when i enable kerberos authentication on kudu. Kerberos authentication work fine on other components (hbase, hdfs, impala, etc…).

 

When I try to create a table on kudu storage with hue or impala-shell, I have an error 

 

Query :

 

create table kudu_db.test3 (

row_id string,

test string,

primary key (row_id)

)

partition by hash (row_id) partitions 8

stored as kudu

 

Error :

 

ImpalaRuntimeException: Error creating Kudu table 'impala::s4do05k0_p04.test3' CAUSED BY: NonRecoverableException: Not enough live tablet servers to create a table with the requested replication factor 3. 0 tablet servers are alive.

 

In cloudera manager/Kudu Master Web UI/ « Tablet Servers » tab, i have this :

2018-08-02 12_05_38-Kudu.png

 

If I disable kerberos, I have this :

 2018-08-02 11_49_58-Kudu.png

Configuration in Cloudera Manager

2018-08-02 12_07_15-Kudu - Cloudera Manager.png

 

Create table doesn’t work but I can select on existing table...

 

Anyone can help me please ?

 

Best regards

 

 

21 REPLIES 21

New Contributor

Just as a quick check, you are looking to setup Kerberos between the Kudu master, tablet servers and Kudu client yes? (i.e. Not Kerberos authentication from a user client via Impala, as this is not setup here.)

 

If so, have you setup the keytab requirements etc. as per: https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_security.html#concept_syg_k35_l... ?

Explorer

Hi,

 

Yes I want setup Kerberos between the Kudu master, tablet servers and Kudu client.

 

Kerberos and TLS/SSL are enable and work fine on all others components of the cluster.

 

That 's this setting that I Implemented.

 

Best regards

Expert Contributor

It sounds like Impala might be configured to talk to the wrong master, or one of the Kudu masters is stuck and needs to be repaired.

 

1) How many Kudu master servers are you running?

 

2) Do you see any error messages in the Kudu master log file(s)?

 

3) Do you see any errors when you run the following command?

 

sudo -u kudu kudu cluster ksck <master-addresses>

See https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_administration_cli.html#ksck for documentation on running ksck.

 

 

4) Is Impala configured with the correct --kudu_master_hosts flag? It should be configured to talk to all of the masters. See https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_impala.html for documentation on that.

Explorer

Hi

1) How many Kudu master servers are you running?
=> Only One

2) Do you see any error messages in the Kudu master log file(s)?
=> No error in kudu-master.INFO

3) Do you see any errors when you run the following command?

 

sudo -u kudu kudu cluster ksck <master-addresses>

See https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_administration_cli.html#ksck for documentation on running ksck.

=> yes a lot...
 
 ...
 Tablet 6363250dcd7a47c4b5c2d4710c6536fd of table 'poc_rgpd_kudu_db.xxxxxxne_adresse_snappy' is unavailable: 3 replica(s) not RUNNING
  36386227a1624b74895dd1fb6b3150e9: TS unavailable [LEADER]
  3920550eeade417885b846064ddd2410: TS unavailable
  ea71c709fef34e0d87adfe90f917abc8: TS unavailable

Tablet c0ce4bfaf2a345d3944180e0168bfc84 of table 'poc_rgpd_kudu_db.xxxxxxtion_snt' is unavailable: 3 replica(s) not RUNNING
  ea71c709fef34e0d87adfe90f917abc8: TS unavailable
  041b5a3e1438484fbf3a68b10d91a928: TS unavailable [LEADER]
  fa697a7fc04d4c62ae031c77db71be9b: TS unavailable

Table impala::s4do05k0_p24.ec_donneesss has 24 unavailable tablet(s)

Table Summary
                       Name                       |   Status    | Total Tablets | Healthy | Under-replicated | Unavailable
--------------------------------------------------+-------------+---------------+---------+------------------+-------------
 impala::poc_rgpd_kudu_db.xxxxxxtion              | UNAVAILABLE | 10            | 0       | 0                | 10
 impala::poc_rgpd_kudu_db.xxxxxxne_adresse        | UNAVAILABLE | 20            | 0       | 0                | 20
 impala::poc_rgpd_kudu_db.xxxxxxne_adresse_ctas   | UNAVAILABLE | 20            | 0       | 0                | 20
 impala::poc_rgpd_kudu_db.xxxxxxne_adresse_snappy | UNAVAILABLE | 20            | 0       | 0                | 20
 impala::poc_rgpd_kudu_db.xxxxxxtion_snt          | UNAVAILABLE | 20            | 0       | 0                | 20
==================
Errors:
==================
error fetching info from tablet servers: Not found: No tablet servers found
table consistency check error: Corruption: 45 out of 45 table(s) are bad

FAILED
Runtime error: ksck discovered errors

4) Is Impala configured with the correct --kudu_master_hosts flag? It should be configured to talk to all of the masters. See https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_impala.html for documentation on that.
No, how can I configue  --kudu_master_hosts in cloudera manager, I don't find this setting ?

Thanks for your help

Best regards

Expert Contributor

> 3) Do you see any errors when you run the following command?

> sudo -u kudu kudu cluster ksck <master-addresses>

> See https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_administration_cli.html#ksck for documentation on running ksck.

=> yes a lot...

 

OK, you will need to take a look at the tserver logs to figure out what is going on. But it sounds like something is wrong with your tablet servers. Can you post any error messages you see in kudu-tserver.INFO logs?
 
> 4) Is Impala configured with the correct --kudu_master_hosts flag? It should be configured to talk to all of the

> masters. See https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_impala.html for

> documentation on that.

 

No, how can I configue  --kudu_master_hosts in cloudera manager, I don't find this setting ?

I just checked my dev cluster and you probably don't have to change anything; Cloudera Manager will automatically set it for Impala if you have a Kudu Service configured for it. I think your problem is with your Kudu tablet servers, not with Impala.

Explorer

I restarted a tserver and I've got these elements

 

stdout

 

Fri Sep 14 15:03:21 CEST 2018
JAVA_HOME=/logiciels/java/jdk
Using /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER as conf dir
Using scripts/kudu.sh as process script
CONF_DIR=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER
CMF_CONF_DIR=/etc/cloudera-scm-agent
Fri Sep 14 15:03:21 CEST 2018: KUDU_HOME: /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
Fri Sep 14 15:03:21 CEST 2018: CONF_DIR: /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER
Fri Sep 14 15:03:21 CEST 2018: CMD: tserver
Fri Sep 14 15:03:21 CEST 2018: Found master(s) on XXX1105.krj.gie

stderr

 

Fri Sep 14 15:03:21 CEST 2018
+ locate_java_home
+ locate_java_home_no_verify
+ JAVA6_HOME_CANDIDATES=('/usr/lib/j2sdk1.6-sun' '/usr/lib/jvm/java-6-sun' '/usr/lib/jvm/java-1.6.0-sun-1.6.0' '/usr/lib/jvm/j2sdk1.6-oracle' '/usr/lib/jvm/j2sdk1.6-oracle/jre' '/usr/java/jdk1.6' '/usr/java/jre1.6')
+ local JAVA6_HOME_CANDIDATES
+ OPENJAVA6_HOME_CANDIDATES=('/usr/lib/jvm/java-1.6.0-openjdk' '/usr/lib/jvm/jre-1.6.0-openjdk')
+ local OPENJAVA6_HOME_CANDIDATES
+ JAVA7_HOME_CANDIDATES=('/usr/java/jdk1.7' '/usr/java/jre1.7' '/usr/lib/jvm/j2sdk1.7-oracle' '/usr/lib/jvm/j2sdk1.7-oracle/jre' '/usr/lib/jvm/java-7-oracle')
+ local JAVA7_HOME_CANDIDATES
+ OPENJAVA7_HOME_CANDIDATES=('/usr/lib/jvm/java-1.7.0-openjdk' '/usr/lib/jvm/java-7-openjdk')
+ local OPENJAVA7_HOME_CANDIDATES
+ JAVA8_HOME_CANDIDATES=('/usr/java/jdk1.8' '/usr/java/jre1.8' '/usr/lib/jvm/j2sdk1.8-oracle' '/usr/lib/jvm/j2sdk1.8-oracle/jre' '/usr/lib/jvm/java-8-oracle')
+ local JAVA8_HOME_CANDIDATES
+ OPENJAVA8_HOME_CANDIDATES=('/usr/lib/jvm/java-1.8.0-openjdk' '/usr/lib/jvm/java-8-openjdk')
+ local OPENJAVA8_HOME_CANDIDATES
+ MISCJAVA_HOME_CANDIDATES=('/Library/Java/Home' '/usr/java/default' '/usr/lib/jvm/default-java' '/usr/lib/jvm/java-openjdk' '/usr/lib/jvm/jre-openjdk')
+ local MISCJAVA_HOME_CANDIDATES
+ case ${BIGTOP_JAVA_MAJOR} in
+ JAVA_HOME_CANDIDATES=(${JAVA7_HOME_CANDIDATES[@]} ${JAVA8_HOME_CANDIDATES[@]} ${JAVA6_HOME_CANDIDATES[@]} ${MISCJAVA_HOME_CANDIDATES[@]} ${OPENJAVA7_HOME_CANDIDATES[@]} ${OPENJAVA8_HOME_CANDIDATES[@]} ${OPENJAVA6_HOME_CANDIDATES[@]})
+ '[' -z /logiciels/java/jdk ']'
+ verify_java_home
+ '[' -z /logiciels/java/jdk ']'
+ echo JAVA_HOME=/logiciels/java/jdk
+ '[' -n '' ']'
+ source_parcel_environment
+ '[' '!' -z /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/meta/cdh_env.sh ']'
+ OLD_IFS=' 	
'
+ IFS=:
+ SCRIPT_ARRAY=($SCM_DEFINES_SCRIPTS)
+ DIRNAME_ARRAY=($PARCEL_DIRNAMES)
+ IFS=' 	
'
+ COUNT=1
++ seq 1 1
+ for i in '`seq 1 $COUNT`'
+ SCRIPT=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/meta/cdh_env.sh
+ PARCEL_DIRNAME=CDH-5.13.0-1.cdh5.13.0.p0.29
+ . /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/meta/cdh_env.sh
++ CDH_DIRNAME=CDH-5.13.0-1.cdh5.13.0.p0.29
++ export CDH_HADOOP_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop
++ CDH_HADOOP_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop
++ export CDH_MR1_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-0.20-mapreduce
++ CDH_MR1_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-0.20-mapreduce
++ export CDH_HDFS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-hdfs
++ CDH_HDFS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-hdfs
++ export CDH_HTTPFS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-httpfs
++ CDH_HTTPFS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-httpfs
++ export CDH_MR2_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-mapreduce
++ CDH_MR2_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-mapreduce
++ export CDH_YARN_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-yarn
++ CDH_YARN_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-yarn
++ export CDH_HBASE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hbase
++ CDH_HBASE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hbase
++ export CDH_ZOOKEEPER_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/zookeeper
++ CDH_ZOOKEEPER_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/zookeeper
++ export CDH_HIVE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hive
++ CDH_HIVE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hive
++ export CDH_HUE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hue
++ CDH_HUE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hue
++ export CDH_OOZIE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/oozie
++ CDH_OOZIE_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/oozie
++ export CDH_HUE_PLUGINS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop
++ CDH_HUE_PLUGINS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop
++ export CDH_FLUME_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/flume-ng
++ CDH_FLUME_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/flume-ng
++ export CDH_PIG_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/pig
++ CDH_PIG_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/pig
++ export CDH_HCAT_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hive-hcatalog
++ CDH_HCAT_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hive-hcatalog
++ export CDH_SQOOP2_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/sqoop2
++ CDH_SQOOP2_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/sqoop2
++ export CDH_LLAMA_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/llama
++ CDH_LLAMA_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/llama
++ export CDH_SENTRY_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/sentry
++ CDH_SENTRY_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/sentry
++ export TOMCAT_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/bigtop-tomcat
++ TOMCAT_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/bigtop-tomcat
++ export JSVC_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/bigtop-utils
++ JSVC_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/bigtop-utils
++ export CDH_HADOOP_BIN=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop/bin/hadoop
++ CDH_HADOOP_BIN=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop/bin/hadoop
++ export CDH_IMPALA_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/impala
++ CDH_IMPALA_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/impala
++ export CDH_SOLR_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/solr
++ CDH_SOLR_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/solr
++ export CDH_HBASE_INDEXER_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hbase-solr
++ CDH_HBASE_INDEXER_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hbase-solr
++ export SEARCH_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/search
++ SEARCH_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/search
++ export CDH_SPARK_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/spark
++ CDH_SPARK_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/spark
++ export WEBHCAT_DEFAULT_XML=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/etc/hive-webhcat/conf.dist/webhcat-default.xml
++ WEBHCAT_DEFAULT_XML=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/etc/hive-webhcat/conf.dist/webhcat-default.xml
++ export CDH_KMS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-kms
++ CDH_KMS_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/hadoop-kms
++ export CDH_PARQUET_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/parquet
++ CDH_PARQUET_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/parquet
++ export CDH_AVRO_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/avro
++ CDH_AVRO_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/avro
++ export CDH_KUDU_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
++ CDH_KUDU_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
+ echo 'Using /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER as conf dir'
+ echo 'Using scripts/kudu.sh as process script'
+ replace_conf_dir
+ echo CONF_DIR=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER
+ echo CMF_CONF_DIR=/etc/cloudera-scm-agent
+ EXCLUDE_CMF_FILES=('cloudera-config.sh' 'httpfs.sh' 'hue.sh' 'impala.sh' 'sqoop.sh' 'supervisor.conf' 'config.zip' 'proc.json' '*.log' '*.keytab' '*jceks')
++ printf '! -name %s ' cloudera-config.sh httpfs.sh hue.sh impala.sh sqoop.sh supervisor.conf config.zip proc.json '*.log' kudu.keytab creds.localjceks
+ find /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER -type f '!' -path '/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/logs/*' '!' -name cloudera-config.sh '!' -name httpfs.sh '!' -name hue.sh '!' -name impala.sh '!' -name sqoop.sh '!' -name supervisor.conf '!' -name config.zip '!' -name proc.json '!' -name '*.log' '!' -name kudu.keytab '!' -name creds.localjceks -exec perl -pi -e 's#{{CMF_CONF_DIR}}#/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER#g' '{}' ';'
+ make_scripts_executable
+ find /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER -regex '.*\.\(py\|sh\)$' -exec chmod u+x '{}' ';'
+ RUN_DIR=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER
+ '[' '' == true ']'
+ chmod u+x /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/scripts/kudu.sh
+ export COMMON_SCRIPT=/usr/lib64/cmf/service/common/cloudera-config.sh
+ COMMON_SCRIPT=/usr/lib64/cmf/service/common/cloudera-config.sh
+ exec /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/scripts/kudu.sh tserver
+ date
Fri Sep 14 15:03:21 CEST 2018
+ DEFAULT_KUDU_HOME=/usr/lib/kudu
+ export KUDU_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
+ KUDU_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
+ export KUDU_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
+ KUDU_HOME=/opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
+ CMD=tserver
+ shift 2
+ log 'KUDU_HOME: /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu'
++ date
+ timestamp='Fri Sep 14 15:03:21 CEST 2018'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: KUDU_HOME: /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: KUDU_HOME: /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu'
Fri Sep 14 15:03:21 CEST 2018: KUDU_HOME: /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu
+ log 'CONF_DIR: /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER'
++ date
+ timestamp='Fri Sep 14 15:03:21 CEST 2018'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: CONF_DIR: /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: CONF_DIR: /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER'
Fri Sep 14 15:03:21 CEST 2018: CONF_DIR: /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER
+ log 'CMD: tserver'
++ date
+ timestamp='Fri Sep 14 15:03:21 CEST 2018'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: CMD: tserver'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: CMD: tserver'
Fri Sep 14 15:03:21 CEST 2018: CMD: tserver
+ GFLAG_FILE=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/gflagfile
+ '[' '!' -r /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/gflagfile ']'
+ MASTER_FILE=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/master.properties
+ '[' '!' -r /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/master.properties ']'
+ MASTER_IPS=
++ cat /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/master.properties
+ for line in '$(cat "$MASTER_FILE")'
+ readconf XXX1105.krj.gie:server.address=
+ local conf
+ IFS=:
+ read host conf
+ IFS==
+ read key value
+ case $key in
+ '[' -n '' ']'
+ actual_value=XXX1105.krj.gie
+ '[' -n '' ']'
+ MASTER_IPS=XXX1105.krj.gie
+ log 'Found master(s) on XXX1105.krj.gie'
++ date
+ timestamp='Fri Sep 14 15:03:21 CEST 2018'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: Found master(s) on XXX1105.krj.gie'
+ echo 'Fri Sep 14 15:03:21 CEST 2018: Found master(s) on XXX1105.krj.gie'
Fri Sep 14 15:03:21 CEST 2018: Found master(s) on XXX1105.krj.gie
+ '[' false == true ']'
+ KUDU_ARGS=
+ '[' true == true ']'
+ KUDU_ARGS='              --rpc_authentication=required              --rpc_encryption=required              --keytab_file=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/kudu.keytab'
+ '[' tserver = master ']'
+ '[' tserver = tserver ']'
+ KUDU_ARGS='              --rpc_authentication=required              --rpc_encryption=required              --keytab_file=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/kudu.keytab --tserver_master_addrs=XXX1105.krj.gie'
+ exec /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu/sbin/kudu-tserver --rpc_authentication=required --rpc_encryption=required --keytab_file=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/kudu.keytab --tserver_master_addrs=XXX1105.krj.gie --flagfile=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/gflagfile

But, I don't have log file

 

[Errno 2] No such file or directory: '/logiciels/hadoop/log/kudu/kudu-tserver.INFO'

Expert Contributor
Can you access the role log files through Cloudera Manager?

Expert Contributor

Some more questions:

 

  1. When was the last time the cluster worked?
  2. What has changed since then?

Explorer
  1. When was the last time the cluster worke?
  2. What has changed since then?

 

I have this issue when I check this :

 

2018-09-17 10_50_25-Kudu - Cloudera Manager.png

Contributor

Hi,

 

Can you check what keytab your tablet servers are running with?

 

You can do that by logging in to one of the tablet server machines and checking the command line that kudu-tserver process is running with.   Then check what's inside that keytab.

 

It's something like

 

[root@anonymous ~]# ps axw | grep kudu-tserver

  548 pts/0    S+     0:00 grep --color=auto kudu-tserver

32747 ?        Sl     1:12 /opt/cloudera/parcels/CDH/lib/kudu/sbin/kudu-tserver

--rpc_authentication=required --rpc_encryption=required --keytab_file=/var/run/cloudera-scm-agent/process/580-kudu-KUDU_TSERVER/kudu.keytab --tserver_master_addrs=master.myhost.org --flagfile=/var/run/cloudera-scm-agent/process/580-kudu-KUDU_TSERVER/gflagfile

 

[root@anonymous ~]# klist -k /var/run/cloudera-scm-agent/process/580-kudu-KUDU_TSERVER/kudu.keytab

Keytab name: FILE:/var/run/cloudera-scm-agent/process/580-kudu-KUDU_TSERVER/kudu.keytab

KVNO Principal

---- --------------------------------------------------------------------------

   2 kudu/ts-01.myhost.org@DC.MYHOST.ORG

   2 kudu/ts-01.myhost.org@DC.MYHOST.ORG

   2 kudu/ts-01.myhost.org@DC.MYHOST.ORG

   2 kudu/ts-01.myhost.org@DC.MYHOST.ORG

 

 

If tablet servers are not runing or running without keytabs, or there is nothing in those keytabs, that might be the problem.

 

Anyway, I think there should be log files of Kudu tablet servers at those machines, by default they are in /var/log/kudu.  Checking those logs might give you some ideas what to start the troubleshooting with.

 

 

Regards,

 

Alexey

Expert Contributor

There is documentation for how to enable Kudu security on CDH 5.13.0 here: https://www.cloudera.com/documentation/enterprise/5-13-x/topics/kudu_security.html#concept_syg_k35_l...

 

Please follow those steps and let us know if it still doesn't work for you.

 

Thanks,

Mike

Explorer

 

Hi Mike

 

It's this document that I followed to enable TLS/SSL and Kerberos.

 

I have this settings in Cloudera Manager2018-09-25 10_18_30-Kudu - Cloudera Manager.png

 

2018-09-25 10_21_29-Security - Cloudera Manager.png

 

2018-09-25 10_23_13-Kudu - Cloudera Manager.png

2018-09-25 10_25_25-Kudu - Cloudera Manager.png

 

2018-09-25 10_26_02-Kudu - Cloudera Manager.png

 

Is there something wrong ?

Best regards

 

Christophe

 

 

Explorer
Hi Alexey, Tablet Server are runnig, I've got the following : [993][root@XXX1111:~]# ps axw | grep kudu-tserver 61712 ? Sl 621:42 /opt/cloudera/parcels/CDH-5.13.0-1.cdh5.13.0.p0.29/lib/kudu/sbin/kudu-tserver --rpc_authentication=required --rpc_encryption=required --keytab_file=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/kudu.keytab --tserver_master_addrs=XXX1105.krj.gie --flagfile=/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/gflagfile 185450 pts/0 S+ 0:00 grep --color=auto kudu-tserver [994][root@knlXXX1:~]# klist -k /run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/kudu.keytab Keytab name: FILE:/run/cloudera-scm-agent/process/7996-kudu-KUDU_TSERVER/kudu.keytab KVNO Principal ---- -------------------------------------------------------------------------- 1 kudu/XXX1111.krj.gie@XXXX.GIE FYI I've got 5 tablets Server Is there anything wrong ? Regards Christophe

Cloudera Employee
The tablet servers are failing to register with the master. There should be errors in the tablet server and master logs about this, assuming that the value you've obfuscated in '--tserver_master_addrs=XXX1105.krj.gie' is correct for the Kudu master.

What do those errors say?

Contributor

The 'ps' sample output from one your servers looks fine.

 

Just another question: I assume the 'superuser_acl' property in you CM configuration (that's blurred out) contains 'kudu' (or whatever you have for the Kudu service principal), right?  If not, add that into the list.

 

Anyway, it's hard to say what's wrong looking at the configuration snippets and playing the 'guess what?' game.  I would highly recommend following Will's advise on looking into the logs of master(s) and tablet servers for the error details.  I think that will give you a firm starting point in troubleshooting the issue and save some time for everybody.

 

 

Regards,

 

Alexey

Explorer
Hi, Sorry for the late response, I was on another subject For your information : The property did not contain "kudu", I added it and it does not work. I have the same error when the property is set on "*" I've modified the kudu log level to WARNING and I have more messages On tablet server, I have this W1016 17:20:42.294350 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.308531 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.321985 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.339105 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.352322 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwbmxqylry', principal='kudu/XXX1115.krj.gie@REALM'} at 100.54.44.231:33470 W1016 17:20:42.373529 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.384279 48461 leader_election.cc:277] T eee6075900bf49a78a911fe5b88e98e3 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.384328 48461 leader_election.cc:277] T eee6075900bf49a78a911fe5b88e98e3 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer ea71c709fef34e0d87adfe90f917abc8: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.388542 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.393936 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.396759 48461 leader_election.cc:277] T db6bdb50bb964c40b76e73f633f82bc8 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.396842 48459 leader_election.cc:277] T db6bdb50bb964c40b76e73f633f82bc8 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.401067 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.402855 48459 leader_election.cc:277] T 7fbc0fdb102a4246937c14768eed58f1 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.402894 48461 leader_election.cc:277] T 7fbc0fdb102a4246937c14768eed58f1 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.408056 48461 leader_election.cc:277] T de0a76fa35154cfcba1d1acabbd9fd97 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.408090 48459 leader_election.cc:277] T de0a76fa35154cfcba1d1acabbd9fd97 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.418889 48461 leader_election.cc:277] T 789096c226c241b3bda456da99025455 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.418917 48459 leader_election.cc:277] T 789096c226c241b3bda456da99025455 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.421723 48461 leader_election.cc:277] T abc59c8abe454ff1b1e34f1b90f52851 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.421763 48459 leader_election.cc:277] T abc59c8abe454ff1b1e34f1b90f52851 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.459609 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.461763 48459 leader_election.cc:277] T 42e7bdc8c26642059439897f7f127f92 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.461799 48461 leader_election.cc:277] T 42e7bdc8c26642059439897f7f127f92 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer ea71c709fef34e0d87adfe90f917abc8: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.477473 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.488016 48459 leader_election.cc:277] T 7d80d9b648aa43c5b0e37e2aa882738b P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.488055 48461 leader_election.cc:277] T 7d80d9b648aa43c5b0e37e2aa882738b P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.525362 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.528292 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.553570 48459 leader_election.cc:277] T 358989d89bd541b88f0ebb78d47e650a P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.553606 48459 leader_election.cc:277] T 358989d89bd541b88f0ebb78d47e650a P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.588174 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.591974 48459 leader_election.cc:277] T 61f2c9b394f74eb49499ef1671d03596 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.592010 48459 leader_election.cc:277] T 61f2c9b394f74eb49499ef1671d03596 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.596632 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.603999 48461 leader_election.cc:277] T 9ae1a83fa31d4af6816d52e3351cf57e P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer ea71c709fef34e0d87adfe90f917abc8: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.604034 48461 leader_election.cc:277] T 9ae1a83fa31d4af6816d52e3351cf57e P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote I Can send the full log if you want. Thanks for your help Best Regards Christophe

Explorer
Hi, Sorry for the late response, I was on another subject
For your information : The property did not contain "kudu", I added it and it does not work. I have the same error when the property is set on "*"
 
I've modified the kudu log level to WARNING and I have more messages On tablet server, I have this :
 
W1016 17:20:42.294350 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.308531 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.321985 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.339105 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.352322 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwbmxqylry', principal='kudu/XXX1115.krj.gie@REALM'} at 100.54.44.231:33470 W1016 17:20:42.373529 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.384279 48461 leader_election.cc:277] T eee6075900bf49a78a911fe5b88e98e3 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.384328 48461 leader_election.cc:277] T eee6075900bf49a78a911fe5b88e98e3 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer ea71c709fef34e0d87adfe90f917abc8: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.388542 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.393936 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.396759 48461 leader_election.cc:277] T db6bdb50bb964c40b76e73f633f82bc8 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.396842 48459 leader_election.cc:277] T db6bdb50bb964c40b76e73f633f82bc8 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.401067 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.402855 48459 leader_election.cc:277] T 7fbc0fdb102a4246937c14768eed58f1 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.402894 48461 leader_election.cc:277] T 7fbc0fdb102a4246937c14768eed58f1 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.408056 48461 leader_election.cc:277] T de0a76fa35154cfcba1d1acabbd9fd97 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.408090 48459 leader_election.cc:277] T de0a76fa35154cfcba1d1acabbd9fd97 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.418889 48461 leader_election.cc:277] T 789096c226c241b3bda456da99025455 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.418917 48459 leader_election.cc:277] T 789096c226c241b3bda456da99025455 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.421723 48461 leader_election.cc:277] T abc59c8abe454ff1b1e34f1b90f52851 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.421763 48459 leader_election.cc:277] T abc59c8abe454ff1b1e34f1b90f52851 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.459609 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.461763 48459 leader_election.cc:277] T 42e7bdc8c26642059439897f7f127f92 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.461799 48461 leader_election.cc:277] T 42e7bdc8c26642059439897f7f127f92 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer ea71c709fef34e0d87adfe90f917abc8: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.477473 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.488016 48459 leader_election.cc:277] T 7d80d9b648aa43c5b0e37e2aa882738b P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.488055 48461 leader_election.cc:277] T 7d80d9b648aa43c5b0e37e2aa882738b P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.525362 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.528292 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-ibzddzigqg', principal='kudu/XXX1117.krj.gie@REALM'} at 100.54.44.233:41820 W1016 17:20:42.553570 48459 leader_election.cc:277] T 358989d89bd541b88f0ebb78d47e650a P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.553606 48459 leader_election.cc:277] T 358989d89bd541b88f0ebb78d47e650a P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.588174 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-hwefzjneur', principal='kudu/XXX1119.krj.gie@REALM'} at 100.54.44.235:59322 W1016 17:20:42.591974 48459 leader_election.cc:277] T 61f2c9b394f74eb49499ef1671d03596 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 041b5a3e1438484fbf3a68b10d91a928: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.592010 48459 leader_election.cc:277] T 61f2c9b394f74eb49499ef1671d03596 P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer 36386227a1624b74895dd1fb6b3150e9: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.596632 48572 server_base.cc:329] Unauthorized access attempt to method kudu.consensus.ConsensusService.RequestConsensusVote from {username='m-zhdp-s-huzuudvhxu', principal='kudu/XXX1113.krj.gie@REALM'} at 100.54.44.229:42450 W1016 17:20:42.603999 48461 leader_election.cc:277] T 9ae1a83fa31d4af6816d52e3351cf57e P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer ea71c709fef34e0d87adfe90f917abc8: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote W1016 17:20:42.604034 48461 leader_election.cc:277] T 9ae1a83fa31d4af6816d52e3351cf57e P 3920550eeade417885b846064ddd2410 [CANDIDATE]: Term 47 pre-election: RPC error from VoteRequest() call to peer fa697a7fc04d4c62ae031c77db71be9b: Remote error: Not authorized: unauthorized access to method: RequestConsensusVote
 
I Can send the full log if you want.
 
Thanks for your help
 
Best Regards
Christophe

Contributor

Hi Christophe,

 

It seems in your case kudu service principals (like 'kudu/XXX1119.krj.gie@REALM') are not mapped into 'kudu' as expected, but into name of local users (like 'm-zhdp-s-hwefzjneur').  If I'm not mistaken, that's exactly https://issues.apache.org/jira/browse/KUDU-2198. 

 

As a workaround, I can suggest to add --use_system_auth_to_local=false to the Kudu flags (both masters and tservers).  If using CM, add that flag into the 'Kudu Service Advanced Configuration Snippet (Safety Valve) for gflagfile'.

 

Hope this helps.

 

 

Regards,

 

Alexey

Contributor

Oh, sorry -- it seems you are at 5.13.0 and that flag is not available in that version yet (but it's present starting 5.14.0).  I'm afraid you need either to introduce custom mappings for those kudu service principals (so they would be mapped into 'kudu') or upgrade to 5.14 or higher to get access to that flag.  Setting superuser ACL to '*' would not allow tablet servers to register with masters anyway because of the following:

 

  https://github.com/apache/kudu/blob/master/src/kudu/master/master_service.cc#L122

Explorer

thanks for these informations, a little question : where must I define the custom mapping ?

 

Best regards

 

Christophe

; ;