Support Questions

sreeram_chintal · ‎07-12-2016

HI,

I recently upgraded from HDP 2.3.2 to HDP 2.4.2 on a secure cluster.

When I try to start MR History server, yarn Timeline service and HBase master service, all three are throwing the same error as

failed to obtain user group information: java.io.IOException: Usernames not matched: name=hdfs != expected=hdfs-REALM
Below is the stacktrace:

 File "/usr/lib/python2.6/site-packages/resource_management/libraries/providers/hdfs_resource.py", line 195, in run_command
    raise Fail(err_msg)
resource_management.core.exceptions.Fail: Execution of 'curl -sS -L -w '%{http_code}' -X GET --negotiate -u : 'http://znlhacdt0002.amer.zurich.corp:50070/webhdfs/v1/app-logs?op=GETFILESTATUS&user.name=hdfs'' returned status_code=403. 
{
  "RemoteException": {
    "exception": "SecurityException", 
    "javaClassName": "java.lang.SecurityException", 
    "message": "Failed to obtain user group information: java.io.IOException: Usernames not matched: name=hdfs != expected=hdfs-SANDBOX"
  }
}

Not sure why the user.name its using hdfs-sandox instead hdfs. When I tried the curl, it works with hdfs-sandbox, but doesnt work with hdfs. Please let me know where I have to change the config to make it work..
Any help is greatly appreciated.
thanks,
Sreeram

SBren · ‎07-13-2016

@Sreeram Chintalapudi This could happen if there is an incorrect RULE in "hadoop.security.auth_to_local" in /etc/hadoop/conf/core-site.xml. You can review/modify the contents by navigating to Ambari -> HDFS -> Configs -> Advanced -> Advanced core-site.xml -> hadoop.security.auth_to_local.

It should look similar to this;

RULE:[1:$1@$0](ambari-qa-EXAMPLE@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hbase-EXAMPLE@EXAMPLE.COM)s/.*/hbase/ 
RULE:[1:$1@$0](hdfs-EXAMPLE@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[1:$1@$0](spark-EXAMPLE@EXAMPLE.COM)s/.*/spark/ 
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*// 
RULE:[1:$1@$0](.*@.*EXAMPLE.COM)s/@.*// 
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*// 
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L 
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](amszk@EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/ 
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](falcon@EXAMPLE.COM)s/.*/falcon/ 
RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/ 
RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/ 
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/ 
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](knox@EXAMPLE.COM)s/.*/knox/ 
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/ 
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/ 
DEFAULT

If you make any changes to the rules you will need to restart the affected services.

Hope this helps,

Steve

View solution in original post

SBren · ‎07-13-2016

@Sreeram Chintalapudi This could happen if there is an incorrect RULE in "hadoop.security.auth_to_local" in /etc/hadoop/conf/core-site.xml. You can review/modify the contents by navigating to Ambari -> HDFS -> Configs -> Advanced -> Advanced core-site.xml -> hadoop.security.auth_to_local.

It should look similar to this;

RULE:[1:$1@$0](ambari-qa-EXAMPLE@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hbase-EXAMPLE@EXAMPLE.COM)s/.*/hbase/ 
RULE:[1:$1@$0](hdfs-EXAMPLE@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[1:$1@$0](spark-EXAMPLE@EXAMPLE.COM)s/.*/spark/ 
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*// 
RULE:[1:$1@$0](.*@.*EXAMPLE.COM)s/@.*// 
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*// 
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*///L 
RULE:[2:$1@$0](amshbase@EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](amszk@EXAMPLE.COM)s/.*/ams/ 
RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/ 
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](falcon@EXAMPLE.COM)s/.*/falcon/ 
RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/ 
RULE:[2:$1@$0](hive@EXAMPLE.COM)s/.*/hive/ 
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/ 
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](knox@EXAMPLE.COM)s/.*/knox/ 
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/ 
RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/ 
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/ 
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/ 
DEFAULT

If you make any changes to the rules you will need to restart the affected services.

Hope this helps,

Steve

sreeram_chintal · ‎07-13-2016

Thanks Steve for the article..that did the trick...thanks again for all ur help

Sreeram

vvvvvdev · ‎09-01-2016

Hi Sreeram,

I am also facing the same issue. Can you please tell me exactly what you did to solve the issue.

Thanks in advance

Cloudera Community

Support Questions

Upgraded HDP stack from 2.3.2 to 2.4.2. webhdfs curl failed to obtain user group information: java.io.IOException: Usernames not matched: name=hdfs != expected=hdfs-