Created 04-23-2019 08:32 PM
Situation;
When running a Zeppelin notebook with the Livy interpreter, I get the following error;
Executed Command:
%livy.pyspark
print "1"
Error
Attempt recovered after RM restart
AM Container for appattempt_1555963066902_0007_000001 exited with exitCode: -1000
Failing this attempt.
Diagnostics: [2019-04-23 10:36:30.617]Application application_1555963066902_0007 initialization failed (exitCode=255) with output:
main : command provided 0
main : run as user is pc7
main : requested yarn user is pc7
org.apache.hadoop.security.KerberosAuthException: failure to login: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name pc7@domain.local: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to pc7@domain.local
    at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1847)
    at org.apache.hadoop.security.UserGroupInformation.createLoginUser(UserGroupInformation.java:710)
    at org.apache.hadoop.security.UserGroupInformation.getLoginUser(UserGroupInformation.java:660)
    at org.apache.hadoop.security.UserGroupInformation.getCurrentUser(UserGroupInformation.java:571)
    at org.apache.hadoop.yarn.server.nodemanager.containermanager.localizer.ContainerLocalizer.main(ContainerLocalizer.java:461)
Caused by: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name pc7@domain.local: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to pc7@domain.local
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:232)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:588)
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1926)
    at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1837)
    ... 4 more
Caused by: java.lang.IllegalArgumentException: Illegal principal name pc7@domain.local: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to pc7@domain.local
    at org.apache.hadoop.security.User.<init>(User.java:51)
    at org.apache.hadoop.security.UserGroupInformation$HadoopLoginModule.commit(UserGroupInformation.java:230)
    ... 17 more
Caused by: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to pc7@domain.local
    at org.apache.hadoop.security.authentication.util.KerberosName.getShortName(KerberosName.java:401)
    at org.apache.hadoop.security.User.<init>(User.java:48)
    ... 18 more
For more detailed output, check the application tracking page: http://hdpuat01.domain.local:8088/cluster/app/application_1555963066902_0007 Then click on links to logs of each attempt.
Environment:
HDP: 3.1
Ambari: 2.7.3
Kerberos Enabled
Services and configurations: All installed via Ambari
Hosts: 1 (UAT All in One environment)
What works:
Spark Interpreter
Livy command shown above with impersonation disabled
Can confirm exists:
pc7 account is able to kinit and obtain token
pc7 is able to access and alter hdfs/user/pc7 directory
hadoop.proxyuser.livy.groups = *
hadoop.proxyuser.livy.hosts = *
hadoop.proxyuser.zeppelin.groups = *
hadoop.proxyuser.zeppelin.hosts = *
hadoop.proxyuser.yarn.groups = *
hadoop.proxyuser.hdfs.groups = *
DEFAULT value in auth-to-local
Impersonation enabled (disabled now)
Livy.Superuser is zeppelin account without the @domain.local
Zeppelin.livy.principal is zeppelin account without the @domain.local
Livy keytab pertains to zeppelin user
Any help would be greatly appreciated!
Created 04-23-2019 10:55 PM
It seems to be an issue with your auth_to_local rules. The best option before manually editing the auth_to_local is to regenerate the keytabs.
The following clients installed: hdfs, Yarn, spark client
Check the rules
HDFS-->Configs-->Advanced--> hadoop.security.auth_to_local
RULE:[1:$1@$0](ambari-qa-{cluster_name}@DOMAIN.LOCAL)s/.*/ambari-qa/
RULE:[1:$1@$0](hbase-{cluster_name}@DOMAIN.LOCAL)s/.*/hbase/
RULE:[1:$1@$0](hdfs-{cluster_name}@DOMAIN.LOCAL)s/.*/hdfs/
RULE:[1:$1@$0](spark-{cluster_name}@DOMAIN.LOCAL)s/.*/spark/
RULE:[1:$1@$0](zeppelin-{cluster_name}@DOMAIN.LOCAL)s/.*/zeppelin/
RULE:[1:$1@$0](.*@DOMAIN.LOCAL)s/@.*//
RULE:[2:$1@$0](amshbase@DOMAIN.LOCAL)s/.*/ams/
RULE:[2:$1@$0](amszk@DOMAIN.LOCAL)s/.*/ams/
RULE:[2:$1@$0](atlas@DOMAIN.LOCAL)s/.*/atlas/
RULE:[2:$1@$0](beacon@DOMAIN.LOCAL)s/.*/beacon/
RULE:[2:$1@$0](dn@DOMAIN.LOCAL)s/.*/hdfs/
RULE:[2:$1@$0](hbase@DOMAIN.LOCAL)s/.*/hbase/
RULE:[2:$1@$0](hive@DOMAIN.LOCAL)s/.*/hive/
RULE:[2:$1@$0](jhs@DOMAIN.LOCAL)s/.*/mapred/
RULE:[2:$1@$0](knox@DOMAIN.LOCAL)s/.*/knox/
RULE:[2:$1@$0](nifi@DOMAIN.LOCAL)s/.*/nifi/
RULE:[2:$1@$0](nm@DOMAIN.LOCAL)s/.*/yarn/
RULE:[2:$1@$0](nn@DOMAIN.LOCAL)s/.*/hdfs/
RULE:[2:$1@$0](oozie@DOMAIN.LOCAL)s/.*/oozie/
RULE:[2:$1@$0](rangeradmin@DOMAIN.LOCAL)s/.*/ranger/
RULE:[2:$1@$0](rangertagsync@DOMAIN.LOCAL)s/.*/rangertagsync/
RULE:[2:$1@$0](rangerusersync@DOMAIN.LOCAL)s/.*/rangerusersync/
RULE:[2:$1@$0](rm@DOMAIN.LOCAL)s/.*/yarn/
RULE:[2:$1@$0](yarn@DOMAIN.LOCAL)s/.*/yarn/
DEFAULT
Your rules shouldn't match but look like the above depending on the HDP components installed
Created 04-26-2019 01:02 PM
Thank you for the suggestions. The auth_to_local rules look very similar to the ones provided above, with respect to our domain. Ambari took care of creating them as services were added. Keytabs were also generated for all services, following a full service stack restart.
Unfortunately, I'm stuck with the same error;
main : run as user is pc7
main : requested yarn user is pc7
org.apache.hadoop.security.KerberosAuthException: failure to login: javax.security.auth.login.LoginException: java.lang.IllegalArgumentException: Illegal principal name pc7@domain.local: org.apache.hadoop.security.authentication.util.KerberosName$NoMatchingRule: No rules applied to pc7@domain.local
Created 04-30-2019 03:56 PM
I am sure I did send a response to this thread, please let me know. You need to create a user and associated keytabs. I documented it somewhere.
Created 04-30-2019 04:06 PM
Kerberos keytabs for all Ambari created users were regenerated. PC7 user also has a new Kerberos token. Problem is still occurring.
Created 04-30-2019 04:21 PM
Did you add a rule in the auth_to_local for your user pc7?
Created 04-30-2019 04:26 PM
I did not, but wouldn't the "RULE:[1:$1@$0](.*@DOMAIN.LOCAL)s/@.*//" take care of any username with that domain name? PC7 is a domain user, not a local.
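Added example, not part of the thread and not Hadoop's own code: a simplified Python model of how auth_to_local rules are evaluated, run over a subset of the rules quoted above. It assumes the default realm is DOMAIN.LOCAL (not stated in the thread) and shows that matching is case-sensitive, so the `.*@DOMAIN.LOCAL` rule maps pc7@DOMAIN.LOCAL but neither it nor DEFAULT applies to pc7@domain.local, the spelling printed in the error.

```python
import re

# Rule syntax used on this page: RULE:[n:format](regex)s/pattern/replacement/ or DEFAULT
RULE_RE = re.compile(r"RULE:\[(\d+):([^\]]*)\]\((.*?)\)s/([^/]*)/([^/]*)/(g?)|DEFAULT")

# Subset of the rules quoted in the thread.
RULES = """RULE:[1:$1@$0](.*@DOMAIN.LOCAL)s/@.*//
RULE:[2:$1@$0](nm@DOMAIN.LOCAL)s/.*/yarn/
RULE:[2:$1@$0](rm@DOMAIN.LOCAL)s/.*/yarn/
DEFAULT"""


def short_name(principal, rules=RULES, default_realm="DOMAIN.LOCAL"):
    """Return (short name, rule that applied), or (None, None) if no rule applies.

    default_realm is an assumption; the real value comes from krb5.conf.
    """
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    params = [realm] + parts  # $0 = realm, $1..$n = name components
    for m in RULE_RE.finditer(rules):
        if m.group(0) == "DEFAULT":
            # DEFAULT strips the realm only when it equals the default realm exactly.
            if realm == default_realm:
                return parts[0], "DEFAULT"
            continue
        n, fmt, match, pat, repl, glob = m.groups()
        if int(n) != len(parts):
            continue  # rule is for principals with a different component count
        base = re.sub(r"\$(\d)", lambda d: params[int(d.group(1))], fmt)
        if not re.fullmatch(match, base):
            continue  # the whole formatted string must match, case-sensitively
        # Replacement is treated as a literal string in this simplified model.
        return re.sub(pat, lambda _: repl, base, count=0 if glob else 1), m.group(0)
    return None, None  # Hadoop raises NoMatchingRule ("No rules applied to ...") here


if __name__ == "__main__":
    for p in ("pc7@DOMAIN.LOCAL", "pc7@domain.local",
              "nm/hdpuat01.domain.local@DOMAIN.LOCAL"):
        print(p, "->", short_name(p))
```

On a cluster node, `hadoop org.apache.hadoop.security.HadoopKerberosName pc7@domain.local` performs the same check against the live configuration.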