Support Questions

Find answers, ask questions, and share your expertise

historyserver not able to read log after enabling kerberos

avatar

hi,

 

i enable the kerberos on the cluster and it is working fine. But due to some issue mapred user is not albe to read and display log over jobhistory server. I check the logs of job history server and it giving access error as:

 

org.apache.hadoop.security.AccessControlException: Permission denied: user=mapred, access=READ_EXECUTE, inode="/user/history/done_intermediate/prakul":prakul:hadoop:drwxrwx---

 

as we can see the directory have access to hadoop group and mapred is in hadoop group, even then it is not able to read the logs. Similar error it is giving for /tmp/logs/<USER> folder due to which no log was displayed on resource manager UI.

 

I verify over all machine that hadoop group contains mapred user on all machine:

 

cloudera]# id mapred
uid=491(mapred) gid=489(mapred) groups=489(mapred),496(hadoop)

 

I also kinit the mapred user and try to access manually to these directory, but mapred not able to access even when folder having 770 permission:

 

[root@mn0 cloudera]# hdfs dfs -ls /tmp/logs/prakul
ls: Permission denied: user=mapred, access=READ_EXECUTE, inode="/tmp/logs/prakul":prakul:hadoop:drwxrwx---
[root@mn0 cloudera]# hdfs dfs -ls /tmp/logs/
Found 8 items
drwxrwx--- - xyz hadoop 0 2016-06-14 19:19 /tmp/logs/xyz
drwxrwx--- - abc hadoop 0 2016-06-13 06:06 /tmp/logs/abc
drwxrwx--- - prakul hadoop 0 2016-06-10 04:47 /tmp/logs/prakul
[root@mn0 cloudera]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: mapred/mn0.eastus.cloudapp.azure.com@AD.COM

Valid starting Expires Service principal
06/27/16 01:07:32 06/27/16 11:07:32 krbtgt/AD.COM@AD.COM
renew until 07/04/16 01:07:32

 

If i give 777 permission to the directory then mapred is able to read and show log over UI as well as CLI.

 

Can any one know whether it is some cloudera bug or there is some configuration issue due to which mapred not able to access the log even having full permission at group level?

 

I am using cloudera 5.7 with kerberos enable.

 

thanks in advance

Prakul singhal

1 ACCEPTED SOLUTION

avatar

Find the cause of problem. I have to explicitly add the hadoop group in AD and make the mapred user as the member of that group. After that I am able to see the logs. As given over below URL:

http://stackoverflow.com/questions/38114866/historyserver-not-able-to-read-log-after-enabling-kerber...

 

View solution in original post

1 REPLY 1

avatar

Find the cause of problem. I have to explicitly add the hadoop group in AD and make the mapred user as the member of that group. After that I am able to see the logs. As given over below URL:

http://stackoverflow.com/questions/38114866/historyserver-not-able-to-read-log-after-enabling-kerber...