Created 03-30-2018 11:58 AM
I disabled Kerberos and installed Metron with Ambari, but Ambari showed:
3137 [main] INFO o.a.s.f.Flux - Running remotely...
3138 [main] INFO o.a.s.f.Flux - Deploying topology in an ACTIVE state...
3156 [main] INFO o.a.s.StormSubmitter - Generated ZooKeeper secret payload for MD5-digest: -8204121732888936297:-4718837925061130180
3241 [main] WARN o.a.s.s.a.k.ClientCallbackHandler - Could not login: the client is being asked for a password, but the client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock.
3243 [main] ERROR o.a.s.s.a.k.KerberosSaslTransportPlugin - Server failed to login in principal:javax.security.auth.login.LoginException: No password provided
javax.security.auth.login.LoginException: No password provided
    at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:919) ~[?:1.8.0_151]
    at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_151]
    at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_151]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_151]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_151]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_151]
    at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_151]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_151]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_151]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_151]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_151]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_151]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_151]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_151]
    at org.apache.storm.messaging.netty.Login.login(Login.java:299) ~[storm-core-1.1.0.2.6.3.0-235.jar:1.1.0.2.6.3.0-235]
    at org.apache.storm.messaging.netty.Login.<init>(Login.java:96) ~[storm-core-1.1.0.2.6.3.0-235.jar:1.1.0.2.6.3.0-235]
    at org.apache.storm.security.auth.kerberos.KerberosSaslTransportPlugin.connect(KerberosSaslTransportPlugin.java:108) [storm-core-1.1.0.2.6.3.0-235.jar:1.1.0.2.6.3.0-235]
Who can help me?
Created 03-30-2018 12:27 PM
Despite disabling Kerberos, the errors clearly show that your Metron needs a keytab specified in the client_jaas.conf to start up.
Could you give a reason why you disabled Kerberos? Are other components starting up correctly?
Created 03-30-2018 12:53 PM
Other components started up correctly except for Metron. I just want to test if I can start Metron without Kerberos, because Kerberos is not that important to me and it's a bit of a problem.
Created 03-30-2018 01:21 PM
Unfortunately, there is no half method: you can't install a non-kerberized component on a kerberized cluster and expect it to work, because the cluster security can be compromised through that loophole.
What's the problem or biggest issue with having kerberos enabled for Metron?
Your workaround is to go to Ambari UI --> Admin --> Stacks & Versions --> Enable Kerberos --> Generate the missing keytabs.
This will generate the keytabs for Metron, and it should start normally thereafter.
Created 03-30-2018 01:34 PM
OK, thank you very much.
Created 03-30-2018 01:38 PM
But when I enabled Kerberos, the Storm UI cannot be accessed, and I have tried to kinit with the principal and keytab, but it doesn't work.
Created 03-30-2018 01:46 PM
Can you paste the contents of your /etc/storm/conf/clientjaas.conf?
Created 03-30-2018 02:03 PM
Ok:
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="nimbus";
};
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="kafka";
};
Created 03-30-2018 02:23 PM
I don't see the keytab; it should look like this example below:
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="nimbus";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/metron.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="metron@EXAMPLE.COM";
};
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/metron.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="kafka"
    principal="metron@EXAMPLE.COM";
};
Make sure that the values map to your actual config.
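An added example, not part of the original thread or of Metron/Storm: a small audit that parses a JAAS file and flags login sections an unattended client cannot use, which is the condition behind the "No password provided" error above. The sample text is constructed from the two configs posted in the thread; `parse_jaas`, `audit` and the `file_exists` parameter are hypothetical names, and comments inside a JAAS file are assumed absent.

```python
import os
import re

# Constructed sample: one ticket-cache-only section (as in the posted
# client_jaas.conf) and one keytab-based section (as in the reply's example).
SAMPLE = '''
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useTicketCache=true
    renewTicket=true
    serviceName="nimbus";
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/metron.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="metron@EXAMPLE.COM";
};
'''

# A section is "Name { ... };", options inside it are key=value pairs.
SECTION_RE = re.compile(r'([\w.]+)\s*\{(.*?)\}\s*;', re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')

def parse_jaas(text):
    """Return {section name: {option: value}} for every login section."""
    return {name: {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
            for name, body in SECTION_RE.findall(text)}

def audit(text, file_exists=os.path.isfile):
    """List (section, finding) pairs for sections that cannot log in unattended."""
    findings = []
    for name, opts in parse_jaas(text).items():
        if opts.get("useKeyTab", "false").lower() != "true":
            findings.append((name, "no keytab: login depends on a kinit ticket cache"))
        elif not opts.get("keyTab") or not opts.get("principal"):
            findings.append((name, "useKeyTab=true but keyTab or principal is missing"))
        elif not file_exists(opts["keyTab"]):
            findings.append((name, "keytab file not found: " + opts["keyTab"]))
    return findings

if __name__ == "__main__":
    for section, finding in audit(SAMPLE):
        print(f"{section}: {finding}")
```

Run it against the file the client actually loads, as the user that starts the topology, so the keytab existence check reflects that user's view of /etc/security/keytabs.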
Created 03-31-2018 10:35 AM
Hello, I found that there was a storm_jaas.conf in the same folder:
StormServer {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/nimbus.service.keytab"
    storeKey=true
    useTicketCache=false
    principal="nimbus/am3.ics.com@ICS.COM";
};
StormClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/storm.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="nimbus"
    principal="storm-ics_bigdata@ICS.COM";
};
RegistryClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/storm.headless.keytab"
    storeKey=true
    useTicketCache=false
    principal="storm-ics_bigdata@ICS.COM";
};
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/nimbus.service.keytab"
    principal="nimbus/am3.ics.com@ICS.COM"
    storeKey=true
    useTicketCache=false;
};
Client {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/storm.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="zookeeper"
    principal="storm-ics_bigdata@ICS.COM";
};
KafkaClient {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/storm.headless.keytab"
    storeKey=true
    useTicketCache=false
    serviceName="kafka"
    principal="storm-ics_bigdata@ICS.COM";
};
Is there any problem?
Created 03-31-2018 01:32 PM
Did you make a backup of the previous file? I would have loved to compare before overwriting it.
Despite what have you tried restarting? And do the storm or other keytabs exist in /etc/security/keytabs/*?
Created 03-31-2018 02:52 PM
Could you please tell me what you want to view? Keytabs or storm_jaas.conf?
storm_jaas.conf will be overwritten by Ambari every time I try to restart Storm. And the content above is the latest version.