01:12 PM
Hi @Sigmund Broele, Would you please check if the below properties set properly. In "Advanced core-site"
In "Advanced hdfs-site"
In "Ranger KMS Service > Custom kms-site.xml
10:29 AM
@Sajesh PP Are you able to list the keys using above method?If so, please login and accept the answer.
10:45 AM
@VinayPlease login and accept the answer if you find this helpful. Thanks
12:35 PM
Hi @Ankita Ghate Check the principals in kdc server $kadmin.local
Authenticating as principal root/admin@<realm> with password.
kadmin.local: listprincsK/M@<realm>
krbtgt/TEST.COM@TEST.COM Must create a admin principal for enabling kerberos from ambari $kadmin.local
$kadmin.local: addprinc admin/admin@<realm>
WARNING: no policy specified for root/admin@<realm>; defaulting to no policy
Enter password for principal "admin/admin@<realm>":<password>
Re-enter password for principal "admin/admin@<realm>":<password>
Principal "admin/admin@<realm>" created. While enabling the kerberos from ambari, use the below principal and corresponding password Admin principal : admin/admin@<realm>
admin password : <password> Try manual kinit of the same principal on ambari-server machine like, kinit admin/admin@REALM
Password: ******* Check if above is working fine. Also, you can refer the below thread which talk about adding the credential using API call as temporary or Permanent Hope this helps!
10:58 AM
Hi @Sajesh PP, Could you please try to add new user to KMS policy and grant the permissions. Login as keyadmin -> Access Manager -> Click the KMS service -> Edit "all-keyname" policy -> add newly created user in select user section. Hope this helps!! Please login and accept the answer if you find this answer helpful. Thanks
05:16 PM
Hi @Sajesh PP, To create KMS admins, do the following:
1. Since only admin role can create users, first login to Ranger UI as an admin.
2. Create multiple new users from Ranger webUI and keep these users as ADMIN role
3. Go to Settings -> Permissions -> Edit 'Key Manager' permission & add newly created user to 'Key Manager' module -> Save & Logout
4. Login as new user and you can use 'Encryption' tab for creating and managing the keys.
Hope this helps! Please login and accept the answer if you find this answer helpful. Thanks
01:03 PM
Hi @Vinay, It's seems to be an issue with stale WAL splits, try removing WAL's from below hdfs location and restart the Hbase and region services. /apps/hbase/data/WALs/ Please note that, removing them is almost never an ideal situation unless there is no data in HBase.
08:04 AM
We have Ranger KMS installed in our cluster. Somehow, ranger kms was in stale config state. I have restarted the Ranger KMS service and hive service check run is fine now.
08:49 AM
Hi, I'm getting the below issue during hive service check run. 2018-12-06 08:21:38,426 - Running WEBHCAT checks
2018-12-06 08:21:38,426 - ---------------------
2018-12-06 08:16:07,624 - Retrying after 5 seconds. Reason: Execution of '/var/lib/ambari-agent/tmp/ ambari-qa 50111 idtest.ambari-qa.1544084165.41.pig /etc/security/keytabs/smokeuser.headless.keytab true /usr/bin/kinit ambari-qa-yrt_sec_hkt@HADOOP.CER.HKT.COM /var/lib/ambari-agent/tmp' returned 1. Templeton Smoke Test (ddl cmd): Failed. : {"error":" Connection refused (Connection refused)"}http_code <500>
Templeton Smoke Test (ddl cmd): Failed. : {"error":" Connection refused (Connection refused)"}http_code <500>
I tried to execute the below command manually. [root@a767ca44d046 ~]# /var/lib/ambari-agent/tmp/ ambari-qa 50111 idtest.ambari-qa.1544084498.43.pig /etc/security/keytabs/smokeuser.headless.keytab true /usr/bin/kinit ambari-qa-yrt_sec_hkt@HADOOP.CER.HKT.COM /var/lib/ambari-agent/tmp
Templeton Smoke Test (ddl cmd): Failed. : {"error":" Connection refused (Connection refused)"}http_code <500> I have updated the below properties in custom core-site.xml in ambari but did not help. hadoop.proxyuser.HTTP.hosts=*
webhcat.proxyuser.HTTP.hosts=* Would you please help on this. Thank you.
11:03 AM
Hi, @Veera Mundra, Glad that the issue is resolved. Since this is a different issue, I would suggest to open a new thread for this issue so that the main thread doesn't get deviated. I'm not sure of this issue, may be other experts can help on this. Thanks
