Cloudera Community
Shelton
user rank
Master Mentor

Re: Kerberos with hortonworks stack 18.04 ubuntu

by New Member in Support Questions
‎01-29-2019 01:50 AM
‎01-29-2019 01:50 AM
Thanks Again! I do believe I found my issue. the repos where not complete and accurate on my ubuntu 18.04 builds , so I just copied repos from my xenial 16.04 box and replaced xenial with ubuntu then was able to install lafter update the kerberos client. here was my final repo for ubuntu 18.04 deb http://us.archive.ubuntu.com/ubuntu/ bionic main restricted deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates main restricted deb http://us.archive.ubuntu.com/ubuntu/ bionic universe deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates universe deb http://us.archive.ubuntu.com/ubuntu/ bionic multiverse deb http://us.archive.ubuntu.com/ubuntu/ bionic-updates multiverse deb http://us.archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse deb http://security.ubuntu.com/ubuntu bionic-security main restricted deb http://security.ubuntu.com/ubuntu bionic-security universe deb http://security.ubuntu.com/ubuntu bionic-security multiverse ... View more

Re: cant start kafka broker from ambari

by Master Mentor in Support Questions
‎01-28-2019 11:57 AM
1 Kudo
‎01-28-2019 11:57 AM
1 Kudo
@Michael Bronson If you have exhausted all other avenues YES, Step 1 Check and compare the /usr/hdp/current/kafka-broker symlinks Step 2 Download both env'es as backup from the problematic and functioning cluster Upload the functioning cluster env to the problematic one, since you have a backup Start kafka through ambari Step 3 sed -i 's/verify=platform_default/verify=disable/'/etc/python/cert-verification.cfg Step 4 Lastly, if the above steps don't remedy the issue, then remove and -re-install the ambari-agent and remember to manually point to the correct ambari server in the ambari-agent.ini ... View more

Re: ambari 2.7.1 to 2.7.3 upgrade failed

by Frequent Visitor in Support Questions
‎01-25-2019 07:47 PM
‎01-25-2019 07:47 PM
Thanks Geoffrey. I copied the backup of the ambari.properties to expected location and ran the upgrade command again and it worked this time. ... View more

Re: Atlas Metadata server not starting

by Master Mentor in Support Questions
‎01-28-2019 08:50 AM
‎01-28-2019 08:50 AM
@Bhushan Kandalkar Good it worked out but you shouldn't have omitted the information about the architecture ie Load balancer such info is critical in the analysis ....:-) Happy hadooping ... View more

Re: namenode down?

by Master Mentor in Support Questions
‎01-24-2019 04:07 PM
‎01-24-2019 04:07 PM
@Lokesh Mukku Good to know it has given you a better understanding. If you found this answer addressed your question, please take a moment to log in and click the "accept" link on the answer. That would be a great help to Community users to find the solution quickly for these kinds of errors. Happy hadooping !!!!! ... View more

Re: Spark in yarn-cluster mode on Zeppelin

by Visitor in Support Questions
‎01-22-2019 12:23 PM
‎01-22-2019 12:23 PM
Thank you for your fast answer! Indeed it works after tweaking zeppelin's spark interpreter parameters and changing: master: yarn-cluster to master: yarn spark.submit.deployMode: cluster ... View more

Re: ConsumeKafka processor's NiFi can't communicat...

by Rising Star in Support Questions
‎02-04-2019 04:11 PM
‎02-04-2019 04:11 PM
@Geoffrey Shelton Okot Thank you, you are right, the problem was really in zookeeper's acl. I copied everything in "ZooKeeper directory" from Test cluster to Dev cluster and that was help. But i don't know what exactly permission affected it. Is something way to get list all acl permission by Zookeeper? I would like to compare it with all acl from both cluster. ... View more

Re: Can not add HDF 3.3.1 service in Ambari 2.7.3

by New Member in Support Questions
‎01-15-2019 02:18 AM
‎01-15-2019 02:18 AM
I think my mpack wasn't installed properly. So I uninstalled and reinstalled again. Now it is working fine. I followed the steps from Derek's answer from the link below: https://community.hortonworks.com/questions/208084/remove-hdf-mpack.html Thanks, ... View more

Re: can we enable nifi in hdp 3.0?

by New Member in Support Questions
‎01-10-2019 08:45 AM
‎01-10-2019 08:45 AM
You are right, it is just a label issue in the HDF mack extention ... View more

Creating a local hadoop principal and keytab in a...

by Master Mentor in Community Articles
‎05-11-2018 04:55 AM
2 Kudos
‎05-11-2018 04:55 AM
2 Kudos
Iy you have deployed and secured your multi-node-cluster with an MIT KDC running on a Linux box (dedicated or not), this can also be applied on a single node cluster. Below is a step by step procedure to grant a group of user(s) on the Edge node with access to services in the cluster. Assumption KDC is running KDC is created KDC user and a master password is available REALM: DEV.COM Users: user1 to user5 Edge node: for users Kerberos Admin user is root or sudoer A good solution security-wise is to copy the generated keytabs to that users' home directory. If these are local Unix users NOT Active directory then create the keytabs in e.g /tmp and later copy them to their respective home directories and make sure to change the correct permissions on the keytabs. A good practice is to ensure a node dedicated to users usually called an EDGE NODE all client software is installed here and not on the Data or Name Nodes! Change directory to tmp # cd /tmp If you have root access, no need for sudo, specify the password for user1 # sudo kadmin.local Authenticating as principal root/admin@DEV.COM with password. kadmin.local: addprinc user1@DEV.COM WARNING: no policy specified for user1@DEV.COM; defaulting to no policy Enter password for principal "user1@DEV.COM": Re-enter password for principal "user1@DEV.COM": Principal "user1@DEV.COM" created. Do the above step for all the new users addprinc user2@DEV.COM addprinc user3@DEV.COM addprinc user4@DEV.COM addprinc user5@DEV.COM The keytabs with be generated in the current directory Generate keytab for user1 The keytab will be generated in the current directory # sudo ktutil ktutil: addent -password -p user1@DEV.COM -k 1 -e RC4-HMAC Password for user1@DEV.COM: ktutil: wkt user1.keytab ktutil: q You MUST repeat the above for all the 5 users Copy the newly created keytab to the user's home directory, in this example I have copied the keytab to /etc/security/keytabs # cp user1.keytab /etc/security/keytabs Change ownership & permission here user1 belongs to hadmin group # chown user1:hadmin user1.keytab Again do the above for all the other users. A good technical and security best practice is to copy the keytabs from the kdc to edge node respective home directories and change the ownership of the keytabs Validate the principals in this example the keytabs are in /etc/security/keytabs # klist -kt /etc/security/keytabs/user1.keytab Keytab name: FILE:/etc/security/keytabs/user1.keytab KVNO Timestamp Principal ----------- ------------------- ------------------------------------------------------ 1 05/10/2018 10:46:27 user1@DEV.COM To ensure successful ticket attribution the newly created user should validate the principal. See example below and use it grab a ticket, the principal will be concatenated with the keytab when running the kinit # klist -kt /etc/security/keytabs/user1.keytab Keytab name: FILE:/etc/security/keytabs/user1.keytab KVNO Timestamp Principal -------- ------------------------ -------------------------------------------------------- 1 05/10/18 01:00:50 user1@DEV.COM .... .................. .............. 1 05/10/18 01:00:50 user1@DEV.COM Test the new user1 should try grabbing a Kerberos ticket (keytab + principal) # kinit -kt /etc/security/keytabs/user1.keytab user1@DEV.COM The below command should show the validity of the Kerberos ticket # klist Ticket cache: FILE:/tmp/krb5cc_0 Default principal: user1@DEV.COM Valid starting Expires Service principal 05/10/2018 10:53:48 05/11/2018 10:53:48 krbtgt/DEV.COM@DEV.COM You should be okay now access and successfully run jobs on the cluster see example Accessing Hive CLI with Kerberos ticket $ hive 2018-05-10 23:18:57 WARN [main] conf.HiveConf: HiveConf of name hive.custom-extensions.root does not exist log4j:WARN No such property [maxFileSize] in org.apache.log4j.DailyRollingFileAppender. Logging initialized using configuration in file:/etc/hive/2.6.2.0-205/0/hive-log4j.properties hive> show databases; OK default Time taken: 8.525 seconds, Fetched: 1 row(s) Success !! Accessing Hive without a Kerberos ticket¨ Destroy the Kerberos ticket $ kdestroy Validate the existence of absence of Kerberos ticket $ klist klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1001) Accessing Hive CLI should fail ... View more
Contact Me
Online
Offline
Last Visited
‎06-01-2026 01:43 AM
Community Statistics
Member Since ‎01-19-2017 04:35 AM
Last Visited ‎06-01-2026 01:43 AM
Posts 3,682
Kudos received 622