04-03-2017
12:34 AM
1 Kudo
May I have the Apache JIRA ID?
04-01-2017
01:15 AM
Thanks to @Vipin Rathor, I was able to set up HAProxy for Kerberos-ed WebHDFS. After that, it needed some changes for Ambari, so I wrote: https://community.hortonworks.com/articles/91685/how-to-setup-haproxy-for-webhdfs-ha.html (Japanese)
03-29-2017
08:29 AM
2 Kudos
Servers used in this document:
node1.localdomain = HAProxy server
node2.localdomain = NameNode1
node3.localdomain = NameNode2
1. Install HAProxy
[root@node1 ~]# yum install -y haproxy
2. Set up HAProxy with minimum configuration
[root@node1 ~]# cp -p /etc/haproxy/haproxy.cfg /etc/haproxy/haproxy.cfg.orig
[root@node1 ~]# vim /etc/haproxy/haproxy.cfg
... (snip) ...
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main *:50070
    default_backend app
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    balance roundrobin
    # The health check is sent without credentials, so a 401 from SPNEGO also counts as "up"
    option httpchk GET /webhdfs/v1/?op=CHECKACCESS
    http-check expect rstatus ([23][0-9][0-9]|401)
    server node2 node2.localdomain:50070 check
    server node3 node3.localdomain:50070 check
3. Create a new service principal for HAProxy from your KDC server
kadmin.local -q "addprinc -randkey HTTP/node1.localdomain@HO-UBU02"
4. Create a keytab. If the same file already exists, take a backup just in case
[root@node1 ~]# mv /etc/security/keytabs/spnego.service.keytab /etc/security/keytabs/spnego.service.keytab.old
[root@node1 ~]# kadmin -p ambari/admin -q "ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/node1.localdomain@HO-UBU02"
Authenticating as principal ambari/admin with password.
Password for ambari/admin@HO-UBU02:
...
5. Copy this keytab into NameNode servers:
[root@node1 ~]# scp /etc/security/keytabs/spnego.service.keytab node2.localdomain:/tmp/node1.spnego.service.keytab
spnego.service.keytab 100% 306 0.3KB/s 00:00
[root@node1 ~]# scp /etc/security/keytabs/spnego.service.keytab node3.localdomain:/tmp/node1.spnego.service.keytab
spnego.service.keytab 100% 306 0.3KB/s 00:00
6. Merge keytabs:
First, confirm the keytab path:
[root@node2 ~]# grep 'dfs.web.authentication.kerberos.keytab' -A1 /etc/hadoop/conf/hdfs-site.xml
<name>dfs.web.authentication.kerberos.keytab</name>
<value>/etc/security/keytabs/spnego.service.keytab</value>
Make a backup:
[root@node2 ~]# mv /etc/security/keytabs/spnego.service.keytab /etc/security/keytabs/spnego.service.keytab.orig
Merge keytabs with ktutil:
[root@node2 ~]# ktutil
ktutil: rkt /etc/security/keytabs/spnego.service.keytab.orig
ktutil: rkt /tmp/node1.spnego.service.keytab
ktutil: wkt /etc/security/keytabs/spnego.service.keytab
ktutil: quit
Set the owner and permissions:
[root@node2 ~]# chown root:hadoop /etc/security/keytabs/spnego.service.keytab
[root@node2 ~]# chmod 440 /etc/security/keytabs/spnego.service.keytab
Confirm:
[root@node2 ~]# klist -kte /etc/security/keytabs/spnego.service.keytab
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
2 03/22/17 08:45:02 HTTP/node2.localdomain@HO-UBU02 (aes256-cts-hmac-sha1-96)
2 03/22/17 08:45:02 HTTP/node2.localdomain@HO-UBU02 (aes128-cts-hmac-sha1-96)
2 03/22/17 08:45:02 HTTP/node2.localdomain@HO-UBU02 (des3-cbc-sha1)
2 03/22/17 08:45:02 HTTP/node2.localdomain@HO-UBU02 (arcfour-hmac)
5 03/22/17 08:45:02 HTTP/node1.localdomain@HO-UBU02 (aes256-cts-hmac-sha1-96)
5 03/22/17 08:45:02 HTTP/node1.localdomain@HO-UBU02 (aes128-cts-hmac-sha1-96)
5 03/22/17 08:45:02 HTTP/node1.localdomain@HO-UBU02 (des3-cbc-sha1)
5 03/22/17 08:45:02 HTTP/node1.localdomain@HO-UBU02 (arcfour-hmac)
7. Do the above steps on Node3 as well
8. From Ambari, search for dfs.web.authentication.kerberos.principal and change it to "*"
NOTE: Newer Ambari does not allow changing this. In that case, please use configs.sh (deprecated) or configs.py
9. (Optional but strongly recommended) Just in case, stop ambari-server and take a database backup, for example:
ambari-server stop
pg_dump -Uambari -Z 9 -f ./ambari_$(date +"%Y%m%d%H%M%S").sql.gz
10. Log in to the Ambari database, for example:
psql -Uambari ambari
then run the UPDATE statement below:
update alert_definition set alert_source = replace(alert_source, '{hdfs-site/dfs.web.authentication.kerberos.principal}', '{hdfs-site/dfs.namenode.kerberos.internal.spnego.principal}') where alert_source like '%{hdfs-site/dfs.web.authentication.kerberos.principal}%' and component_name in ('NAMENODE', 'JOURNALNODE', 'DATANODE');
11. Log in to the Ambari server with SSH as *root*, then type the following commands:
cd /var/lib/ambari-server/resources/common-services/HDFS/2.1.0.2.0/package/alerts
sed -i_$(date +"%Y%m%d%H%M%S").bak 's/dfs.web.authentication.kerberos.principal/dfs.namenode.kerberos.internal.spnego.principal/' *.py
ambari-server restart
12. From the Ambari UI, disable and enable each alert that is failing due to the ".../spnego.service.keytab * > ..." error. When you disable an alert, please wait until all red alerts have disappeared.
13. Restart HDFS components from Ambari
14. Test ("HTTP/1.1 200 OK" means good)
[root@node1 ~]# curl --negotiate -u : -X GET 'http://node3.localdomain:50070/webhdfs/v1/?op=CHECKACCESS'
[root@node1 ~]# curl --negotiate -u : -X GET 'http://node2.localdomain:50070/webhdfs/v1/?op=CHECKACCESS'
{"RemoteException":{"exception":"StandbyException","javaClassName":"org.apache.hadoop.ipc.StandbyException","message":"Operation category READ is not supported in state standby"}}[root@node1 ~]#
[root@node1 ~]# curl -s -I --negotiate -u : 'http://node1.localdomain:50070/webhdfs/v1/?op=CHECKACCESS' | grep ^HTTP
HTTP/1.1 401 Authentication required
HTTP/1.1 200 OK
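An added check for the merged keytab from steps 6 to 8 (not part of the original post): with dfs.web.authentication.kerberos.principal set to "*", Hadoop's SPNEGO handler accepts every HTTP/ principal found in the keytab, so this script audits `klist -kte` output for unexpected or missing principals and for deprecated des3/arcfour keys like the ones in the listing above. The function names, the sample listing and the `oldproxy` host are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit `klist -kte` output.
# Usage: klist -kte <keytab> | audit_keytab_listing <expected principal>...
# Prints WEAK / UNEXPECTED / MISSING findings; returns 1 if there are any.
audit_keytab_listing() {
  local findings
  findings=$(awk -v expected="$*" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    # Key lines look like: KVNO  date  time  principal  (enctype)
    $1 ~ /^[0-9]+$/ && NF >= 5 {
      princ = $4; enc = $5
      gsub(/[()]/, "", enc); sub(/^DEPRECATED:/, "", enc)
      seen[princ] = 1
      # Single-DES, 3DES and RC4 keys are deprecated enctypes.
      if (enc ~ /^(des|des3|arcfour)-/) print "WEAK " princ " " enc
    }
    END {
      for (p in seen) if (!(p in want)) print "UNEXPECTED " p
      for (p in want) if (!(p in seen)) print "MISSING " p
    }' | sort)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample in the format shown above; "oldproxy" is a made-up
# leftover entry, the other principals are the ones used on this page.
sample_listing() {
  cat <<'EOF'
Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/22/17 08:45:02 HTTP/node2.localdomain@HO-UBU02 (aes256-cts-hmac-sha1-96)
   2 03/22/17 08:45:02 HTTP/node2.localdomain@HO-UBU02 (arcfour-hmac)
   5 03/22/17 08:45:02 HTTP/node1.localdomain@HO-UBU02 (aes256-cts-hmac-sha1-96)
   5 03/22/17 08:45:02 HTTP/node1.localdomain@HO-UBU02 (des3-cbc-sha1)
   3 03/22/17 08:45:02 HTTP/oldproxy.localdomain@HO-UBU02 (aes256-cts-hmac-sha1-96)
EOF
}

sample_listing | audit_keytab_listing \
  HTTP/node1.localdomain@HO-UBU02 HTTP/node2.localdomain@HO-UBU02 || true
```

On a NameNode, pipe the real listing in place of `sample_listing` and pass the proxy's and that node's HTTP principals as the expected set.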
03-24-2017
02:53 AM
Does "hbase org.apache.hadoop.hbase.snapshot.ExportSnapshot" use ATS? Maybe restarting ResourceManager fixed the issue?
03-23-2017
01:00 AM
@Namit Maheshwari Node2 is the Active NameNode right now (node1 is the HAProxy server). I changed to curl -I; if you prefer curl -i, let me know. Thank you!
[root@node2 ~]# kdestroy
kdestroy: No credentials cache found while destroying cache
[root@node2 ~]# kinit -kt /etc/security/keytabs/spnego.service.keytab HTTP/node2.localdomain@HO-UBU02
[root@node2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/node2.localdomain@HO-UBU02
Valid starting Expires Service principal
03/23/17 00:54:33 03/23/17 10:54:33 krbtgt/HO-UBU02@HO-UBU02
renew until 03/30/17 00:54:33
[root@node2 ~]# curl -I --negotiate -u : 'http://node2.localdomain:50070/webhdfs/v1/tmp/?op=LISTSTATUS'
HTTP/1.1 401 Authentication required
Cache-Control: must-revalidate,no-cache,no-store
Date: Thu, 23 Mar 2017 00:55:47 GMT
Pragma: no-cache
Date: Thu, 23 Mar 2017 00:55:47 GMT
Pragma: no-cache
Content-Type: text/html; charset=iso-8859-1
WWW-Authenticate: Negotiate
Set-Cookie: hadoop.auth=; Path=/; HttpOnly
Content-Length: 1408
Server: Jetty(6.1.26.hwx)
HTTP/1.1 200 OK
Cache-Control: no-cache
Expires: Thu, 23 Mar 2017 00:55:47 GMT
Date: Thu, 23 Mar 2017 00:55:47 GMT
Pragma: no-cache
Expires: Thu, 23 Mar 2017 00:55:47 GMT
Date: Thu, 23 Mar 2017 00:55:47 GMT
Pragma: no-cache
Content-Type: application/json
Set-Cookie: hadoop.auth="u=HTTP&p=HTTP/node2.localdomain@HO-UBU02&t=kerberos&e=1490266548000&s=HN3jepaKuYI5iKYfJ5IW1wHxJ3M="; Path=/; HttpOnly
Content-Length: 0
Server: Jetty(6.1.26.hwx)
[root@node2 ~]#