@irfangk1    It's NOT a requirement but best practice you that you have better control and filter of who has access to your cluster and it is on the edge, not you Firewall your cluster by deploying KNOX like a DMZ in a classic network. 2M and & 6D is fine so one of the 3 ZK masters will sit on a data node right? .. Here is a document that should inspire you setup of edge node in HDP cluster ... View more

@irfangk1  Edge nodes are the interface between the Hadoop cluster and the outside network. They’re also often used as staging areas for data being transferred into the Hadoop cluster. Installing the edge node is as easy as adding a node to the cluster. The only difference is that on the edge-node you will only deploy client software ONLY e.g SQOOP, PIG, HDFS, YARN, HBase, SPARK, ZK HIVE or HUE etc to enable you to for example to run HDFS commands on the edge-node. To enable communication between the outside network and the Hadoop cluster, edge nodes need to be multi-homed into the private subnet of the Hadoop cluster as well as into the corporate network. A multi-homed computer is one that has dedicated connections to multiple networks. This is a practical illustration of why edge nodes are perfectly suited for interaction with the world outside the Hadoop cluster. Keeping your Hadoop cluster in its own private subnet is an excellent practice, so these edge nodes serve as a controlled window inside the cluster If you're using Knox for perimeter security, then all clients' software should reside on a dedicated Knox gateway machine to which end users can submit their requests.It's good practice to divide the cluster into master nodes, worker nodes, edge node(s), and management node. Services such as Namenode, Zookeeper, Yarn Resource Manager, Secondary Namenode usually run on the master node machines. Worker nodes aka Datanode should be further divided into two categories those running HDFS and Yarn and those running Storm and Kafka and other components A minimum best practice is to have 3-5 master and >5 data nodes. HTH ... View more

@Jena  Great patience never give up 😁 😂 . I think your problem is now resolved I suspect incompatibility problem with IE 11 I need to check the documentation later today. Please take some time to accept my reponse as valid answer  so other members can use 8t to resolve the same issue. Happy hadooping ... View more

@saivenkatg55  Did you set these parameters?   Configure the following environment properties for MIT Kerberos. KRB5_CONFIG: Path for the kerberos ini file. KRB5CCNAME: Path for the kerberos credential cache file. Please revert  ... View more

@Srishan    I want you to really confirm you followed the Cloudera document because by experience I have at time struggled to help members with issues, really starting from the basics and asking whether they, for example, if they followed the preparation of the environment a pre-requisite and they confirm the affirmative and in end after exhausting all avenues passionately trying to help then someone tells you it was the firewall or NTP after spending 3 to 4 days exchanging email  Having said that ,can you share the logs  so I can analyze ... View more

@Srishan  I just posted a response to a similar question. Did you reset the root password and ambari-admin-password-reset also? The sandbox should work out of the box without much tweaking ... View more

@Jena  I think you are on the right track but some steps away. You need to log in using the Web CLI as root/hadoop first change the root password after successfully doing that while still logged in as root rest the  #ambari-admin-password-reset  this will launch in the background a series of script execution and  trigger the restart of ambari server and some components some by default are in maintenance mode ONLY after then can you access the DAS UI please let me know if thats clear enough. HTH ... View more

@Fsetiawan  You can crate the keytabs for these user on the KDC and  send it to them but they MUST have locally the copy of the krb5.conf and correct permissions on those keytabs. The other solution is to create a trust between the 2 domains. HTH ... View more

@Vij    Can you share your share your zookeeper_client_jaas.conf and zookeeper_jaas.conf they should be look like below zookeeper_client_jaas.conf Client { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=false useTicketCache=true; }; zookeeper_jaas.conf Server { com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true storeKey=true useTicketCache=false keyTab="/etc/security/keytabs/zk.service.keytab" principal="zookeeper/<host>@[REALM]"; };   Please compare and let me know    ... View more

@saivenkatg55    I can see your name node is in safe mode can you do the following As root # su - hdfs # Check  to validate what I saw in the log $ hdfs dfs -safemode get # Resolve the lock out $ hdfs dfs -safemode leave # Validate safe mode is off $ hdfs dfs -safemode get That should resolve the issue! Then also send me Share /var/log/kadmind.log and /var/log/kadmind.log ... View more

@saivenkatg55  Share /var/log/kadmind.log and /var/log/kadmind.log .. you can use Big file Transfer ... View more

@saivenkatg55  What do you mean by local (MIT) if I guess right you are accessing the HDP cluster from a client laptop or edge node where you installed the Kerberos client libraries. To communicate with secure Hadoop clusters that use Kerberos authentication, known as Kerberized clusters, a client uses the Kerberos client utilities. You MUST install these utilities on the same system where you are connecting from. For Linux desktops here are the different options Ubunt: # apt install krb5-user RHEL/Centos: # yum install -y krb5-server krb5-libs krb5-workstation These packages deliver the krb5.conf that the client should configure to connect to a kerberized cluster, the easier and recommended way is to copy the krb5.conf from the kdc server to all clients that need to connect to the Kerberized cluster in RHEL/CentOS it's located in /etc/krb5.conf. This file has the pointer to the REALM, KDC and ADMIN server Here is an example [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = REDHAT.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] REDHAT.COM = { kdc = KDC.REDHAT.COM admin_server = KDC.REDHAT.COM } [domain_realm] .redhat.com = REDHAT.COM redhat.com = REDHAT.COM Else share /var/log/kadmind.log and /var/log/kadmind.log   HTH ... View more

@vsrikanth9    The UI  and the contents of your krb5.conf look okay my only concern is the encryption types entries for the Kerberos encryption types field matches what your KDC supports, so can  look at the line supported_enctypes = Do you have a particular reason to have the 3 entries in /var/kerberos/krb5kdc/kadm5.acl the first line ONLY is enough */admin@CLSECURITY.COM *   Please do that and  revert  ... View more

@AU  As promised here is the download the document  read through and follow the steps   HTH   ... View more

@AU  What the value of  "  server.jdbc.driver.path=[path/to/custom_jdbc_driver] " if empty can you replace it with "/usr/share/java/mysql-connector-java-8.0.17.jar" Can you validate your JCE  if not download  JCE link  Then o n Ambari Server and on each host in the cluster, add the unlimited security policy JCE jars to $JAVA_HOME/jre/lib/security/. For example, run the following to extract the policy jars into the JDK installed on your host: unzip -o -j -q jce_policy-8.zip -d /usr/jdk64/jdk1.8.0_40/jre/lib/security/     ... View more

@AU    Assuming you are on Linux RHEL/Centos just add an extra step to my previous response do the following Step 1 # yum install -y mysql-connector-java Step 2 Ensure that the file exists # ls -al /usr/share/java/mysql-connector-java.jar -rw-r--r-- 1 root root 883898 Jun 10 2014 /usr/share/java/mysql-connector-java.jar The run the below command Step 3 # ambari-server setup --jdbc-db=mysql --jdbc-driver=/usr/share/java/mysql-connector-java.jar Step 4 After the above command please validate that this entry exist in the /etc/ambari-server/conf/ambari.properties file # cat /etc/ambari-server/conf/ambari.properties | grep mysql-connector-java.jar custom.mysql.jdbc.name=mysql-connector-java.jar previous.custom.mysql.jdbc.name=mysql-connector-java.jar Step 5 Restart the agent and the Ambari server # ambari-server stop # ambari-server start Then finally # ambari-agent stop # ambari-agent start Your problem should be resolved, please revert ... View more

@mailtosolaris    There are 2 ways to kerberize a cluster either MIT or AD as the KDC. In your situation, the easiest option will be to use the AD as KDC so that during the initial kerberization all existing AD users Kerberos  keytabs will be generated automatically and all subsequent users added in AD wil also trigger their keytab creation without will be trigger automatically.   You will need a Windows Server 2012R2 or later and quite a number of steps to achieve that. Here is a visually rich document from @ Kuldeep   Setup and configure Active Directory server for Kerberos The steps look challenging but doable also have this as a Hortonwork reference but the Kuldeep document will work like a charm.    hope that helps ... View more

@AU  I think you missed a step during your Ambari server setup ! Can you run the below command as the root user Step1 Ensure that the file exists # ls -al /usr/share/java/mysql-connector-java.jar -rw-r--r-- 1 root root 883898 Jun 10 2014 /usr/share/java/mysql-connector-java.jar The run the below command  Step 2 # ambari-server setup --jdbc-db=mysql --jdbc-driver=/usr/share/java/mysql-connector-java.jar   Step 3 After the above command please validate that this entry exist in the /etc/ambari-server/conf/ambari.properties file  # cat /etc/ambari-server/conf/ambari.properties | grep mysql-connector-java.jar custom.mysql.jdbc.name=mysql-connector-java.jar previous.custom.mysql.jdbc.name=mysql-connector-java.jar Step4 Restart the agent and the Ambari server  # ambari-server stop # ambari-server start   Then    # ambari-agent stop # ambari-agent start   Your problem should be resolved, please revert  ... View more