Part 3 of the previous kerberization document ... View more

@Tom Burke Setup the Server: Install Kerberos KDC and Admin Server $ apt update && apt upgrade -y $ apt install krb5-kdc krb5-admin-server krb5-config -y $ krb5_newrealm Locate and edit the krb5.conf [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = TEST.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] TEST.COM = { kdc = server.test.com admin_server = server.test.com } [domain_realm] .test.com = TEST.COM test.com = TEST.COM KDC configuration Locate and edit the kdc.conf /etc/krb5kdc/kdc.conf. [kdcdefaults] kdc_ports = 88 kdc_tcp_ports = 88 [realms] TEST.COM = { #master_key_type = aes256-cts acl_file = /var/kerberos/krb5kdc/kadm5.acl dict_file = /usr/share/dict/words admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal } Create the Kerberos database This should pick your REALM for the krb5.conf and kdc.conf you will be prompted for a master password keep it preciously it will be useful for the Ambari Kerberos wizard # /usr/sbin/kdb5_util create -s output Loading random data Initializing database '/var/kerberos/krb5kdc/principal' for realm 'TEST.COM', master key name 'K/M@TEST.COM' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: Re-enter KDC database master key to verify: Locate and edit the kadm5.acl Assign Administrator Privilege by editing the kadm5.acl in /var/kerberos/krb5kdc/kadm5.acl replace the EXAMPLE.COM with your realm */admin@TEST.COM * Restart the KDC and kadmin Set the 2 daemons to auto start at boot else your cluster won't start # /etc/rc.d/init.d/krb5kdc start Starting Kerberos 5 KDC: [ OK ] # /etc/rc.d/init.d/kadmin start Starting Kerberos 5 Admin Server: Create a Kerberos Admin Use the same master password # kadmin.local -q "addprinc admin/admin" Output Authenticating as principal root/admin@TEST.COM with password. WARNING: no policy specified for admin/admin@TEST.COM; defaulting to no policy Enter password for principal "admin/admin@TEST.COM": Re-enter password for principal "admin/admin@TEST.COM": Principal "admin/admin@TEST.COM" created. Check if the root principal was created Go to Ambari and enable Kerberos See attached Kerberos setup for HDP 3.1 they are quite similar save for the new UI ... View more

@Marcel-Jan Krijgsman So frustrating indeed have you tried running the hive import from /usr/hdp/2.6.5.0-292/atlas/hook-bin ? The output should look like below # ./import-hive.sh Using Hive configuration directory [/etc/hive/conf] Log file for import is /usr/hdp/current/atlas-server/logs/import-hive.log log4j:WARN No such property [maxFileSize] in org.apache.log4j.PatternLayout. log4j:WARN No such property [maxBackupIndex] in org.apache.log4j.PatternLayout. Enter username for atlas :- admin Enter password for atlas :- Hive Meta Data imported successfully!!! After running successfully you should be able to see your tables in Atlas ... View more

@Michael Bronson If you have exhausted all other avenues YES, Step 1 Check and compare the /usr/hdp/current/kafka-broker symlinks Step 2 Download both env'es as backup from the problematic and functioning cluster Upload the functioning cluster env to the problematic one, since you have a backup Start kafka through ambari Step 3 sed -i 's/verify=platform_default/verify=disable/'/etc/python/cert-verification.cfg Step 4 Lastly, if the above steps don't remedy the issue, then remove and -re-install the ambari-agent and remember to manually point to the correct ambari server in the ambari-agent.ini ... View more

@Michael Bronson If you can start your brokers from the CLI then that means your env is not set properly as Ambari depends on that env to successfully start or stop a component. What you could do is export the env from the problematic cluster and compare it meticulously against the env from the working cluster using the procedures I sent above. You should be able to see the difference Can you also validate that the symlinks are okay ... View more

@Bhushan Kandalkar Good it worked out but you shouldn't have omitted the information about the architecture ie Load balancer such info is critical in the analysis ....:-) Happy hadooping ... View more

@Michael Bronson Do you have a working cluster of same HDP version? Is it a kerberized environment? ... View more

@Bhushan Kandalkar Can you start with the following checks to investigate the SaslTransport issues, first the hive keytab # ll /etc/security/keytabs/hive.service.keytab Desired output see ownership and permission bits !!! -r--r----- 1 hive hadoop 353 Oct 11 10:49 /etc/security/keytabs/hive.service.keytab Check the Hive--->Configs--->Advanced hive-site check the hive.server2.authentication.kerberos.principal Desired output hive/_HOST@REALM This should match the entry in the Kerberos database, validate by running on the KDC server the below command as root user # kadmin.local kadmin.local: listprincs Desired output hive/$FQDN@REALM Lastly, Can you regenerate the keytabs using the Ambari Kerberos wizard the restart the cluster HTH ... View more