In Nifi with the PutS3Object, we get an error using AWS Credentials Provider service. AwsCredentialsProviderControlerService is configured to use IAM roles as follows: Use Default Credentials = True Use Anonymous Credentials = False Assume Role ARN = arn:aws:iam::ahjhdiauisjkk:role/role-test Assume Role Session Name = nifitest (*arbitary name*) Session time = 3600 No other values are set in the AwsCredentialsProviderControlerService We are using IAM roles because of organizational policies. The error is loosely transcribe here (it may contain typos): 13:40:46 EDT - All Nodes - ERROR PutS3Object[id=asdfasdfasdfasdf] Failed to put StandardFlowFileRecord[uuid=xxxxxxxx,claim=StandardContentClaim[resourceClaim=StandardResourceClaim[id=11111111, container=default,section=1], offset=0,length=222222],offset=1,name=test3,size=33333] to Amazon S2 due to com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) com.amazonaws.services.securitytokenmodel.AWSSEcurityToeknServiceException: User: arn:aws:sts::7777777:assumed-role/role-hdf-node/i-03333330000 is not authorized to perform: sts:Assumerole on resource: arn:aws:sts::7777777:role/role-hdf-node (Service: AWSSecurityToeknService;Status Code: 403; Error Code: AccessDenied; Request ID: aaaaaaaaaaaa) Thanks for any help. Jim ... View more

I am trying to configure LDAP authentication with Ambari and other components (e.g. Zeppelin, Ranger and Knox). This is a complex environment with Centrify where users have multiple identities which resolve to a single ID in Linux. On Linux, my id is "u1101". I can execute "id u1101" or "id james-jones" and both result in the same Linux ID -- e.g. uid=60012(u1101) gid=5001(user). On a Windows system, only james-jones works. There are two domains: company.com and corp.company.int. I want to configure LDAP authentication using the Linux ID rather than the windows sAMAccountName, but it only works with the sAMAccountName. I have configured the correct settings in Ambari for userObjectClass, baseDn, userAttributeName, primaryUrl, managerDn, etc. I don't know if the problem is with Centrify or an LDAP server hosting the Linux accounts. I decided to conduct a test, and it seems that using dn bind account is prohibited in one case but not the other. Since Ambari LDAP authentication essentially does two queries, one with the bind user to find the person logging in, and then a second query with the person's DN and the password they entered, I tested two ldapsearch queries. One with the Windows DN and the second using the Linux DN. Using ldapsearch, this query succeeds using my Windows domain DN ldapsearch -D "CN=1101737,OU=NY,OU=my_company,OU=CO_Users,DC=corp,DC=company,DC=int" -W \ -b "dc=corp,dc=company,dc=int" \ "sAMAccountName=james-jones" This query fails on authentication using my UNIX domain DN ldapsearch -D "CN=james-jones@corp.company.int,CN=Users,CN=Global,CN=Zones,OU=Centrify,OU=Enterprise Systems,DC=corp,DC=company,DC=int" -W \ -b "DC=corp,DC=company,DC=int" \ "sAMAccountName=james-jones" There are two different LDIFs for these two ids (u1101 and james-jones): sAMAccountName=james-jones objectClass=person dn=CN=1101737,OU=NY,OU=my_company,OU=CO_Users,DC=corp,DC=company,DC=int distinguishedName==CN=1101737,OU=NY,OU=my_company,OU=CO_Users,DC=corp,DC=company,DC=int The other looks like non-AD LDAP and I think openLdap may be behind it with some centrify magic going on. uid=u1101 objectClass=posixAccount dn=CN=james-jones@corp.company.int,CN=Users,CN=Global,CN=Zones,OU=Centrify,OU=Enterprise Systems,DC=corp,DC=company,DC=int distinguishedName=CN=james-jones@corp.company.int,CN=Users,CN=Global,CN=Zones,OU=Centrify,OU=Enterprise Systems,DC=corp,DC=company,DC=int The reason this matters is that when I use Ambari views, my account needs to match the Unix accounts. Hopefully that made sense. It's a bit long and complicated. Any help is very appreciated. ... View more

Ambari 2.5.0.3 complains about openblas-Rblas x86_64 0.2.19-4.el7 installed when installing HDP 2.6. This was in the checks done during service installation. What version of R is HDP happy with? If we remove openblasRblas, it will also remove R 3.3.3 and we want to replace it with the correct version. ... View more