In my hadoop cluster OS, Ranger and Kerberos is integrated with an external AD. id <username> and hdfs groups <username> both show group to which user belongs. ... View more

Hi Sriram I was able to do this by adding the following parameters in Custom core-site.xml in HDFS through Ambari: Please change the figures as per the environment. hadoop.security.group.mapping=org.apache.hadoop.security.CompositeGroupsMapping hadoop.security.group.mapping.provider.ad4users=org.apache.hadoop.security.LdapGroupsMapping hadoop.security.group.mapping.provider.ad4users.ldap.base=dc=csmodule,dc=com hadoop.security.group.mapping.provider.ad4users.ldap.bind.user=cn=username,OU=Users,DC=hortonworks,DC=com hadoop.security.group.mapping.provider.ad4users.ldap.bind.password=password hadoop.security.group.mapping.provider.ad4users.ldap.search.attr.group.name=cn hadoop.security.group.mapping.provider.ad4users.ldap.search.attr.member=member hadoop.security.group.mapping.provider.ad4users.ldap.search.filter.group=(objectclass=group) hadoop.security.group.mapping.provider.ad4users.ldap.search.filter.user=(&(|(objectclass=person)(objectclass=applicationProcess))(sAMAccountName={0})) hadoop.security.group.mapping.provider.ad4users.ldap.url=ldap-url:389 hadoop.security.group.mapping.provider.shell4services=org.apache.hadoop.security.ShellBasedUnixGroupsMapping hadoop.security.group.mapping.providers=ad4users,shell4services hadoop.security.group.mapping.providers.combined=true Reference: https://github.com/apache/hadoop/blob/f67237cbe7bc48a1b9088e990800b37529f1db2a/hadoop-common-project/hadoop-common/src/site/markdown/GroupsMapping.md#Composite_Groups_Mapping Please accept my answer if you found this helpful. ... View more

I don't think the changes has reflected. If you see the table description TTL => '86400 SECONDS (1 DAY). @Kashif Amir does your problem still exists? ... View more

Hi Kashif Can you please login to Hbase UI and check if the table shows up there. If yes, can you mention the table Description here. Also, what command did you used to changed the TTL? ... View more

Hi Were you able to find the solution? I am facing the same issue. When i run the query from hive shell or zeppelin as a hive user, then the query works fine. But if i run it with other user, sometime it works and most of the times i get the Vertex error. Thanks & Regards ... View more

@pshah Can you please help? I am still facing the same issue. I also noticed one thing, when i try to connect zookeeper on kafka server from kerberized cluster without taking any ticket, I am able to connect, with below logs: p.p1 {margin: 0.0px 0.0px 10.0px 0.0px; line-height: 18.0px; font: 15.0px Arial; color: #404041; -webkit-text-stroke: #404041} span.s1 {font-kerning: none} WARN [main-SendThread(kafka01.nix.xyz.com:2181):ZooKeeperSaslClient$ClientCallbackHandler@496] - Could not login: the client is being asked for a password, but the Zookeeper client code does not currently support obtaining a password from the user. Make sure that the client is configured to use a ticket cache (using the JAAS configuration setting 'useTicketCache=true)' and restart the client. If you still get this message after that, the TGT in the ticket cache has expired and must be manually refreshed. To do so, first determine if you are using a password or a keytab. If the former, run kinit in a Unix shell in the environment of the user who is running this Zookeeper client using the command 'kinit <princ>' (where <princ> is the name of the client's Kerberos principal). If the latter, do 'kinit -k -t <keytab> <princ>' (where <princ> is the name of the Kerberos principal, and <keytab> is the location of the keytab file). After manually refreshing your cache, restart this client. If you continue to see this message after manually refreshing your cache, ensure that your KDC host's clock is in sync with this host's clock. 2017-10-23 15:56:40,982 - WARN [main-SendThread(kafka01.nix.xyz.com:2181):ClientCnxn$SendThread@1001] - SASL configuration failed: javax.security.auth.login.LoginException: No password provided Will continue connection to Zookeeper server without SASL authentication, if Zookeeper server allows it. 2017-10-23 15:56:40,984 - INFO [main-SendThread(kafka01.nix.xyz.com:2181):ClientCnxn$SendThread@1019] - Opening socket connection to server kafka01.nix.xyz.com/10.72.19.66:2181 But when i take the zookeeper ticket on the same server, then it fails: 2017-10-23 16:01:47,877 - INFO [main:ZooKeeper@438] - Initiating client connection, connectString=sta-needs01-kafka01 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@4534b60d Welcome to ZooKeeper! JLine support is enabled 2017-10-23 16:01:47,989 - INFO [main-SendThread(kafka01.nix.xyz.com:2181):Login@294] - successfully logged in. 2017-10-23 16:01:47,991 - INFO [Thread-0:Login$1@127] - TGT refresh thread started. 2017-10-23 16:01:47,995 - INFO [main-SendThread(kafka01.nix.xyz.com:2181):ZooKeeperSaslClient$1@289] - Client will use GSSAPI as SASL mechanism. 2017-10-23 16:01:48,013 - INFO [Thread-0:Login@302] - TGT valid starting at: Mon Oct 23 16:01:44 CEST 2017 2017-10-23 16:01:48,013 - INFO [Thread-0:Login@303] - TGT expires: Tue Oct 24 02:01:44 CEST 2017 2017-10-23 16:01:48,013 - INFO [Thread-0:Login$1@181] - TGT refresh sleeping until: Tue Oct 24 00:06:45 CEST 2017 [zk: sta-needs01-kafka01(CONNECTING) 0] 2017-10-23 16:01:48,052 - INFO [main-SendThread(kafka01.nix.xyz.com:2181):ClientCnxn$SendThread@1019] - Opening socket connection to server kafka01.nix.xyz.com/10.72.19.66:2181. Will attempt to SASL-authenticate using Login Context section 'Client' 2017-10-23 16:01:48,058 - INFO [main-SendThread(kafka01.nix.xyz.com:2181):ClientCnxn$SendThread@864] - Socket connection established to kafka01.nix.xyz.com/10.72.19.66:2181, initiating session 2017-10-23 16:01:48,067 - INFO [main-SendThread(kafka01.nix.xyz.com:2181):ClientCnxn$SendThread@1279] - Session establishment complete on server kafka01.nix.xyz.com/10.72.19.66:2181, sessionid = 0x15f496f70e70049, negotiated timeout = 30000 WATCHER:: WatchedEvent state:SyncConnected type:None path:null 2017-10-23 16:01:48,140 - ERROR [main-SendThread(kafka01.nix.xyz.com:2181):ZooKeeperSaslClient@388] - An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. 2017-10-23 16:01:48,140 - ERROR [main-SendThread(kafka01.nix.xyz.com:2181):ClientCnxn$SendThread@1059] - SASL authentication with Zookeeper Quorum member failed: javax.security.sasl.SaslException: An error: (java.security.PrivilegedActionException: javax.security.sasl.SaslException: GSS initiate failed [Caused by GSSException: No valid credentials provided (Mechanism level: Message stream modified (41))]) occurred when evaluating Zookeeper Quorum Member's received SASL token. Zookeeper Client will go to AUTH_FAILED state. ... View more

@Amardeep Sarkar were you able to find the solution? Even, I am facing the same issue. ... View more

Hi, Can you please mention the error occurring in the metric collector logs? ... View more

@Karan Alang - Were you able to resolve the issue? ... View more

Hi Timothy, I am planning to take HDPCA exam very soon. Do you mean that they have changed the pattern and instead of practical, it will be just questions(I mean theoretical)? Also, any change in HDP and ambari version used? No, such information on their website: http://hortonworks.com/training/certification/hdp-certified-administrator-hdpca-exam/ Thanks & Regards Saurabh ... View more

Hi Dinesh, Were you able to solve this issue? ... View more

Does it mean that i cannot install Kerberos with ambari using LDAP, it needs to be LDAPS? I think i am having this issue 'Ambari will fail setting the account's password' ... View more