Hello @Matt Clarke it seems all messages similar, it is repeating. I can't see a diffirent message. 2018-07-26 09:04:27,722 WARN [Timer-Driven Process Thread-3] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 2018-07-26 09:04:27,723 ERROR [Timer-Driven Process Thread-3] o.a.nifi.remote.StandardRemoteGroupPort RemoteGroupPort[name=RGP1,targets=https://my-nifi-server:9443] failed to communicate with https://my-nifi-server:9443 due to org.apache.nifi.remote.exception.UnreachableClusterException: Unable to refresh details from any of the configured remote instances. 2018-07-26 09:04:27,723 WARN [Timer-Driven Process Thread-2] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 2018-07-26 09:04:27,723 INFO [StandardProcessScheduler Thread-6] o.a.n.c.s.TimerDrivenSchedulingAgent Scheduled TailFile[id=7b70e94e-2b44-32a6-0000-000000000000] to run with 1 threads 2018-07-26 09:04:27,723 ERROR [Timer-Driven Process Thread-2] o.a.nifi.remote.StandardRemoteGroupPort RemoteGroupPort[name=RGP2,targets=https://my-nifi-server:9443] failed to communicate with https://my-nifi-server:9443 due to org.apache.nifi.remote.exception.UnreachableClusterException: Unable to refresh details from any of the configured remote instances. 2018-07-26 09:04:27,726 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 2018-07-26 09:04:27,726 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@4f1c5017 Unable to refresh Remote Group's peers due to Received fatal alert: handshake_failure 2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@13a87254 Unable to refresh Remote Group's peers due to Received fatal alert: handshake_failure 2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.a.n.r.util.SiteToSiteRestApiClient Failed to get controller from https://my-nifi-server:9443/nifi-api due to javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 2018-07-26 09:04:27,727 WARN [NiFi Site-to-Site Connection Pool Maintenance] o.apache.nifi.remote.client.PeerSelector org.apache.nifi.remote.client.PeerSelector@69c7fbb Unable to refresh Remote Group's peers due to Received fatal alert: handshake_failure ... View more

Hi @Geoffrey Shelton Okot, I decided to test with local user. I added also a principle to kerberos with same name. I did configurations in url that you mentioned before. [users] # List of users with their password allowed to access Zeppelin. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections admin = admin, admin zptest = password, role1 user1 = user1, role1, role2 user2 = user2, role3 user3 = user3, role2 # Sample LDAP configuration, for user Authentication, currently tested for single Realm [main] ### A sample for configuring Active Directory Realm #activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm #activeDirectoryRealm.systemUsername = userNameA #use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html #activeDirectoryRealm.systemPassword = passwordA #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM #activeDirectoryRealm.url = ldap://ldap.test.com:389 #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr" #activeDirectoryRealm.authorizationCachingEnabled = false ### A sample PAM configuration #pamRealm=org.apache.zeppelin.realm.PamRealm #pamRealm.service=sshd sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager ### If caching of user is required then uncomment below lines cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager securityManager.sessionManager = $sessionManager # 86,400,000 milliseconds = 24 hour securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login [roles] role1 = * role2 = * role3 = * admin = * [urls] # This section is used for url-based security. # You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide. # anon means the access is anonymous. # authc means Form based Auth Security # To enfore security, comment the line below and uncomment the next one /api/version = anon #/api/interpreter/** = authc, roles[admin] #/api/configurations/** = authc, roles[admin] #/api/credential/** = authc, roles[admin] #/** = anon /** = authc I am logging in to Zeppelin with zptest user and "whoami" command displays "zeppelin". Impersonation part at advanced env is here; #--- FOR IMPERSONATION -- START ---- ZEPPELIN_IMPERSONATE_USER=`echo ${ZEPPELIN_IMPERSONATE_USER} | cut -d "@" -f1` export ZEPPELIN_IMPERSONATE_CMD='sudo -H -u zeppelin bash -c' export SPARK_HOME=/usr/hdp/current/spark2-client/ export PYTHONPATH=$SPARK_HOME/python/:$PYTHONPATH export PYTHONPATH=$SPARK_HOME/python/lib/py4j-0.9-src.zip:$PYTHONPATH # This is version based config and needs to be changed based on the spark version export SPARK_YARN_USER_ENV="PYTHONPATH=${PYTHONPATH}" #--- FOR IMPERSONATION -- END ---- ... View more

Hi, here it is; [users] # List of users with their password allowed to access Zeppelin. # To use a different strategy (LDAP / Database / ...) check the shiro doc at http://shiro.apache.org/configuration.html#Configuration-INISections admin = admin, admin user1 = user1, role1, role2 user2 = user2, role3 user3 = user3, role2 # Sample LDAP configuration, for user Authentication, currently tested for single Realm [main] ### A sample for configuring Active Directory Realm #activeDirectoryRealm = org.apache.zeppelin.realm.ActiveDirectoryGroupRealm #activeDirectoryRealm.systemUsername = userNameA #use either systemPassword or hadoopSecurityCredentialPath, more details in http://zeppelin.apache.org/docs/latest/security/shiroauthentication.html #activeDirectoryRealm.systemPassword = passwordA #activeDirectoryRealm.hadoopSecurityCredentialPath = jceks://file/user/zeppelin/zeppelin.jceks #activeDirectoryRealm.searchBase = CN=Users,DC=SOME_GROUP,DC=COMPANY,DC=COM #activeDirectoryRealm.url = ldap://ldap.test.com:389 #activeDirectoryRealm.groupRolesMap = "CN=admin,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"admin","CN=finance,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"finance","CN=hr,OU=groups,DC=SOME_GROUP,DC=COMPANY,DC=COM":"hr" #activeDirectoryRealm.authorizationCachingEnabled = false ### A sample for configuring LDAP Directory Realm ldapRealm = org.apache.zeppelin.realm.LdapRealm ## search base for ldap groups (only relevant for LdapGroupRealm): ldapRealm.contextFactory.environment[ldap.searchBase] = mysearchbase ldapRealm.contextFactory.url = myldapserver ldapRealm.userDnTemplate = myuserdntemplae ldapRealm.contextFactory.authenticationMechanism = SIMPLE ldapRealm.authorizationEnabled=true ldapRealm.userSearchBase=myusersearchbase ldapRealm.groupSearchBase=mygroupsearchbase ldapRealm.userObjectClass=inetorgperson ldapRealm.groupObjectClass=groupofnames ldapRealm.memberAttribute=member securityManager.realms = $ldapRealm ldapRealm.rolesByGroup = "admingroup": "admin" ### A sample PAM configuration #pamRealm=org.apache.zeppelin.realm.PamRealm #pamRealm.service=sshd sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager ### If caching of user is required then uncomment below lines cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager securityManager.sessionManager = $sessionManager # 86,400,000 milliseconds = 24 hour securityManager.sessionManager.globalSessionTimeout = 86400000 shiro.loginUrl = /api/login [roles] role1 = * role2 = * role3 = * admin = * [urls] # This section is used for url-based security. # You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide. # anon means the access is anonymous. # authc means Form based Auth Security # To enfore security, comment the line below and uncomment the next one /api/version = anon /** = authc #/api/interpreter/** = authc, roles[admin] #/api/configurations/** = authc, roles[admin] #/api/credential/** = authc, roles[admin] #/** = anon ... View more

Thanks @Geoffrey Shelton Okot But this solution is for local OS users, I need something for LDAP users. Also I need something for all interpreters, my problem is not shell interpreter specific. ... View more

I resolved by adding a custom kafka-broker variable, advertised.listeners. It is fqdn of broker host. Also changed listener address to 0.0.0.0, it worked. ... View more

yes I tried to produce like this. ... View more

it is 0.10.0.2.6(which comes with hdp 2.6, it uses zookeeper). It uses port 6667. It is not secure. ... View more

Thanks @Abdelkrim Hadjidj. Do you mean software delete by logical deleting? (Not actually delete, update some fields) Are there any native solution for mongodb or cassandra? What do you think about using triggers? (writing insert,delete,update records to a table) Regards. ... View more

Hello @Vipin Rathor, 1. it is RedHat IDM. It has a "specialized" kerberos configuration and hadoop can't execute kerberos commands with it. RedHat support also says it is not supported by ambari. There is an article about ambari freeipa(free version of IDM) plugin, but it is an experimental method, doesn't work with HDP 2.5 2. I am planning to use LDAP for only system logins. Hadoop admins will switch to local users which are linked to kerberos. ... View more

Result is; { "href" : "http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential", "Credential" : { "alias" : "kdc.admin.credential", "cluster_name" : "testcls", "type" : "persisted" }} Same in firefox. ... View more

Hello, when I check ambari-server log, there is an error like this; 29 Mar 2017 10:54:59,309 ERROR [ambari-client-thread-63] BaseManagementHandler:67 - Bad request received: Missing KDC administrator credentials. The KDC administrator credentials must be set as a persisted or temporary credential resource.This may be done by issuing a POST to the /api/v1/clusters/:clusterName/credentials/kdc.admin.credential API entry point with the following payload: { "Credential" : { "principal" : "(PRINCIPAL)", "key" : "(PASSWORD)", "type" : "(persisted|temporary)"} } } I did the settings according to this url; https://community.hortonworks.com/articles/42927/adding-kdc-administrator-credentials-to-the-ambari.html Firstly run ambari-server setup-security and select option 2. Then run these without no error; curl -H "X-Requested-By:ambari" -u admin:admin -X POST -d '{ "Credential" : { "principal" : "hadoopadmin@REALM", "key" : "xxxxx", "type" : "persisted" } }' http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential curl -H "X-Requested-By:ambari" -u admin:admin -X PUT -d '{ "Credential" : { "principal" : "hadoopadmin@REALM", "key" : "xxxxx", "type" : "persisted" } }' http://AMBARI_IP:8080/api/v1/clusters/testcls/credentials/kdc.admin.credential But I am still getting above error about credential resource. When I type a wrong password ambari log says password is wrong. So I am sure that password is correct. ... View more

Hi, I remember admin principal's password, I am trying it but can't pass this popup. I could validate it's true by "kinit ..." ... View more