About lvazquez

lvazquez · ‎07-08-2022

I thought it was something like this, but it was hard to believe! After 2 full installation of CDP base, it seems clear that CDP may have been a big step for the final user, but still has a lot of room for improvement in the sysadmin and devops side of the platform, specially in the way-back or recovery of many central configuration changes (kerberos, TLS) where it really sucks, even when compared with the now ancient HDP3.

lvazquez · ‎06-20-2022

The solution above has been the accepted answer for a long time (since CM 6.x), but the procedure is not complete, at least for Cloudera Manager 7.6 with CDP Base 7.1.6 or above. After using Auto-TLS and needing to disable it because I needed to rename some nodes, I changed the web_tls and agent_tls settings in the Database, and changed the config.ini to disable TLS in all the agents' config and restarted all the cloudera-scm-* daemons (server/agents) and I was able to log to the UI and reach the hosts, but in "Management >> Security" the Cloudera Manager UI keeps showing "Auto-TLS is Enabled" in the menu bar, and if I try to add a new host it will fail with an error like "Unable to deploy host certificates" ... so it seems CM still has Auto-TLS enable somewhere/somehow. I have made a dump and double checked there isn't any TLS config parameter enabled in the DB, but there should be some other place from where CM assumes this is enabled.

lvazquez · ‎05-05-2022

As a general statement this is not right by any means. LDAP provides secure and encrypted authentication (encrypted user password and SSL/TLS communication) , together with user/group management. It's only the Hadoop stack does not support this and the two only autentication methods implemented for all the CDP components are the dummy simple auth (described above) and the Kerberos authentication (used in combination with PAM or LDAP for user/group mappings). As an example, nothing less than Knox (the security gateway to HDP or CDP) implements full authenticacion using only LDAP (with TLS), and it only relies on Kerberos to authenticate a single service/proxy user to communicate with the rest of the cluster.

lvazquez · ‎12-01-2020

The following map rule is wrong: RULE:[2:\$1@\$0](rm@MY_REALM)s/.*/rm/ the user for the ResourceManager is not "rm" but "yarn" and this should be the replacement value. This is the same as for the hadoop.security.auth_to_local in Hadoop/HDFS configuration.

lvazquez · ‎11-12-2020

To give some extra information (in case somebody guess about it) I have also tested adding the -b and -c options to curl, in order to use the received cookies in subsequent calls. Something like this: curl -i -k -u "admin:*****" -b cookies.txt -c cookies.txt --config headers-post.conf ... and the options included in headers-post.conf are: -X POST -H "X-Requested-By:admin" -H "Content-Type: application/json" -H "X-XSRF-HEADER:valid" But the problem is the same and I still receive "HTTP/1.1 403 Forbidden" when trying to execute any statement with LIvy over the session. Best regards

lvazquez · ‎11-12-2020

I have a kerberized HDP 3.1.4 authenticating against an IPA server (Kerberos/LDAP). Most of the supported web services are working via Knox (WEBHDFS, HDFSUI, YARNUI, YARNUIV2, SPARKHISTORYUI, OOZIEUI, HDFSUI, etc) , in some cases after fixing or replacing the service definitions with the ones from Knox 1.4.0 (some of ones included with HDP 3 have erros o missing redirects). Now I trying to expose the Livy Rest API via Knox and have tried both the LIVY service definitions in HDP 3 (it includes 3 versions 0.4.0, 0.4.1, 0.4.2) and with the one from Knox 1.4.0. A side note is that the service definition from upstream Knox 1.4.0 has a lower version number (0.4.0) but seems to be more recent including many additional rewrite rules and not using the "/v1" hack from the preliminary versions. The service definition for Knox in the ui.xml topology I'm using is: <service> <role>LIVYSERVER</role> <url>http://hdp3-livy:8999</url> </service> I'm using curl for testing and I'm able to initialize the "pyspark" session via Knox (authenticated with admin) to Livy as "knox" user and with the user authenticated to Knox (in this case "admin") as the "proxyUser": $ curl -k -u admin:${SECRET} --config headers-post.conf --data '{"kind": "pyspark"}' $LIVY_URL/sessions HTTP/1.1 200 OK { "appId": null, "appInfo": {"driverLogUrl": null, "sparkUiUrl": null}, "id": 19, "kind": "pyspark", "log": [], "owner": "knox", "proxyUser": "admin", "state": "starting" } However when in the next step I try to execute some code I get an empty response with code "403 Forbidden": $ curl -k -u admin:${SECRET} --config livy-headers-post.conf $LIVY_URL/sessions/$SESSIONID/statements -d '{"code":"2 + 2"}' HTTP/1.1 403 Forbidden If I do the same from Knox server, authenticated with kerberos keytab as user knox and including "proxyUser": "admin" in the JSON request (as Knox does) , I get the same response in the session setup but the subsequent code statement works as expected and executes the code: [knox@server ~]$ curl --negotiate -u : --config headers-post.conf $LIVY_URL/sessions/$SESSIONID/statements -d '{"code":"2 + 2"}' HTTP/1.1 200 OK { "code": "2 + 2", "id": 0, "output": null, "progress": 0.0, "state": "waiting" } As an extra diagnostic I have made a capture of traffic for both executions (via Knox and directly with knox using kinit + proxyUser) and the authentication headers received by Livy from the Knox server are clearly different with each method: Authencated as admin with Knox: POST /sessions/19/statements?doAs=admin HTTP/1.1 X-Forwarded-Proto: https X-Forwarded-Port: 10443 ... X-Forwarded-Context: /gateway/ui X-Requested-By: admin Accept: */* User-Agent: curl/7.29.0 X-XSRF-HEADER: valid Content-Type: application/json Transfer-Encoding: chunked Host: hdp3-livy:8999 Connection: Keep-Alive Cookie: hadoop.auth="u=knox&p=knox/hdp3-knox@EXAMPLE.COM&t=kerberos&e=1605153545612s=xD7N1bfFduRqQPQ/qtOkg0OVVs6sXC2C2MnTDlUDrSo=" 10 {"code":"2 + 2"} 0 Authenticated with kerberos as knox user (--negotiate): POST /sessions/18/statements HTTP/1.1 User-Agent: curl/7.29.0 Host: hdp3-dtlk-mn01.dtlk.in.iantel.com.uy:8999 Accept: */* X-Requested-By: admin Content-Type: application/json X-XSRF-HEADER:valid Content-Length: 16 {"code":"2 + 2"} @ HTTP/1.1 401 Authentication required Date: Wed, 11 Nov 2020 19:18:50 GMT WWW-Authenticate: Negotiate Set-Cookie: hadoop.auth=; HttpOnly Cache-Control: must-revalidate,no-cache,no-store ... Content-Length: 353 Server: Jetty(9.3.24.v20180605) POST /sessions/18/statements HTTP/1.1 Authorization: Negotiate YIIC1AYJKoZIhvcSAQICAQBuggLD ...... @ HTTP/1.1 201 Created Date: Wed, 11 Nov 2020 19:18:50 GMT WWW-Authenticate: Negotiate YGoGCSqGSIb.... ... Content-Type: application/json;charset=utf-8 Location: /sessions/18/statements/0 Content-Length: 70 Server: Jetty(9.3.24.v20180605) {"id":0,"code":"2 + 2","state":"waiting","output":null,"progress":0.0} Does anybody knows how to fix this and make Livy work with HTTPS and basic authentication via the Apache Knox Gateway server using Kerberos?

lvazquez · ‎08-19-2020

If you use the $ZK_HOST defined in infra-solr-env.sh you should not need to include the /infra-solr prefix when getting the solrconfig.xml: source /etc/ambari-infra-solr/conf/infra-solr-env.sh /usr/lib/ambari-infra-solr/server/scripts/cloud-scripts/zkcli.sh -z $ZK_HOST \ -cmd getfile /configs/ranger_audits/solrconfig.xml solrconfig.xml The same applies when uploading the edited config.

lvazquez · ‎07-24-2020

May be it's because of a diferente version (I'm using HDP and Hadoop 3) but this doesn't work as described here. In first place if you try to set a variable in the "hiveConf:" namespace you will get an error like this: Error while processing statement: Cannot modify hiveConf:test at runtime You have to use the "hivevar:" namespace for this like: :2> set hivevar:test=date_sub(current_date, 5); But more importante, Hive won't expand the variable value definition as shown here: :2> set hivevar:test; +-----------------------------------------+ | hivevar:test=date_sub(current_date, 5) | +-----------------------------------------+ So the INSERT will not interpreted as you stated but instead as: INSERT INTO TABLE am_temp2 PARTITION (search_date=date_sub(current_date, 5)) and this for some reason is not supported in Hive and gives a compilation error: FAILED: ParseException line 1:50 cannot recognize input near 'date_sub' '(' It would be very useful to insert data into static partitioning using pre-calculated variable values like this, from functions or select queries, but I still haven't found how to do this in HiveQL. As a reference, this seems to be (at least partially) related with this: https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.0/hive-overview/content/hive_use_variables.html

lvazquez · ‎08-27-2019

This feature is not (well) documented anywere and the intructions for user impersonation in Zeppelin's manual only works for shell or for spark when not using Kerberos, so I will respond myself showing how I was able to make this work with Kerberos and HDP 3.1 (zeppelin 0.8.0). First you DON'T have to change/uncoment ZEPPELIN_IMPERSONATE_SPARK_PROXY_USER in zeppelin-env and should leave this with the default value "true" (meaning that Zeppelin will use --proxy-user option when impersonation is enabled in the spark2 interpreter). The after you kerberized the cluster you will have to edit the Spark2 interpreter and change the following: Set the interpeter to be instantiated "Per User | Isolated" and select the "User Impersonate" checkbox. Remove the following properties from the interpreter configuration: spark.yarn.keytab=/etc/security/keytabs/zeppelin.server.kerberos.keytab spark.yarn.principal=zeppelin-mycluster@MYREALM.COM Add the following properties to the interpreter (fix domain and kerberos realm's names) : zeppelin.spark.keytab=/etc/security/keytabs/zeppelin.server.kerberos.keytab zeppelin.spark.principal=zeppelin-mycluster@MYREALM.COM Save and restart the interpreter After you should be able to run your %spark2.* jobs from Zeppelin as the logger user.

lvazquez · ‎05-24-2019

@jingyong zou you should not use AUTH_LDAP_APPEND_DOMAIN unless your users are authenticating using the fully qualified principal name as in "username@mydomain.com" instead of simply "username". If you use uid or samAccountName as AUTH_LDAP_UID_FIELD (as is the case with OpenLDAP, IPA or AD) then this is not needed, Also check the values for the parameters AUTH_USER_REGISTRATION=True and AUTH_USER_REGISTRATION_ROLE which should be set to a valid role in Superset (Public, Gamma, Alpha o Admin). Another not very documented parameter which may be important depending on your LDAP setup is AUTH_LDAP_USERNAME_FORMAT, check this also. With the previous advises in mind, check carefully the following documentation articles and you may be able to find your appropiate options combination to make LDAP work with Superset: https://flask-appbuilder.readthedocs.io/en/latest/config.html https://superset.incubator.apache.org/security.html https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-ldap A tcpdump capture in your Superset server + wireshark analysis may be also of much help to debug what is your current Superset config sending to the LDAP server. In my case this was the "final step" to fit all the pieces.

Online	Offline
Last Visited	‎07-08-2022 12:06 PM

Member Since	‎12-03-2016 02:07 PM
Last Visited	‎07-08-2022 12:06 PM
Posts	91
Kudos received	25

Cloudera Community

Cloudera Community

Re: How to make Zeppelin's User Impersonation work...

Re: How to fix Knox HBASE UI?

Re: is there any way to reset ranger admin UI pass...

Re: Ambari Pig View not working in HDP 2.5 multi-n...

Re: Disable/remove auto TLS certificates and creat...

Re: Disable/remove auto TLS certificates and creat...

Re: Can ranger work with AD without Kerberos?

Re: Zookeeper problem after hadoop kerberization

Re: Does anybody was able to make LIvy work via Kn...

Does anybody was able to make LIvy work via Knox i...

Re: Ambari Infra best practices

Re: Hive: Set variable for Static Partitioning

Re: How to make Zeppelin's User Impersonation work...

Re: How to configure Superset to use LDAP?