Hi, Active Directory users can successfully login to Zeppelin but roles are not mapped to the users. Here is the shiro.ini configuration: [main] adRealm = org.apache.shiro.realm.activedirectory.ActiveDirectoryRealm adRealm.url = ldap://domain.com:389 adRealm.searchBase = DC=domain,DC=com adRealm.groupRolesMap = "CN=admins,OU=HWX,DC=domain,DC=com":"admin","CN=users,OU=HWX,DC=domain,DC=com":"users" adRealm.systemUsername = hwx@DOMAIN.COM adRealm.systemPassword = XXXXXX adRealm.principalSuffix = @DOMAIN.COM adRealm.authorizationCachingEnabled = false sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager securityManager.sessionManager = $sessionManager securityManager.sessionManager.globalSessionTimeout = 86400000 cacheManager = org.apache.shiro.cache.MemoryConstrainedCacheManager securityManager.cacheManager = $cacheManager securityManager.realms = $adRealm shiro.loginUrl = /api/login [roles] admin = * users = * [urls] /** = authc /api/version = anon /api/interpreter/** = authc, roles[admin] /api/credential/** = authc, roles[admin] /api/configurations/** = authc, roles[admin] Is there something missing in the configuration? The following message is displayed on the log: WARN [2018-12-13 12:33:30,771] ({qtp64830413-19} LoginRestApi.java[postLogin]:119) - {"status":"OK","message":"","body":{"principal":"user1","ticket":"64c38479-4241-417b-99c4-1840fd41e5a4","roles":"[]"}} Many thanks in advance, Jorge. ... View more

Hi all, I've installed SOLR service on HDP 2.6.3 by following this guide: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.3/bk_solr-search-installation/content/ch_hdp-search-install-ambari.html After successfully installed and started the the SOLR service, this alert is displayed in Ambari: The following components are reporting unexpected versions: host.fqdn SOLR_SERVER: UNKNOWN Does someone know how to fix this issue? Any suggestions would be appreciated. Many thanks in advance, Jorge. ... View more

Hi all, I'm trying to connect to HiveServer2 using beeline and using the information from Ambari: Connected to: Apache Hive (version 1.2.1000.2.6.2.14-5) Driver: Hive JDBC (version 1.2.1000.2.6.2.14-5) Transaction isolation: TRANSACTION_REPEATABLE_READ Beeline version 1.2.1000.2.6.2.14-5 by Apache Hive Why is still using Hive version 1.2 ? Many thanks in advance, Jorge. ... View more

Hi folks, Atlas is unable to authenticate using AD with SSL (unable to find valid certification path to requested target): 2018-01-02 22:56:32,503 ERROR - [pool-2-thread-6:] ~ AD Authentication Failed: (AtlasADAuthenticationProvider:126) org.springframework.security.authentication.InternalAuthenticationServiceException: simple bind failed: dc01.vlab.local:636; nested exception is javax.naming.CommunicationException: simple bind failed: dc01.vlab.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target] at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:206) at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:85) at org.apache.atlas.web.security.AtlasADAuthenticationProvider.getADBindAuthentication(AtlasADAuthenticationProvider.java:116) at org.apache.atlas.web.security.AtlasADAuthenticationProvider.authenticate(AtlasADAuthenticationProvider.java:64) at org.apache.atlas.web.security.AtlasAuthenticationProvider.authenticate(AtlasAuthenticationProvider.java:109) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174) at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:199) at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94) at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:116) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97) at org.eclipse.jetty.server.Server.handle(Server.java:499) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257) at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Where can I configure the path to the certificate store containing CA root certificate ? Many thanks in advance, Jorge ... View more

Hi, this is a HDP 2.6.2.14-5 deployment using Ambari 2.5.2 with enabled Kerberos. I've successfully installed Ambari-Infra service and, after installing Ranger, the access audit is showing this error: HTTP ERROR 404 Problem accessing /solr/ranger_audits/select. Reason: Not found This is the configuration in ranger.audit.solr.urls: http://<fqdn>:8886/solr/ranger_audits Many thanks in advance, Jorge. ... View more

Hello, after enabling Kerberos the YARN ResourceManager failed to start. This is the content from log file: 2017-11-06 12:11:58,708 FATAL resourcemanager.ResourceManager (ResourceManager.java:main(1232)) - Error starting ResourceManager org.apache.hadoop.service.ServiceStateException: org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /rmstore at org.apache.hadoop.service.ServiceStateException.convert(ServiceStateException.java:59) at org.apache.hadoop.service.AbstractService.start(AbstractService.java:204) at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager$RMActiveServices.serviceStart(ResourceManager.java:593) at org.apache.hadoop.service.AbstractService.start(AbstractService.java:193) at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.startActiveServices(ResourceManager.java:1008) at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager$1.run(ResourceManager.java:1049) at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager$1.run(ResourceManager.java:1045) at java.security.AccessController.doPrivileged(Native Method) at javax.security.auth.Subject.doAs(Subject.java:422) at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1866) at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.transitionToActive(ResourceManager.java:1045) at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.serviceStart(ResourceManager.java:1085) at org.apache.hadoop.service.AbstractService.start(AbstractService.java:193) at org.apache.hadoop.yarn.server.resourcemanager.ResourceManager.main(ResourceManager.java:1229) Caused by: org.apache.zookeeper.KeeperException$AuthFailedException: KeeperErrorCode = AuthFailed for /rmstore at org.apache.zookeeper.KeeperException.create(KeeperException.java:123) at org.apache.zookeeper.KeeperException.create(KeeperException.java:51) at org.apache.zookeeper.ZooKeeper.create(ZooKeeper.java:783) at org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore$1.run(ZKRMStateStore.java:326) at org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore$1.run(ZKRMStateStore.java:322) at org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore$ZKAction.runWithCheck(ZKRMStateStore.java:1174) at org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore$ZKAction.runWithRetries(ZKRMStateStore.java:1207) at org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore.createRootDir(ZKRMStateStore.java:336) at org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore.createRootDirRecursively(ZKRMStateStore.java:1311) at org.apache.hadoop.yarn.server.resourcemanager.recovery.ZKRMStateStore.startInternal(ZKRMStateStore.java:303) at org.apache.hadoop.yarn.server.resourcemanager.recovery.RMStateStore.serviceStart(RMStateStore.java:598) at org.apache.hadoop.service.AbstractService.start(AbstractService.java:193) ... 12 more It seems to be an issue with Zookeeper. If I execute zkCli.sh on the node where ResourceManager is installed the message "AUTH_FAILED" is displayed: $ /usr/hdp/2.6.3.0-235/zookeeper/bin/zkCli.sh Connecting to localhost:2181 log4j:WARN No appenders could be found for logger (org.apache.zookeeper.ZooKeeper). log4j:WARN Please initialize the log4j system properly. log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info. Welcome to ZooKeeper! JLine support is enabled [zk: localhost:2181(CONNECTING) 0] WATCHER:: WatchedEvent state:SyncConnected type:None path:null WATCHER:: WatchedEvent state:AuthFailed type:None path:null [zk: localhost:2181(AUTH_FAILED) 0] zkCli.sh in the other nodes is working fine: $ /usr/hdp/2.6.3.0-235/zookeeper/bin/zkCli.sh Connecting to localhost:2181 log4j:WARN No appenders could be found for logger (org.apache.zookeeper.ZooKeeper). log4j:WARN Please initialize the log4j system properly. log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info. Welcome to ZooKeeper! JLine support is enabled WATCHER:: WatchedEvent state:AuthFailed type:None path:null [zk: localhost:2181(CONNECTING) 0] WATCHER:: WatchedEvent state:SyncConnected type:None path:null [zk: localhost:2181(CONNECTED) 0] Do you have any idea about how to troubleshoot this issue? Many thanks in advance, Jorge. ... View more

Hi folks, the "Enable Kerberos Wizard" failed to create all needed principals. Some principals were created, but not all. This is the output from the log file: 05 Nov 2017 12:24:26,337 INFO [Server Action Executor Worker 270] KerberosServerAction:353 - Processing identities... 05 Nov 2017 12:24:26,419 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-02.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,471 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, ambari-qa@VLAB.LOCAL 05 Nov 2017 12:24:26,516 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs@VLAB.LOCAL 05 Nov 2017 12:24:26,566 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, mapred/hdp-master-02.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,614 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, yarn/hdp-master-02.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,664 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, rm/hdp-master-02.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,712 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-02.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,759 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/hdp-master-01.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,806 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amshbase/hdp-master-01.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,856 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, amszk/hdp-master-01.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,902 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_analyzer/hdp-master-01.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,951 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, activity_explorer/hdp-master-01.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:26,996 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, zookeeper/hdp-master-01.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:27,043 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, HTTP/lab1-hdfs.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:27,093 INFO [Server Action Executor Worker 270] CreatePrincipalsServerAction:203 - Processing principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL 05 Nov 2017 12:24:27,096 ERROR [Server Action Executor Worker 270] CreatePrincipalsServerAction:297 - Failed to create principal, hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL - Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL org.apache.ambari.server.serveraction.kerberos.KerberosOperationException: Can not create principal : hdfs/lab1-hdfs.vlab.local@VLAB.LOCAL at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:338) at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.createPrincipal(CreatePrincipalsServerAction.java:256) at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.processIdentity(CreatePrincipalsServerAction.java:159) at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processRecord(KerberosServerAction.java:532) at org.apache.ambari.server.serveraction.kerberos.KerberosServerAction.processIdentities(KerberosServerAction.java:414) at org.apache.ambari.server.serveraction.kerberos.CreatePrincipalsServerAction.execute(CreatePrincipalsServerAction.java:91) at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.execute(ServerActionExecutor.java:517) at org.apache.ambari.server.serveraction.ServerActionExecutor$Worker.run(ServerActionExecutor.java:454) at java.lang.Thread.run(Thread.java:745) Caused by: javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 19 - 000021C7: AtrErr: DSID-03200BDF, #1: 0: 000021C7: DSID-03200BDF, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90303 (servicePrincipalName) ]; remaining name '"cn=hdfs/lab1-hdfs.vlab.local,OU=HDP"' at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3149) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2888) at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:812) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:341) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:268) at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:202) at org.apache.ambari.server.serveraction.kerberos.ADKerberosOperationHandler.createPrincipal(ADKerberosOperationHandler.java:336) ... 8 more 05 Nov 2017 12:24:27,096 INFO [Server Action Executor Worker 270] KerberosServerAction:457 - Processing identities completed. Any suggestion would be appreciated. Many thanks in advance, Jorge. ... View more