Review Request 29459: JobHistoryServer Fails to pass service check in Kerberized cluster

Mon, 29 Dec 2014 08:07:11 -0800 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/29459/
-----------------------------------------------------------

Review request for Ambari, John Speidel, Robert Nettleton, and Yusaku Sako.


Bugs: AMBARI-8935
    https://issues.apache.org/jira/browse/AMBARI-8935


Repository: ambari


Description
-------

JobHistoryServer Fails to pass service check in Kerberized cluster due to 
kerberos to local account mapping failure 

```
org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException):
 Permission denied: user=jhs, access=READ_EXECUTE, 
inode="/mr-history/done/2014":mapred:hadoop:drwxrwx---
```

`core-site` `auth_to_local` fails to map `jhs/_HOST` to `mapred` user.  

The solution is to dynamically create auth_to_local configuration based on 
kerberos descriptors.


Diffs
-----

  
ambari-server/src/main/java/org/apache/ambari/server/controller/AuthToLocalBuilder.java
 PRE-CREATION 
  
ambari-server/src/main/java/org/apache/ambari/server/controller/KerberosHelper.java
 562ce9e 
  
ambari-server/src/main/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptor.java
 70bd396 
  ambari-server/src/main/resources/stacks/HDP/2.2/services/HBASE/kerberos.json 
4b6213e 
  ambari-server/src/main/resources/stacks/HDP/2.2/services/HDFS/kerberos.json 
52c7d37 
  ambari-server/src/main/resources/stacks/HDP/2.2/services/OOZIE/kerberos.json 
9cb24ca 
  ambari-server/src/main/resources/stacks/HDP/2.2/services/YARN/kerberos.json 
7677a7a 
  
ambari-server/src/test/java/org/apache/ambari/server/controller/AuthToLocalBuilderTest.java
 PRE-CREATION 
  
ambari-server/src/test/java/org/apache/ambari/server/state/kerberos/KerberosPrincipalDescriptorTest.java
 a35bad3 
  ambari-server/src/test/resources/stacks/HDP/2.0.8/kerberos.json 64c7a8c 
  ambari-server/src/test/resources/stacks/HDP/2.0.8/services/HDFS/kerberos.json 
7271b36 

Diff: https://reviews.apache.org/r/29459/diff/


Testing
-------

Manually tested on test cluster - JobHistoryServer sometimes fails the service 
check, but appears to be unrelated to the auth_to_local mapping issue.

Added new test case: 
`org.apache.ambari.server.controller.AuthToLocalBuilderTest`
Updated existing test case: 
`org.apache.ambari.server.state.kerberos.KerberosPrincipalDescriptorTest`

Waiting for Jenkins server for test results - issues with rat check in truck 
not related to this patch.


Thanks,

Robert Levas

Reply via email to