> On March 17, 2015, 3:26 p.m., Jonathan Hurley wrote:
> > ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py,
> >  line 94
> > <https://reviews.apache.org/r/32168/diff/1/?file=897976#file897976line94>
> >
> >     Can you explain how the smokeuser is different than the smokeuser 
> > principal? Should the commands be executed as the principal instead of the 
> > user?

Essentially they represent two different identities.  The _smoke user principal_ 
is the "username" of the Kerberos identity where the _smoke user_ is the 
"username" of the local user account.  These values (related to the smoke user) 
tend to look a lot alike (_ambari-qa@REALM_ and _ambari-qa_) but there 
are no rules that state that these names need to be so similar.  This is where 
the _auto-to-local_ maps come into play. It attempts to match a principal name 
to a local user account, so there is no need to directly map the two.  

Given this, there are scenarios where the principal name of the smoke user 
Kerberos identity **must** be changed from _ambari-qa@REALM_.  A common one is 
a shared KDC among multiple Ambari clusters. In this case, we need to make 
sure that one cluster does not step on another cluster's smoke user identity.  
For this, we recommend adding the cluster name to the smoke user principal. So 
_ambari-qa@REALM_ becomes _ambari-qa-c1@REALM_, _ambari-qa-c2@REALM_, etc...  

This is actually the case for all _headless_ (or _user_) identities to ensure 
uniqueness.  For _service_ identities, the uniqueness comes in the form of a 
hostname, tying the identity to a particular host.


- Robert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/32168/#review76778
-----------------------------------------------------------


On March 17, 2015, 2:59 p.m., Robert Levas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/32168/
> -----------------------------------------------------------
> 
> (Updated March 17, 2015, 2:59 p.m.)
> 
> 
> Review request for Ambari, Andrew Onischuk, Jonathan Hurley, and Vitalyi 
> Brodetskyi.
> 
> 
> Bugs: AMBARI-10101
>     https://issues.apache.org/jira/browse/AMBARI-10101
> 
> 
> Repository: ambari
> 
> 
> Description
> -------
> 
> When Kerberos is enabled, Hive components show alerts due to the following 
> error:
> 
> ```
> WARNING 2015-03-16 06:01:08,253 base_alert.py:140 - 
> [Alert][hive_metastore_process] Unable to execute alert. Execution of 
> '/usr/bin/kinit -kt /etc/security/keytabs/smokeuser.headless.keytab 
> ambari-qa; ' returned 1. kinit: Keytab contains no suitable keys for 
> ambari-qa@REALM while getting initial credentials
> ```
> 
> This occurs because the alert logic for Hive uses `cluster-env/smokeuser` 
> rather than `cluster-env/smokeuser_principal_name` to get the principal name 
> for the smoke test identity.
> 
> 
> Diffs
> -----
> 
>   ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_metastore.py 804ddfe 
>   ambari-server/src/main/resources/common-services/HIVE/0.12.0.2.0/package/alerts/alert_hive_thrift_port.py 0fb8898 
> 
> Diff: https://reviews.apache.org/r/32168/diff/
> 
> 
> Testing
> -------
> 
> Manually tested in a cluster by setting the smoke user principal name to 
> something other than `${cluster-env/smokeuser}@${realm}` and saw that alerts 
> for Hive were working as designed.
> 
> 
> Thanks,
> 
> Robert Levas
> 
>
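
A simplified model of the principal-to-local-user mapping described in the reply above, added here as an illustration (not code from this review or from Ambari). It assumes Hadoop-style `auth_to_local` rule syntax; the realm `EXAMPLE.COM`, the host name and the rule set are constructed sample values.

```python
import re

# Assumed rule shape: RULE:[n:format](match)s/pattern/replacement/[g]  or  DEFAULT
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\](?:\((.*?)\))?(?:s/(.*?)/(.*?)/(g?))?$")

# Constructed rule set for cluster "c1" (not taken from a real cluster).
RULES = [
    r"RULE:[1:$1@$0](ambari-qa-c1@EXAMPLE\.COM)s/.*/ambari-qa/",  # headless identity
    r"RULE:[2:$1@$0](hive@EXAMPLE\.COM)s/.*/hive/",               # service identity
    "DEFAULT",
]

def split_principal(principal):
    """'hive/host1@REALM' -> (['hive', 'host1'], 'REALM')"""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm

def map_to_local(principal, rules=RULES, default_realm="EXAMPLE.COM"):
    """Return the local account for a principal, or None if no rule applies."""
    components, realm = split_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT only strips the realm, and only for the default realm.
            if realm == default_realm:
                return components[0]
            continue
        m = RULE_RE.match(rule)
        if m is None:
            raise ValueError("unsupported rule: " + rule)
        count, fmt, match, pattern, repl, glob = m.groups()
        if int(count) != len(components):
            continue  # rule is for principals with a different component count
        # Expand $0 (realm) and $1.. (name components) in the format string.
        parts = [realm] + components
        base = re.sub(r"\$(\d)", lambda g: parts[int(g.group(1))], fmt)
        if match and not re.fullmatch(match, base):
            continue
        if pattern is None:
            return base
        # Replacement is treated as a literal string in this simplified model.
        return re.sub(pattern, lambda _: repl, base, count=0 if glob else 1)
    return None

if __name__ == "__main__":
    for p in ("ambari-qa-c1@EXAMPLE.COM", "ambari-qa-c2@EXAMPLE.COM",
              "hive/host1.example.com@EXAMPLE.COM", "ambari-qa-c1@OTHER.COM"):
        print(p, "->", map_to_local(p))
```

The mapping runs only from principal to local account, so a keytab lookup such as the `kinit` call in the quoted log has to be given the principal name itself.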
