Re: Trying to create hbase tables after enabling Kerberos with Ambari

[Henning Kropp]

Hi,

what Robert suggested sounds to me exactly what you would need. It would 
help if you could provide your auth_to_local setting and the output of 
hbase> whoami


Another way to test your auth_to_locals setting would be to execute:
% hadoop org.apache.hadoop.security.HadoopKerberosName 
trafodion-robertaclus...@trafkdc.com 



Please be aware that the rules are applied in order, so it is important 
to have the rule from Robert before the default rule.


A more simple rule could also be:
RULE:[1:$1@$0](trafidion-robertaclus...@trafkdc.com)s/.*/trafodion/

The above rule will only work for this principal/user. Put it as the 
first line of your auth to local and use HadoopKerberosName to test if 
it is working.


Regards,
Henning


Am 21/03/16 um 21:40 schrieb Roberta Marton:


Thanks for your suggestion.  My property settings did have the second 
rule defined but not the first.


However, it did not seem to help.

I tried setting the rule several other ways but nothing seems to 
work.  I still get the same behavior.


Roberta

*From:* Robert Levas [mailto:rle...@hortonworks.com 
]

*Sent:* Monday, March 21, 2016 11:21 AM
*To:* user@ambari.apache.org 
*Subject:* Re: Trying to create hbase tables after enabling Kerberos 
with Ambari


Hi Roberta…

It seems like you need an auth-to-local run set up to translate 
trafodion-robertaclus...@trafkdc.com 
to trafodion.


To can do this by editing the hadoop.security.auth_to_local property 
under HDFS->Configs->Advanced->Advanced core-site.


Adding the following rule should do the trick:

RULE:[1:$1@$0](.*-robertaclus...@trafkdc.com)s/-robertaCluster@.*// 


You will need to add this rule to the ruleset before/above less 
general rules like


RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//


After adding this rule, save the config and restart the recommended 
services.


I hope this helps,

Rob

*From: *Roberta Marton >
*Reply-To: *"user@ambari.apache.org " 
>

*Date: *Monday, March 21, 2016 at 2:08 PM
*To: *"user@ambari.apache.org " 
>
*Subject: *Trying to create hbase tables after enabling Kerberos with 
Ambari


I am trying to install Kerberos on top of my Hortonworks 
installation.  I have tried this with both versions 2.2 and 2.3 and 
get similar results.


After I enable Kerberos, I create a Linux user called trafodion and 
grant this user all HBase permissions.


I connect as trafodion but get permission errors when I try to create 
a table.


Details:

[trafodion@myhost ~]$ whoami

trafodion

[trafodion@myhost ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_503

Default principal: trafodion-robertaclus...@trafkdc.com 



Valid starting ExpiresService principal

03/21/16 16:39:33  03/22/16 16:39:33 krbtgt/trafkdc@trafkdc.com 



renew until 03/21/16 16:39:33

hbase shell

hbase(main):002:0> whoami

trafodion-robertaclus...@trafkdc.com 
(auth:KERBEROS)OIw


2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No 
groups available for user trafodion-robertaCluster


hbase(main):003:0> user_permission

User Table,Family,Qualifier:Permission

trafodion hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]

ambari-qa hbase:acl,,: [Permission: actions=READ,WRITE,EXEC,CREATE,ADMIN]

2 row(s) in 1.7630 seconds

hbase(main):004:0> create 't1', 'f1', 'f2'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: 
Insufficient permissions for user 'trafodion-robertaCluster' (global, 
action=CREATE)


I am able to perform ‘user_permission’ but not ‘create’

Any suggestion on how to proceed?

Roberta

RE: Trying to create hbase tables after enabling Kerberos with Ambari

[Roberta Marton]

Thanks for your suggestion.  My property settings did have the second rule
defined but not the first.

However, it did not seem to help.

I tried setting the rule several other ways but nothing seems to work.  I
still get the same behavior.



   Roberta



*From:* Robert Levas [mailto:rle...@hortonworks.com]
*Sent:* Monday, March 21, 2016 11:21 AM
*To:* user@ambari.apache.org
*Subject:* Re: Trying to create hbase tables after enabling Kerberos with
Ambari



Hi Roberta…



It seems like you need an auth-to-local run set up to translate
trafodion-robertaclus...@trafkdc.com to trafodion.



To can do this by editing the hadoop.security.auth_to_local property under
HDFS->Configs->Advanced->Advanced core-site.



Adding the following rule should do the trick:



RULE:[1:$1@$0](.*-robertaclus...@trafkdc.com)s/-robertaCluster@.*//



You will need to add this rule to the ruleset before/above less general
rules like



RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//



After adding this rule, save the config and restart the recommended
services.



I hope this helps,



Rob







*From: *Roberta Marton 
*Reply-To: *"user@ambari.apache.org" 
*Date: *Monday, March 21, 2016 at 2:08 PM
*To: *"user@ambari.apache.org" 
*Subject: *Trying to create hbase tables after enabling Kerberos with Ambari



I am trying to install Kerberos on top of my Hortonworks installation.  I
have tried this with both versions 2.2 and 2.3 and get similar results.

After I enable Kerberos, I create a Linux user called trafodion and grant
this user all HBase permissions.

I connect as trafodion but get permission errors when I try to create a
table.



Details:



[trafodion@myhost ~]$ whoami

trafodion



[trafodion@myhost ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_503

Default principal: trafodion-robertaclus...@trafkdc.com



Valid starting ExpiresService principal

03/21/16 16:39:33  03/22/16 16:39:33  krbtgt/trafkdc@trafkdc.com

renew until 03/21/16 16:39:33



hbase shell



hbase(main):002:0> whoami

trafodion-robertaclus...@trafkdc.com(auth:KERBEROS)OIw

2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No
groups available for user trafodion-robertaCluster



hbase(main):003:0> user_permission

UserTable,Family,Qualifier:Permission

trafodion  hbase:acl,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]

ambari-qa  hbase:acl,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]

2 row(s) in 1.7630 seconds



hbase(main):004:0> create 't1', 'f1', 'f2'



ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'trafodion-robertaCluster' (global, action=CREATE)



I am able to perform ‘user_permission’ but not ‘create’



Any suggestion on how to proceed?



Roberta

Re: Trying to create hbase tables after enabling Kerberos with Ambari

[Robert Levas]

Hi Roberta…

It seems like you need an auth-to-local run set up to translate 
trafodion-robertaclus...@trafkdc.com to trafodion.

To can do this by editing the hadoop.security.auth_to_local property under 
HDFS->Configs->Advanced->Advanced core-site.

Adding the following rule should do the trick:

RULE:[1:$1@$0](.*-robertaclus...@trafkdc.com)s/-robertaCluster@.*//

You will need to add this rule to the ruleset before/above less general rules 
like

RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//

After adding this rule, save the config and restart the recommended services.

I hope this helps,

Rob



From: Roberta Marton >
Reply-To: "user@ambari.apache.org" 
>
Date: Monday, March 21, 2016 at 2:08 PM
To: "user@ambari.apache.org" 
>
Subject: Trying to create hbase tables after enabling Kerberos with Ambari

I am trying to install Kerberos on top of my Hortonworks installation.  I have 
tried this with both versions 2.2 and 2.3 and get similar results.
After I enable Kerberos, I create a Linux user called trafodion and grant this 
user all HBase permissions.
I connect as trafodion but get permission errors when I try to create a table.

Details:

[trafodion@myhost ~]$ whoami
trafodion

[trafodion@myhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: 
trafodion-robertaclus...@trafkdc.com

Valid starting ExpiresService principal
03/21/16 16:39:33  03/22/16 16:39:33  
krbtgt/trafkdc@trafkdc.com
renew until 03/21/16 16:39:33

hbase shell

hbase(main):002:0> whoami
trafodion-robertaclus...@trafkdc.com(auth:KERBEROS)OIw
2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No groups 
available for user trafodion-robertaCluster

hbase(main):003:0> user_permission
UserTable,Family,Qualifier:Permission
trafodion  hbase:acl,,: [Permission: 
actions=READ,WRITE,EXEC,CREATE,ADMIN]
ambari-qa  hbase:acl,,: [Permission: 
actions=READ,WRITE,EXEC,CREATE,ADMIN]
2 row(s) in 1.7630 seconds

hbase(main):004:0> create 't1', 'f1', 'f2'

ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient 
permissions for user 'trafodion-robertaCluster' (global, action=CREATE)

I am able to perform ‘user_permission’ but not ‘create’

Any suggestion on how to proceed?

Roberta

Trying to create hbase tables after enabling Kerberos with Ambari

[Roberta Marton]

I am trying to install Kerberos on top of my Hortonworks installation.  I
have tried this with both versions 2.2 and 2.3 and get similar results.

After I enable Kerberos, I create a Linux user called trafodion and grant
this user all HBase permissions.

I connect as trafodion but get permission errors when I try to create a
table.



Details:



[trafodion@myhost ~]$ whoami

trafodion



[trafodion@myhost ~]$ klist

Ticket cache: FILE:/tmp/krb5cc_503

Default principal: *trafodion-robertaclus...@trafkdc.com
*



Valid starting ExpiresService principal

03/21/16 16:39:33  03/22/16 16:39:33  krbtgt/trafkdc@trafkdc.com

renew until 03/21/16 16:39:33



hbase shell



hbase(main):002:0> whoami

*trafodion-robertaclus...@trafkdc.com
* (auth:KERBEROS)OIw

2016-03-21 17:06:22,925 WARN  [main] security.UserGroupInformation: No
groups available for user trafodion-robertaCluster



hbase(main):003:0> user_permission

UserTable,Family,Qualifier:Permission

trafodion  hbase:acl,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]

ambari-qa  hbase:acl,,: [Permission:
actions=READ,WRITE,EXEC,CREATE,ADMIN]

2 row(s) in 1.7630 seconds



hbase(main):004:0> create 't1', 'f1', 'f2'



ERROR: org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient
permissions for user 'trafodion-robertaCluster' (global, action=CREATE)



I am able to perform ‘user_permission’ but not ‘create’



Any suggestion on how to proceed?



Roberta

Re: Do we have API for change password

[Dmitry Sen]

It works for me:


curl -i -u admin:admin  'http://192.168.120.6:1081/api/v1/users/admin' -X PUT 
-H 'X-Requested-By: ambari' --data-binary 
'{"Users/password":"newpasswd","Users/old_password":"admin"}'


BR,

Dmytro Sen



From: Satyanarayana Jampa 
Sent: Monday, March 21, 2016 7:59 AM
To: user@ambari.apache.org
Subject: Do we have API for change password

Hi,
  Just wondering if we have an API to change the Ambari password, instead of 
logging in and changing the password.
  Actually I have a custom script which will take username and password as 
argument which I have to use it for configuration before installing Ambari.

Thanks,
Satya.

TypeError: getpwnam() argument 1 must be string, not None

[zhang juntao]

hi all,
I have been using ambari to manage our cluster of hadoop, now i met a problem 
that i can’t push command to agents , there always some exception like:

Traceback (most recent call last):
  File 
"/var/lib/ambari-agent/cache/stacks/HDP/2.0.6/hooks/before-ANY/scripts/hook.py",
 line 35, in 
BeforeAnyHook().execute()
  File 
"/usr/lib/python2.6/site-packages/resource_management/libraries/script/script.py",
 line 219, in execute
method(env)
  File 
"/var/lib/ambari-agent/cache/stacks/HDP/2.0.6/hooks/before-ANY/scripts/hook.py",
 line 29, in hook
setup_users()
  File 
"/var/lib/ambari-agent/cache/stacks/HDP/2.0.6/hooks/before-ANY/scripts/shared_initialization.py",
 line 41, in setup_users
groups = params.user_to_groups_dict[user],
  File "/usr/lib/python2.6/site-packages/resource_management/core/base.py", 
line 154, in __init__
self.env.run()
  File 
"/usr/lib/python2.6/site-packages/resource_management/core/environment.py", 
line 158, in run
self.run_action(resource, action)
  File 
"/usr/lib/python2.6/site-packages/resource_management/core/environment.py", 
line 121, in run_action
provider_action()
  File 
"/usr/lib/python2.6/site-packages/resource_management/core/providers/accounts.py",
 line 44, in action_create
if not self.user:
  File 
"/usr/lib/python2.6/site-packages/resource_management/core/providers/accounts.py",
 line 94, in user
return pwd.getpwnam(self.resource.username)
TypeError: getpwnam() argument 1 must be string, not None
Error: Error: Unable to run the custom hook script ['/usr/bin/python2', 
'/var/lib/ambari-agent/cache/stacks/HDP/2.0.6/hooks/before-ANY/scripts/hook.py',
 'ANY', '/var/lib/ambari-agent/data/command-3281.json', 
'/var/lib/ambari-agent/cache/stacks/HDP/2.0.6/hooks/before-ANY', 
'/var/lib/ambari-agent/data/structured-out-3281.json', 'INFO', 
'/var/lib/ambari-agent/tmp']
i find there is a jira bug (https://issues.apache.org/jira/browse/AMBARI-13401 
)
Is this a bug of ambari? how can I fix this issue?

thanks
juntao

Do we have API for change password

[Satyanarayana Jampa]

Hi,
  Just wondering if we have an API to change the Ambari password, instead of 
logging in and changing the password.
  Actually I have a custom script which will take username and password as 
argument which I have to use it for configuration before installing Ambari.

Thanks,
Satya.