Re: How to use rest api to install service while kerberos is enabled

2019-07-10 Thread Robert Levas
Hi Zhang... The latest docs for Ambari's Kerberos-release REST API can be found at https://github.com/apache/ambari/blob/trunk/ambari-server/docs/security/kerberos/enabling_kerberos.md#the-rest-api. In particular, to set the KDC administrator credentials, have a look at https://github.com/apache/a

Re: knox cannot resolve user principal

2018-06-11 Thread Robert Levas
Hi Lian…. This seems to be more of a Knox/Ranger question. Here is a response from Larry from the Knox team. Can you send further questions on this topic to the Knox mailing list - u...@knox.apache.org. On Jun 11, 2018, at 2:49 PM, Larry McCay

Re: make ambari create kerberos users in custom format

2018-05-09 Thread Robert Levas
Lian… It appears you have a few issues here – neither are related to the Ambari-generated auth-to-local rule. 1) The realm name needs to be in all uppercase characters. So test_kdc.com is incorrect. It needs to be TEST_KDC.COM. If the KDC is configured to use the lowercase version of this,

Re: use krb-conf section to set udp_preference_limit = 1

2018-05-07 Thread Robert Levas
You can use Blueprints to customize the krb5.conf file. It is a little messy due to the JSON structure, but it is not that hard. This is done by setting the “content” property of the “krb5-conf” configuration type. The default value is: [libdefaults] renew_lifetime = 7d forwardable = tru

[NOTICE] FQDN is needed for MIT KDC admin_server_host value

2017-11-06 Thread Robert Levas
Team… I wanted to alert you to a change that was added to the trunk via AMBARI-22293 (https://issues.apache.org/jira/browse/AMBARI-22293). As of this change, when enabling Kerberos using either the existing MIT KDC or IPA server options, it is required that the kerberos_env/admin_server_host

Re: Re: Re: User Management with Kerberos

2017-08-17 Thread Robert Levas
put the jar in env, then it will work, no need to replace the ambari code. Can I do like this? Regards Xinen Yuan From: Robert Levas [mailto:rle...@hortonworks.com] Sent: August 16, 2017 20:46 To: user@ambari.apache.org Subject: Re: Re: User Management with Kerberos Xinen… Since Ambari is not meant to

Re: Re: User Management with Kerberos

2017-08-16 Thread Robert Levas
? If not, if I want to implement this apis, is there any custom API to implement this in ambari? Or is there a plan to support for Ambari? Regards Xinen Yuan From: Robert Levas [mailto:rle...@hortonworks.com] Sent: August 15, 2017 20:30 To: user@ambari.apache.org Subject: Re: User Management with kerboe

Re: User Management with Kerberos

2017-08-15 Thread Robert Levas
Hi Xinen Can you clarify what you are trying to (or would like to) do? Ambari is not a general identity management system. Therefore, it does not have facilities to create just any identity (usernames, passwords, keytabs). It really only knows how to create the identities that it needs for the

Re: CacheLoader returned null for key

2017-04-11 Thread Robert Levas
Hi Tom… I think I just ran into this as well. It wasn’t clear what caused it. Whether it is an Ambari upgrade bug or whether some view was not properly removed before the upgrade – maybe related to a stack upgrade? In any case, check out the Ambari DB and see if there are any orphaned adminres

Re: Does ambari agent renew kerberos ticket automatically?

2016-08-25 Thread Robert Levas
Hi Zhang… The answer to your question depends on who performed the kinit and for what purpose. The services should all renew their Kerberos tickets automatically. The logic for ticket handling in each service is in the source code for that particular service. You will need to research each ser

Re: Hit NPE in Test Kerberos Client When enable kerberos for HDFS

2016-06-29 Thread Robert Levas
I believe that this tends to happen if the host names do not always resolve the same way. For example, does `hostname -f` yield the host name on each host that was registered with Ambari? The same goes for the Ambari server host. Rob On 6/29/16, 10:57 AM, "陶征霖" wrote: Hi, I used ambari 2

Re: question on Kerberos

2016-05-02 Thread Robert Levas
Hi Fay… It seems like if you were switching KDCs, your best bet would have been to disable Kerberos and then enable Kerberos using the new KDC. In any case, I assume you have Ambari set up to integrate with a KDC using the “manual” option where you are responsible for creating the principals a

Re: question on kerberos

2016-04-21 Thread Robert Levas
is shown: [1]+ Done curl -k -H "X-Requested-By:ambari" -u admin:passw0rd -i -X GET http://localhost:8081/api/v1/clusters/MyCluster/kerberos_identities?fields=* It seems that format=csv is not taken into account. Do I miss anything? -f On Thursday, April 21, 2016

Re: question on kerberos

2016-04-21 Thread Robert Levas
Hi Fay… The API call you want to use to get the details about the expected Kerberos identities is GET /api/v1/clusters/c1/kerberos_identities?fields=* By default this will give you a JSON formatted file of the data. If you append format=CSV to the query, Ambari will provide the data in a CSV

Re: Question on Kerberos enabled cluster

2016-04-05 Thread Robert Levas
Roberta… You can tell if Kerberos is enabled by checking the cluster-env/security_enabled flag. If true, Kerberos is enabled, else it is not. You will see a lot of code in the agent side scripts that look something like: params.py: … security_enabled = config['configurations']['cluster-en

Re: Trying to create hbase tables after enabling Kerberos with Ambari

2016-03-22 Thread Robert Levas
rule several other ways but nothing seems to work. I still get the same behavior. Roberta From: Robert Levas [mailto:rle...@hortonworks.com] Sent: Monday, March 21, 2016 11:21 AM To: user@ambari.apache.org

Re: Trying to create hbase tables after enabling Kerberos with Ambari

2016-03-21 Thread Robert Levas
Hi Roberta… It seems like you need an auth-to-local rule set up to translate trafodion-robertaclus...@trafkdc.com to trafodion. You can do this by editing the hadoop.security.auth_to_local property under HDFS->Configs->Advanced->Advanced core-site. Adding the following rule should do the trick:

Re: Kerberos version that Ambari supports

2016-03-19 Thread Robert Levas
Zhaowei, Ambari and Hadoop use Kerberos V5. When enabling Kerberos via Ambari, the MIT Kerberos client packages will be installed. The version of these packages is different depending on the OS. For example, on a CentOS6 host, the package version will be 1.10.3: Name: krb5-worksta

Re: Ambari Server sync-ldap not pulling group membership info.

2016-03-07 Thread Robert Levas
# search result search: 2 result: 0 Success # numResponses: 10 # numEntries: 9 ++ As I am not very much familiar with LDAP so may be I am providing wrong value in authentication.ldap.groupMembershipAttr. Can you please help me on this? Regards, Pratip

Re: Ambari Server sync-ldap not pulling group membership info.

2016-03-07 Thread Robert Levas
What version of Ambari and LDAP server are you using? I believe before Ambari 2.1 there was an issue syncing with OpenLDAP. Maybe you are hitting this issue. Else maybe there is an issue with your configuration where the group membership link isn't correct and Ambari is trying to look up an i

Re: can not start service after kerberos

2016-03-04 Thread Robert Levas
Hi Fay… The REST API call to set the KDC administrator credentials is to use the /api/v1/clusters/$CLUSTER_NAME entry point, not the /api/v1/clusters/$CLUSTER_NAME/service entry point. So you need to make 2 API calls – one to set the credentials and one to start the services. Ideally you sho

Re: another Kerberos issue

2016-02-24 Thread Robert Levas
.apache.org" <user@ambari.apache.org>, Fay Wang <faywang...@yahoo.com> Date: Wednesday, February 24, 2016 at 1:55 AM To: Robert Levas <rle...@hortonworks.com>, "user@ambari.apache.org

Re: another Kerberos issue

2016-02-23 Thread Robert Levas
" : "1", "password_min_lowercase_letters" : "1", "password_min_punctuation" : "1", "password_min_uppercase_letters" : "1", "password_min_whitespace" : "0", "realm" : "EXAMPLE.COM", "servi

Re: another Kerberos issue

2016-02-23 Thread Robert Levas
common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml /var/lib/ambari-server/resources/stacks/.../services/KERBEROS/configuration/kerberos-env.xml /var/lib/ambari-server/resources/common-services/KERBEROS/1.10.3-10/configuration/kerberos-env.xml Please advise. -f On Tuesday, Febru

Re: question on Kerberos attribute template

2016-02-23 Thread Robert Levas
Hi Fay… That attribute template is used for creating accounts in an Active Directory. If you are not using AD as your KDC, then there is no need to set it. However if you are using AD, and you didn’t set it, Ambari should use the default template that is like the one you posted. Rob From: F

Re: another Kerberos issue

2016-02-23 Thread Robert Levas
Hi Fay… This can happen if the Kerberos service config data becomes corrupted. If you do the following API call, do you get any data back? GET /api/v1/clusters/MyCluster/configurations?type=kerberos-env In my cluster I don’t have Kerberos installed, so I get the following response: { "href"

Re: Disable Kerberos using REST API

2016-02-16 Thread Robert Levas
Fay… Just as when you enabled Kerberos via the API and you needed to add the KERBEROS service and KERBEROS_CLIENT component… when you disable Kerberos, you also need to manually remove the KERBEROS_CLIENT component and KERBEROS service. The Ambari UI does this as part of the Enabled/Disable Ker

Re: question on automating kerberization

2016-02-16 Thread Robert Levas
.org>, Fay Wang <faywang...@yahoo.com> Date: Sunday, February 14, 2016 at 5:28 PM To: Robert Levas <rle...@hortonworks.com>, "user@ambari.apache.org" <user@ambari.apache.org> Subject: Re: question on automati

Re: question on automating kerberization

2016-02-14 Thread Robert Levas
Hi Fay… This is the first that I have heard of this issue. Have you noticed a pattern as to which keytab files are not being created? Did you look in the ambari-server.log file to see if any errors are logged? Have you looked in the KDC (or Active Directory) to see if the principal had been c

[ANNOUNCE] Apache Ambari 2.2.1

2016-02-09 Thread Robert Levas
The Apache Ambari team is proud to announce Apache Ambari version 2.2.1 Apache Ambari is a tool for provisioning, managing, and monitoring Apache Hadoop clusters. Ambari consists of a set of RESTful APIs and a browser-based management console UI. The release bits are at: http://www.apache.org

Re: Method to re-populate keytabs on a single host?

2016-02-03 Thread Robert Levas
Sorry, premature send… If you are daring and have a backup of your Ambari database, you can remove the relevant entries from the kerberos_principal_host table and then click then regenerate the missing keytabs. Rob From: Robert Levas <rle...@hortonworks.com> Date: Wednesday, Fe

Re: Method to re-populate keytabs on a single host?

2016-02-03 Thread Robert Levas
Matthew… You can try to Regenerate Keytabs and click the check box on the first popup page that indicates to only create the missing keytab files. However the Ambari server may not know that the keytabs are missing from that one host. If you are daring and have a backup of your Ambari database,

Re: 500 status code in kerberos install step3

2016-02-02 Thread Robert Levas
Margus, Is Ambari installed on a host that does not have an Ambari agent on it? If so, this is probably the issue. I believe this is fixed in Ambari 2.2.0. In Ambari 2.1.2, there appears to be an issue where if the Ambari server is not on a host with an agent, the server-side commands fail w

Re: openjdk update breaks ambari-agent 2-way ssl

2016-01-22 Thread Robert Levas
Greg… I filed https://issues.apache.org/jira/browse/AMBARI-14778 for this issue. Rob From: Robert Levas <rle...@hortonworks.com> Reply-To: "user@ambari.apache.org" <user@ambari.apache.org> Date: Friday, January 2

Re: openjdk update breaks ambari-agent 2-way ssl

2016-01-22 Thread Robert Levas
Hi Greg. Can you check the details about the agent-side certificate. `openssl x509 -in /var/lib/ambari-agent/keys/HOSTNAME.crt -text -noout` I assume the signature algorithm is md5WithRSAEncryption: Signature Algorithm: md5WithRSAEncryption Ambari is generating this cert using a custom cnf fil

Re: Failed to put kerberos descriptor via REST API

2016-01-08 Thread Robert Levas
aywang...@yahoo.com> Date: Thursday, January 7, 2016 at 10:30 PM To: Robert Levas <rle...@hortonworks.com> Cc: "user@ambari.apache.org" <user@ambari.apache.org> Subject: Re: Failed to put kerberos descriptor via REST API Tha

Re: Failed to put kerberos descriptor via REST API

2016-01-07 Thread Robert Levas
Hi Fay... Instead of PUT, you should do a POST. To create a new kerberos_descriptor artifact. If a kerberos_descriptor artifact already existed, then you out PUT to update it. I'll have to check, is the documentation incorrect or confusing? Rob On Jan 7, 2016, at 6:50 PM, Fay Wang mailto:f

Re: Need help in Ambari - Active Directory Integration

2015-12-18 Thread Robert Levas
*: CN=Darpan Patel,CN=Users,DC=test,DC=com But the error is still the same : Syncing all.ERROR: Exiting with exit code 1. REASON: Sync event creation failed. Error details: HTTP Error 403: Bad credentials On 17 December 2015 at 21:51, Robert Levas <rle...@hortonworks.com> wrote: Da

Re: Need help in Ambari - Active Directory Integration

2015-12-17 Thread Robert Levas
ers,dc=test,dc=com Regards, DP On 17 December 2015 at 17:55, Robert Levas <rle...@hortonworks.com> wrote: However, I don’t think that these changes will help with the authentication/bind issue. For that, when asked to bind anonymously, you should answer false and then set the Man

Re: Need help in Ambari - Active Directory Integration

2015-12-17 Thread Robert Levas
Hey Darpan… Try changing the following properties: Distinguished name attribute* : distinguishedName Group object class* : group Group name attribute* : cn However, I don’t think that these changes will help with the authentication/bind issue. For that, when asked to bind anonymously, you sho

Re: Install kerberos with AD

2015-11-23 Thread Robert Levas
Hi Ivan… What version of Ambari are you using? The kerberos-setup.sh script is not compatible with Active Directory… it is meant to be used with an MIT KDC. For Active Directory, you will need to create the accounts and keytab files manually. You will also need to distribute the keytab files

Re: Problem while kerberizing my cluster

2015-10-06 Thread Robert Levas
Hi Christian, I haven’t seen that particular error before. I know in the past that we required the Ambari server host to be in the cluster and have at least some clients installed on it. Is it possible for you to try adding the Ambari server host to the cluster? Rob From: "Brand, Christian" R

Re: New groups for HDFS user? And scope of that user?

2015-06-19 Thread Robert Levas
Hi Alex… I don’t think I can answer your question about groups. I assume it is more than just setting the group for the local account. Regarding the headless Kerberos identities… if Ambari is to manage the Kerberos identities, and multiple clusters are setup using the same KDC, then the headless u

Re: Launching Kerberized cluster via Blueprint

2015-06-04 Thread Robert Levas
Hi Loïc, Installing a cluster with Kerberos enabled via Blueprints is not available right now. I think it may be possible to enable this feature, but some work needs to be done in Ambari to handle it. I think this is somewhere in the roadmap, but I am not sure where. As a workaround, it is poss

Re: Active Directory as a KDC for Hadoop

2015-05-28 Thread Robert Levas
Steve... Thanks for the update on this. Rob From: Steve Howard <stevedhow...@gmail.com> Reply-To: "user@ambari.apache.org" <user@ambari.apache.org> Date: Thursday, May 28, 2015 at 9:12 PM To: "user@ambari.apache.org"

Re: Active Directory as a KDC for Hadoop

2015-05-27 Thread Robert Levas
Hi Steve... We have successfully enabled Kerberos on many clusters using AD as the KDC. My experience is with Windows Server 2012, though. The details you are showing for the NN service identity looks correct, so I don't think that is an issue. If it wasn't, Active Directory would have reject

Re: Kadmin installation

2015-05-13 Thread Robert Levas
Hi Loïc, I am sorry it took so long to get back to you. I didn't see your question until just now. For now, Ambari needs to be on a host in the cluster. We hope to fix this requirement soon, but at least through Ambari 2.1, this requirement will stand. So if you have a cluster such that the ho

Re: Kerberos - Algorithm AES256 not enabled

2015-05-07 Thread Robert Levas
6 related message disappeared. Thanks Rob! Loïc From: Robert Levas [mailto:rle...@hortonworks.com] Sent: Wednesday, May 6, 2015 14:25 To: user@ambari.apache.org Subject: Re: Kerberos - Algorithm AES256 not enabled Hi Loïc, It appears you were heading in the

Re: Kerberos - Algorithm AES256 not enabled

2015-05-06 Thread Robert Levas
Hi Loïc, It appears you were heading in the correct direction. The issue is related to the lack of JCE. Once you install the JCE policy jars, you need to restart Ambari. If you have already generated the keytabs for the cluster, you can tell Ambari to regenerate the keytabs and the correct ent

Re: Ambari Unable to start Hive server 2 after enabling security

2015-05-05 Thread Robert Levas
Hi Shaik… That is a good question. According to https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2, it doesn’t appear that a kinit is needed before starting up the server. Rob From: Shaik M <munna.had...@gmail.com> Reply-To: "user@ambari.apache.org

Re: FreeIPA Support for Ambari 2.0

2015-04-23 Thread Robert Levas
ri-server/src/main/java/org/apache/ambari/server/serveraction/kerberos/MITKerberosOperationHandler.java For now I'll go ahead with plain Kerberos setup for 2.0. Please let us know, when 2.1 will be GA release? Regards, Shaik On 22 April 2

Re: FreeIPA Support for Ambari 2.0

2015-04-22 Thread Robert Levas
Hi Shaik... I am not familiar with FreeIPA. Looking at the docs, however, it appears that the underlying KDC and supporting tools are from the MIT packages. This leads me to think that it may work as long as you know how to tell Ambari where the KDC and admin host and ports are. If you try i

Re: HBASE multiple branches in common-services

2015-04-20 Thread Robert Levas
Alejandro, Thanks for the heads up on this. I will create a JIRA and fix the kinit path issue. Rob From: Alejandro Fernandez <afernan...@hortonworks.com> Date: Monday, April 20, 2015 at 5:45 PM To: Robert Levas <rle...@hortonworks.com>, Nick Dimiduk

Re: Ambari 2.0 Kerberos Activation - Failed to create keytab

2015-04-18 Thread Robert Levas
-x 2 ambari-server ambari-server 4096 Apr 17 23:35 >>> .ambari_1429306535374-0.d >>> >>> Disk space and available inodes is not an issue. I really don't see a >>> reason why the files cannot be writen to that directory. >>> >>> Inside of the first f

Re: Ambari 2.0 Kerberos Activation - Failed to create keytab

2015-04-17 Thread Robert Levas
e kerberos keytab is exported to the host >directory. Might the missing execute flag be a cause for the permission >denied error? > >The installation runs on CentOS 6.6 and Java Version is 1.7.0_71 > >On 17.04.2015 at 23:14, Robert Levas wrote: >> Hi Frank, >> >> Can you

Re: Ambari 2.0 Kerberos Activation - Failed to create keytab

2015-04-17 Thread Robert Levas
Hi Frank, Can you check to see if /var/lib/ambari-server/data/tmp/ exists on the Ambari server host? If so, what permissions does it have? Ideally, /var/lib/ambari-server/data/tmp/ exists and all directories in the path are executable by the user that Ambari runs as. Both of these are essential