Re: Trying to create hbase tables after enabling Kerberos with Ambari

Tue, 22 Mar 2016 14:23:05 -0700 

Roberta,
please try this resource https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/ 

Hope it helps.

Regards,
Henning

Am 22/03/16 um 20:49 schrieb Roberta Marton:



As I work more with Kerberos, I have questions that I cannot seem to 
figure out from the documentation and scanning the internet.  Maybe 
you can answer them.


From Ambari documentation:


“Each service and sub-service in Hadoop must have its own principal. A 
principal name in a given realm consists of a primary name and an 
instance name, which in this case is the FQDN of the host that runs 
that service. As services do not login with a password to acquire 
their tickets, their principal's authentication credentials are stored 
in a keytab file, which is extracted from the Kerberos database and 
stored locally with the service principal on the service component host.”



As part of enabling Kerberos, Ambari creates all these service 
principals and keytabs.  So my question is, how are tickets managed 
between the Hadoop services?  For example, HBase needs to talk to HDFS 
to write some data.  If I instigate this request, does HBase send my 
ticket to services, like HDFS, or does it intercept the request and 
send its own ticket to HDFS to manage the request.



How does HBase (and other Hadoop services) manage their own ticket 
renewal and expiration?  Do they use a thread to automatically renew 
the ticket like suggested in many forums?  What happens if the ticket 
expires in the middle of a request?  Is there code in each service to 
determine that a ticket is about to expire, and perform a kinit to 
create a new ticket and send it seamlessly down the line?


   Regards,

   Roberta


*From:* Robert Levas [mailto:rle...@hortonworks.com 
<mailto:rle...@hortonworks.com>]

*Sent:* Tuesday, March 22, 2016 6:45 AM
*To:* user@ambari.apache.org <mailto:user@ambari.apache.org>

*Subject:* Re: Trying to create hbase tables after enabling Kerberos 
with Ambari


Henning…

I didn’t know about that hadoop command.  This is awesome. Thanks!

    hadoop org.apache.hadoop.security.HadoopKerberosName
    trafodion-robertaclus...@trafkdc.com
    <mailto:trafodion-robertaclus...@trafkdc.com>

Rob


*From: *Henning Kropp <hkr...@microlution.de 
<mailto:hkr...@microlution.de>>
*Reply-To: *"user@ambari.apache.org <mailto:user@ambari.apache.org>" 
<user@ambari.apache.org <mailto:user@ambari.apache.org>>

*Date: *Monday, March 21, 2016 at 5:49 PM

*To: *"user@ambari.apache.org <mailto:user@ambari.apache.org>" 
<user@ambari.apache.org <mailto:user@ambari.apache.org>>
*Subject: *Re: Trying to create hbase tables after enabling Kerberos 
with Ambari


Hi,


what Robert suggested sounds to me exactly what you would need. It 
would help if you could provide your auth_to_local setting and the 
output of hbase> whoami


Another way to test your auth_to_locals setting would be to execute:

    % hadoop org.apache.hadoop.security.HadoopKerberosName 
trafodion-robertaclus...@trafkdc.com 
<mailto:trafodion-robertaclus...@trafkdc.com>



Please be aware that the rules are applied in order, so it is 
important to have the rule from Robert before the default rule.


A more simple rule could also be:

    RULE:[1:$1@$0](trafidion-robertaclus...@trafkdc.com 
<mailto:trafidion-robertaclus...@trafkdc.com>)s/.*/trafodion/



The above rule will only work for this principal/user. Put it as the 
first line of your auth to local and use HadoopKerberosName to test if 
it is working.


Regards,
Henning

Am 21/03/16 um 21:40 schrieb Roberta Marton:

    Thanks for your suggestion.  My property settings did have the
    second rule defined but not the first.

    However, it did not seem to help.

    I tried setting the rule several other ways but nothing seems to
    work.  I still get the same behavior.

    Roberta

    *From:*Robert Levas [mailto:rle...@hortonworks.com
    <mailto:rle...@hortonworks.com>]
    *Sent:* Monday, March 21, 2016 11:21 AM
    *To:* user@ambari.apache.org <mailto:user@ambari.apache.org>
    *Subject:* Re: Trying to create hbase tables after enabling
    Kerberos with Ambari

    Hi Roberta…

    It seems like you need an auth-to-local run set up to translate
    trafodion-robertaclus...@trafkdc.com
    <mailto:trafodion-robertaclus...@trafkdc.com>to trafodion.

    To can do this by editing the hadoop.security.auth_to_local
    property under HDFS->Configs->Advanced->Advanced core-site.

    Adding the following rule should do the trick:

        RULE:[1:$1@$0](.*-robertaclus...@trafkdc.com)s/-robertaCluster@.*//
        <mailto:.*-robertaclus...@trafkdc.com%29s/-robertaCluster@.*//>

    You will need to add this rule to the ruleset before/above less
    general rules like

        RULE:[1:$1@$0](.*@TRAFKDC.COM)s/@.*//
        <mailto:.*@TRAFKDC.COM%29s/@.*//>

    After adding this rule, save the config and restart the
    recommended services.

    I hope this helps,

    Rob

    *From: *Roberta Marton <roberta.mar...@esgyn.com
    <mailto:roberta.mar...@esgyn.com>>
    *Reply-To: *"user@ambari.apache.org
    <mailto:user@ambari.apache.org>" <user@ambari.apache.org
    <mailto:user@ambari.apache.org>>
    *Date: *Monday, March 21, 2016 at 2:08 PM
    *To: *"user@ambari.apache.org <mailto:user@ambari.apache.org>"
    <user@ambari.apache.org <mailto:user@ambari.apache.org>>
    *Subject: *Trying to create hbase tables after enabling Kerberos
    with Ambari

    I am trying to install Kerberos on top of my Hortonworks
    installation.  I have tried this with both versions 2.2 and 2.3
    and get similar results.

    After I enable Kerberos, I create a Linux user called trafodion
    and grant this user all HBase permissions.

    I connect as trafodion but get permission errors when I try to
    create a table.

    Details:

    [trafodion@myhost ~]$ whoami

    trafodion

    [trafodion@myhost ~]$ klist

    Ticket cache: FILE:/tmp/krb5cc_503 <FILE:///%5C%5Ctmp%5Ckrb5cc_503>

    Default principal: trafodion-robertaclus...@trafkdc.com
    <mailto:trafodion-robertaclus...@trafkdc.com>

    Valid starting     Expires            Service principal

    03/21/16 16:39:33  03/22/16 16:39:33
    krbtgt/trafkdc....@trafkdc.com <mailto:krbtgt/trafkdc....@trafkdc.com>

    renew until 03/21/16 16:39:33

    hbase shell

    hbase(main):002:0> whoami

    trafodion-robertaclus...@trafkdc.com
    <mailto:trafodion-robertaclus...@trafkdc.com>(auth:KERBEROS)OIw

    2016-03-21 17:06:22,925 WARN  [main]
    security.UserGroupInformation: No groups available for user
    trafodion-robertaCluster

    hbase(main):003:0> user_permission

    User Table,Family,Qualifier:Permission

    trafodion hbase:acl,,: [Permission:
    actions=READ,WRITE,EXEC,CREATE,ADMIN]

    ambari-qa hbase:acl,,: [Permission:
    actions=READ,WRITE,EXEC,CREATE,ADMIN]

    2 row(s) in 1.7630 seconds

    hbase(main):004:0> create 't1', 'f1', 'f2'

    ERROR: org.apache.hadoop.hbase.security.AccessDeniedException:
    Insufficient permissions for user 'trafodion-robertaCluster'
    (global, action=CREATE)

    I am able to perform ‘user_permission’ but not ‘create’

    Any suggestion on how to proceed?

    Roberta

























					Reply via email to