Uploaded image for project: 'Ambari'
  1. Ambari
  2. AMBARI-11179

Kerberos: Oozie auth rules do not look correct

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 2.1.0
    • 2.1.0
    • ambari-server

    Description

      0) create cluster, hDP 2.2, build 1203
      1) Kerb cluster (hdfs, yarn,zk)
      2) add ozzie
      3) add hbase
      4) everything seems ok.
      5) I went and looked at oozie configs, oozie.authentication.kerberos.name.rules property looks like this...is this correct?

      RULE:[1:$1@$0](ambari-qa-MyCluster@EXAMPLE.COM)s/.*/ambari-qa/
RULE:[1:$1@$0](hbase-MyCluster@EXAMPLE.COM)s/.*/hbase/
RULE:[1:$1@$0](hdfs-MyCluster@EXAMPLE.COM)s/.*/hdfs/
RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//
RULE:[1:$1@$0](.*@.*TODO-KERBEROS-DOMAIN)s/@.*//
RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUSER/
RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
RULE:[2:$1@$0](dn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](hbase@EXAMPLE.COM)s/.*/hbase/
RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](jhs@EXAMPLE.COM)s/.*/mapred/
RULE:[2:$1@$0](jn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](nm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](nn@EXAMPLE.COM)s/.*/hdfs/
RULE:[2:$1@$0](oozie@EXAMPLE.COM)s/.*/oozie/
RULE:[2:$1@$0](rm@EXAMPLE.COM)s/.*/yarn/
RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
RULE:[2:$1@$0](yarn@EXAMPLE.COM)s/.*/yarn/
DEFAULT

      Solution
      Remove the following values for oozie-site/oozie.authentication.kerberos.name.rules

      common-services/OOZIE/4.0.0.2.0/configuration/oozie-site.xml:145
            RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
      RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
      RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      DEFAULT
      common-services/OOZIE/5.0.0.2.3/configuration/oozie-site.xml:24
            RULE:[2:$1@$0]([jt]t@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-MAPREDUxSER/
      RULE:[2:$1@$0]([nd]n@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HDFSUSER/
      RULE:[2:$1@$0](hm@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      RULE:[2:$1@$0](rs@.*TODO-KERBEROS-DOMAIN)s/.*/TODO-HBASE-USER/
      DEFAULT

      Attachments

        1. AMBARI-11179_01.patch
          2 kB
          Robert Levas

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. AMBARI-11882 Kerberos: Oozie auth rules do not look correct

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link ReviewBoard

          Activity

            People

              rlevas Robert Levas
              rlevas Robert Levas
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: