Blog do projektu Open Source JavaHotel

piątek, 30 sierpnia 2019

The 'krb5-conf' configuration is not available

HDP 3.1
A nasty message as visible above suddenly popped up out of the blue. Every configuration change, stopping or starting the service was blocked because of that. The message was related to the Kerberization but "Disable Kerberos" option was also under the spell. It seemed that the only option was to plough under everything and build up the cluster from the bare ground.
The problem is described here but no solution is proposed.
The solution was quite simple. Remove the "Kerberos" marker from the cluster by modifying the Ambari database. In the case of Postgresql database execute the command:
update clusters set security_type='NONE'

After that magic, the "Enable Kerberos" button is active and after performing the "Kerberization" the cluster is happy and healthy again.

niedziela, 4 sierpnia 2019

HDP 3.1, HBase REST API, security gap

I found a nasty problem with HDP 3.1 which cost me several sleepless nights. There is a security gap in HBase REST API. The HBase REST API service does not impersonate users and all HBase commands are executed as hbase user. The same behaviour is passed to Knox HBase. It means that any user having access to HBase REST API or Knox Gateway HBase is authorized to do any action bypassing any security settings in Ranger or HBase service directly.
The only solution I found was to compile the current version of HBase downloaded from GitHub and replace the legacy hbase-rest jar with the new one.

Clone GitHub repository and build the packages
git clone -b branch-2.0
cd hbase
mvn package -DskipTests

As root user
cd /usr/hdp/

Archive existing jar
mkdir arch
mv mv hbase-rest- arch/
unlink hbase-rest.jar

Replace with the new one
ln -s /home/hbase/hbase/hbase-rest/target/hbase-rest-2.0.6-SNAPSHOT.jar hbase-rest.jar

Restart HBase REST API server.