I am trying to have Cloudera Manager run a check on a Kudu cluster, which eventually will be the following command, run as the kudu user:

`kudu cluster ksck master_host`

The output of this command is:

Not authorized: leader master liveness check error: Could not connect to the cluster: Client connection negotiation failed: client connection to 10.x.y.z:7051: server requires authentication, but client does not have Kerberos credentials available

If I run this command manually from the command line, as kudu, I have the same error. If I try to run kinit, a password is asked for the kudu user, but as far as I understand it, all the "backend" users are passwordless.

If I update $HOME/.klogin to allow my user with ksu I do have a krb ticket (klist shows it) but it is still not a ticket for the kudu user, and I end up having the same error message.

My kerberos-fu is weak, but as far as I thought, the cluster was well configured, spark/impala/kudu work well together, without authorisation issue. The inspector is all green, there are kudu credentials for all hosts of the cluster.

How could I have this command run properly from the cloudera manager?

Guillaume
  • _"all the 'backend' users are passwordless"_ > wrong. Service accounts store their password in a keytab file. To run commands as a svc account you must `kinit -kt` _`keytab_file`_ _`SPN`_ (usually on the node running the service so that the keytab is already there) – Samson Scharfrichter Apr 05 '20 at 11:02
  • And of course it's reeeeeally dangerous to juggle with multiple kerberos creds, especially as root, hence setting a temporary env var `KRB5CCNAME` to a "private" cache file is good practice. – Samson Scharfrichter Apr 05 '20 at 11:06
  • I stand corrected, thanks. I still cannot run ksck from the cloudera manager, but I have found the keytab file indeed. – Guillaume Apr 08 '20 at 16:18

1 Answer

Half answer:

To run the command in the command line, you can run it from the account of a user who is in the `superuser_acl` setting from kudu. Then as this user run `kinit` and then you can run the `kudu cluster ksck` command.

This does not explain why the same user from Cloudera Manager still cannot run the rebalance, but at least I have a workaround.

Guillaume
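The keytab login and private credential cache suggested in the comments above, as an added example that is not part of the original thread. The function name `run_with_keytab`, the keytab path and the principal in the usage comment are assumptions; substitute the values from your own cluster.

```shell
# Run one command as a service principal, authenticating from a keytab into a
# private, throwaway credential cache so no other ticket cache is touched.
# Usage (path and principal are placeholders, not values from the thread):
#   run_with_keytab /path/to/kudu.keytab "kudu/$(hostname -f)@EXAMPLE.COM" \
#       kudu cluster ksck master_host
# Exit codes: 2 = bad arguments or setup failure, 3 = kinit failed,
# otherwise the exit code of the wrapped command.
run_with_keytab() (
    # The function body is a subshell: KRB5CCNAME and the trap below never
    # leak into the calling shell.
    if [ "$#" -lt 3 ]; then
        echo "usage: run_with_keytab KEYTAB PRINCIPAL COMMAND [ARGS...]" >&2
        exit 2
    fi
    keytab=$1
    principal=$2
    shift 2

    if [ ! -r "$keytab" ]; then
        echo "keytab not readable: $keytab" >&2
        exit 2
    fi

    # mktemp -d creates a directory only the current user can enter, so the
    # cache file inside it is not exposed to other local accounts.
    dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc.XXXXXX") || exit 2

    # Destroy the ticket and remove the directory on every exit path.
    trap 'kdestroy >/dev/null 2>&1; rm -rf "$dir"' EXIT

    KRB5CCNAME="FILE:$dir/cc"
    export KRB5CCNAME

    # -k: take the key from a keytab, -t: which keytab file to use.
    kinit -kt "$keytab" "$principal" || exit 3

    # The wrapped command sees only the service principal's ticket.
    "$@"
)
```

`klist -kt KEYTAB` lists the principals stored in a keytab, which is the quickest way to find the exact name to pass as PRINCIPAL.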