Reply
New Contributor
Posts: 4
Registered: ‎04-11-2017

Re: How to merge oozie HA HTTP keberos principals with Cloudera Manager handling Kerboeros principal

 

 We see similar issue and get below error when accessing the load balanced Oozie UI:
 
HTTP Status 403 - GSSException: No valid credentials provided (Mechanism level: Failed to find any Kerberos credentails)
 
Error goes away if we individually load the underlying Oozie instance UI's and then hit the load balanced Oozie UI.
We were told that our load balancer is not passing the SPNEGO authentication properly.  
 
Any one else have this issue?

Posts: 704
Topics: 1
Kudos: 164
Solutions: 88
Registered: ‎04-22-2014

Oozie through load balancer gets error: HTTP Status 403 - GSSException: No valid credentials...

Hello @pankajsaha,

 

The issue you describe may be different and the original thread was quite large, so I created a new thread for you.

 

Since you are able to connect to the Oozie UIs directly, that indicates they are set up for Kerberos properly and that your client can get Service Tickets for those servers.

The "Failed to find any Kerberos credentails" error, though, indicates that perhaps your client cannot get a Service Ticket for your Load Balancer.

 

The reason you are able to connect via the load balancer after you have already connected to the Oozie UIs directly is that you have already gotten a token set in your cookies that is used for authentication.  If you restart the browser, you will need to authenticate again.

 

As for the problem itself, the process is like this:

-- browser connects to the host you specify in the url

-- LB refers to one of the Oozie server

-- Oozie server replies with 401 (auth required)

-- Browser obtains Service Ticket for host specified in the url

-- Browser passes AS_REQ to LB to Oozie server

 

Finding out where the issue is occurring in this system is important.  The first thing I would suggest is verifying that on your browser host, the browser is able to get a Service Ticket for the host specified in the browser URL.

 

What OS are you using for your browser?

Posts: 704
Topics: 1
Kudos: 164
Solutions: 88
Registered: ‎04-22-2014

Re: Oozie through load balancer gets error: HTTP Status 403 - GSSException: No valid credentials...

OOOPS... meant AP_REQ rather than AS_REQ in my previous post.

New Contributor
Posts: 4
Registered: ‎04-11-2017

Re: Oozie through load balancer gets error: HTTP Status 403 - GSSException: No valid credentials...

Thanks for your response!  

 

Browser is running Windows 10.  We can sometimes reproduce this issue using "curl" from a Redhat 7 host

 

Regarding "Browser obtains Service Ticket for host specified in the url"  -  How can we check this on either Windows or Redhat host?  Sorry, I am not familiar with the terminology

 

 

Announcements