question Can't connect to Livy through Kerberos in Support Questions https://community.cloudera.com/t5/Support-Questions/Can-t-connect-to-Livy-through-Kerberos/m-p/226069#M187930 <P>I'm working with Kerberized HDP 2.6 cluster with Livy2 service, talking to Spark LLAP. </P><P>Under any of the host server I'm able to successfully connect to Livy i.e. through curl:</P><PRE>curl --negotiate -u : host-with-livy.com:8998/sessions</PRE><P>Question: how to connect to livy service from other instances, which are not in the cluster? </P><P>For example, I'm trying to connect from a dockerized ubuntu instance, sitting in one of the host machines (so it's able to connect to any of the machines, but can have a different hostname set, i.e. dockerized-instance.host-with-livy.com). What I've tried:</P><OL> <LI>installed the kerberos client, copied the krb5.conf file from the server. </LI><LI>created krbtgt/...@REALM.COM, HTTP/...@REALM.COM principles in the Kerberos server, created their keytabs </LI><LI>kinit is successful, trying to connect to livy through curl does create a second ticket for HTTP/...@REALM when checking through klist.</LI><LI><EM>(is this enough, or am I missing some crucial steps?)</EM></LI></OL><P>However, connecting to livy draws an error:</P><PRE>error 403: org.apache.hadoop.security.authentication.client.AuthenticationException</PRE><P>I've noticed in the livy2-conf file that <EM>livy.server.auth.kerberos.</EM><EM>principal=HTTP/<STRONG>_HOST</STRONG>@REALM.COM</EM> -- if I understand correctly, my guess is that only the _<STRONG>hosts</STRONG> from the cluster will be able to authenticate? If so, is it possible to specify additional connection settings, allowing connections from external instances, such as the mentioned dockerized instance?</P><P><STRONG>Second question:</STRONG> Am I missing some steps while configuring the kerberos client? Since setting <EM>livy.</EM><EM>server.</EM><EM>auth.</EM><EM>kerberos.</EM><EM>principal=HTTP/...@REALM </EM>to match the hostname of the dockerized instance and replacing the appropriate keytabs in livy.server.auth.kerberos.<EM>keytab </EM>setting<EM>, </EM>theconnection still fails, suggesting that I'm doing something wrong.</P><P>Any help would be appreciated!</P> Mon, 26 Jun 2017 21:01:48 GMT mRabramS 2017-06-26T21:01:48Z