question Re: Unauthorized connection for super-user: root from IP 192.168.70.104 How to resolve??? in Archives of Support Questions (Read Only)

Unauthorized connection for super-user: root from IP 192.168.70.104 How to resolve???

jcleve72 — Thu, 01 Jun 2017 06:36:31 GMT

1. I am using HDP 2.6 and ambari 2.5. on a 5 node cluster. The cluster was setup with vagrant following these instructions

https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+for+New+VM+Users . The base box is Centos 7.0

2. I am trying to use File View and I cannot upload a file. I get:

Unauthorized connection for super-user: root from IP 192.168.70.104

3. In Ambari Web. I logged in admin/admin. I have followed the instructions

https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/_configuring_your_cluster_for_files_view.html and created a proxy for admin, I changed the settings to 777. I also added admin as a user of this File View instance.

4. I have the sandbox setup and I can upload files on the sandbox.

5. If I vagrant ssh c7001.ambari.apache.org (node with ambari-server running) I can put a file into the hdfs and it shows up in the file view under /user/admin (The default directory that I set up see (3). )

However, I cannot upload anything from my local filesystem with File View.

Re: Unauthorized connection for super-user: root from IP 192.168.70.104 How to resolve???

jsensharma — Thu, 01 Jun 2017 07:49:27 GMT

@John Cleveland

Looks like you have not added the mentioned IP Address properly inside the property: hadoop.proxyuser.root.hosts

If ambari-server daemon is running as root, you set up a proxy user for root in core-site by adding and changing properties in HDFS > Configs > Custom core-site:

hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
OR
hadoop.proxyuser.root.hosts=192.168.70.104

Here You can also define a comma separate IP Address list so that File View access will be allowed from the mentioned address to avoid this error:

Unauthorized connection for super-user: root from IP 192.168.70.104

Re: Unauthorized connection for super-user: root from IP 192.168.70.104 How to resolve???

jcleve72 — Thu, 01 Jun 2017 09:56:15 GMT

My proxy users for both root and admin are *.

1. What does the * mean?

2. I have noticed that I get 192.168.70.104/5 in the error message ... these are my data nodes. So I will change the * to a comma separated list of the datanodes (for the proxy hosts) and see what happens

thanks

Re: Unauthorized connection for super-user: root from IP 192.168.70.104 How to resolve???

jcleve72 — Thu, 01 Jun 2017 10:39:37 GMT

For some reason

hadoop.proxyuser.root.hosts=c7001.ambari.apache.org??? I changed it to * and I can now upload files.

Re: Unauthorized connection for super-user: root from IP 192.168.70.104 How to resolve???

jsensharma — Thu, 01 Jun 2017 10:59:36 GMT

@John Cleveland

Good to know that your issue is resolved.

Few details:

hadoop.proxyuser.<USER>.hosts

From File View perspective: Here we need to replace the <USER> with the username who is actually running the Ambari Server (Or Standalone Ambari FileView Server) . So if you are running ambari server as "root" user then you will need to set the property for "root" user as "hadoop.proxyuser.root.groups". The Value of this property can be a comma separated list of addresses where you are running the ambari server (OR Standalone View Ambari Server for hosting the View) . Because View Server will actually send requests to Hadoop. So hadoop need to allow access from the host where the FileView is running. Setting * means you can use the FileView (Standalone Ambari View Server) which is installed to any host. (In a kerberized environment we need to replace the <USER> with the ambari server kerberos principal name).

From Generic Hadoop Perspective: In general, By Using proxy user using properties "hadoop.proxyuser.$superuser.hosts" along with either or both of "hadoop.proxyuser.$superuser.groups" and "hadoop.proxyuser.$superuser.users".

By specifying as below in core-site.xml, the superuser named super can connect only from host1 and host2 to impersonate a user belonging to group1 and group2.

Following document explains it with examples: https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html