Cloudera Community

Community Articles

Find and share helpful community-sourced technical articles.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Configure Mac and Firefox to access HDP/HDF SPNEGO UI

avatar
author-rank wbu author-rank
Expert Contributor

Created on ‎01-07-2017 06:17 PM - edited ‎09-16-2022 01:38 AM

Background

After Kerberos HDP/HDF cluster, some native admin UI will return "401 Authentication required".

For example, Ambari Infra Solr Admin UI

11228-screen-shot-2017-01-07-at-173334.png

This is because the web UI is configured for SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism) to extend Kerberos to HTTP. Client must have a valid Kerberos ticket and send by browser.

Mac Kerberos Client Configuration

Kerberos software is installed by default in Mac OS, but need to add configure file to access your KDC server.

$ sudo vi /Library/Preferences/edu.mit.Kerberos
[domain_realm]
  .hortonworks.com = "HORTONWORKS.COM"
  hortonworks.com = "HORTONWORKS.COM"
[libdefaults]
  default_realm = "HORTONWORKS.COM" 
  dns_fallback = "yes"
  noaddresses = "TRUE"
[realms]
HORTONWORKS.COM = { 
  admin_server = "ad.hortonworks.com" 
  default_domain = "hortonworks.com" 
  kdc = "ad.hortonworks.com" 
}

Firefox Configuration

type about:config

search negotiate-auth

11229-screen-shot-2017-01-07-at-184132.png

Option1 Command Line

command line to init a kerberos ticket

$ kinit hadoopadmin@HORTONWORKS.COM
hadoopadmin@HORTONWORKS.COM's password:

list the ticket

$ klist

Option2 Ticket Viewer

Go to Ticket Viewer Folder CoreServices

11230-screen-shot-2017-01-07-at-172643.png

Go to the folder: /System/Library/CoreServices/

11231-screen-shot-2017-01-07-at-173035.png

Find Ticket Viewer

11232-screen-shot-2017-01-07-at-173145.png

Add Identity

11233-screen-shot-2017-01-07-at-173704.png

Then you can see the identity

11234-screen-shot-2017-01-07-at-173841.png

Access UI again

11235-screen-shot-2017-01-07-at-185950.png

6,166 Views
Comments

Re: Configure Mac and Firefox to access HDP/HDF SPNEGO UI

avatar
author-rank abhishek_sakhuj
Explorer

Created on ‎02-21-2018 12:37 PM

@wbu Thank you for the post but could you please help me understand that how you have created HORTONWORKS.COM (REALM) and "hadoopadmin" principal on mac for which you have generated a ticket using principal's password? I am using "kadmin -l" to init a new REALM "EXAMPLE.COM" in line with cluster REALM and also the username "hadoopadmin" but when I try adding a REALM using "init -r <realm name>", I get:

kadmin: create_random_entry(krbtgt/EXAMPLE.COM@EXAMPLE.COM): randkey failed: Principal does not exist
init -r <realm name>

Or if I try adding a principal "add -r hadoopadmin@EXAMPLE.COM", I get:

kadmin: adding hadoopadmin@EXAMPLE.COM: Principal does not exist

vi /Library/Preferences/edu.mit.Kerberos OR vi /etc/krb5.conf
  .example.com = "EXAMPLE.COM"
  example.com = "EXAMPLE.COM"
[libdefaults]
  default_realm = "EXAMPLE.COM"
  dns_fallback = "yes"
  noaddresses = "TRUE"
[realms]
EXAMPLE.COM = {
  admin_server = "ad.example.com"
  default_domain = "example.com"
  kdc = "ad.example.com"
}

As far as I understand, on mac machine following steps must be performed before doing the above given steps:

1. Create vi /etc/krb5.conf

2. Create a new REALM "EXAMPLE.COM" (same as Hadoop cluster Kerberos REALM)

2. Create a new user principal "hadoopadmin" (same as Hadoop cluster Kerberos principal used to access the services)

3. Then only I can create a ticket (kinit) with the same password used in Step 2 while creating the user principal

Regards,

Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements
Version history
Last update:
‎09-16-2022 01:38 AM
Updated by:
Expert Contributor Expert Contributor
Contributors