
Background

After Kerberizing an HDP/HDF cluster, some native admin UIs return "401 Authentication required".

For example, the Ambari Infra Solr Admin UI:

[screenshot: Ambari Infra Solr Admin UI returning 401 Authentication required]

This happens because the web UI is configured for SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism), which extends Kerberos authentication to HTTP. The client must hold a valid Kerberos ticket, and the browser must present it to the server.

Mac Kerberos Client Configuration

The Kerberos client software is installed by default on Mac OS, but you need to add a configuration file so it can reach your KDC server.

$ sudo vi /Library/Preferences/edu.mit.Kerberos
[domain_realm]
  .hortonworks.com = "HORTONWORKS.COM"
  hortonworks.com = "HORTONWORKS.COM"
[libdefaults]
  default_realm = "HORTONWORKS.COM"
  dns_fallback = "yes"
  noaddresses = "TRUE"
[realms]
HORTONWORKS.COM = {
  admin_server = "ad.hortonworks.com"
  default_domain = "hortonworks.com"
  kdc = "ad.hortonworks.com"
}

Firefox Configuration

In the address bar, type about:config.

Search for negotiate-auth and add the cluster's domain (for example .hortonworks.com) to network.negotiate-auth.trusted-uris, so Firefox is allowed to send the Kerberos ticket to those hosts.

[screenshot: Firefox about:config filtered on negotiate-auth]

Option 1: Command Line

From the command line, obtain a Kerberos ticket with kinit:

$ kinit hadoopadmin@HORTONWORKS.COM
hadoopadmin@HORTONWORKS.COM's password:

Then list the tickets in the cache to confirm the ticket-granting ticket is present:

$ klist
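Before switching to the browser, it helps to confirm that the three pieces the article relies on actually line up: the default_realm in the client configuration, a ticket-granting ticket for that realm in the cache that klist shows, and a server that accepts Negotiate. The following script is an added example written for this page; it is not part of the original article or of any Hortonworks tooling. It assumes the UI URL is passed as the first argument, that curl has GSS-API support (true for the system curl on macOS), and that klist prints a "Principal" column as in the constructed SAMPLE_KLIST below. The realm, principal and host names are the ones the article uses.

```shell
#!/bin/sh
# Added example, not from the original article or from Hortonworks.
# Pre-flight check for SPNEGO access to a Kerberized HDP/HDF web UI from a Mac:
#   1. read default_realm from the Kerberos client config,
#   2. confirm klist shows a TGT (krbtgt/REALM@REALM) for that realm,
#   3. probe the UI with curl --negotiate and explain the HTTP status.
# Assumptions (mine, not the page's): the UI URL is given as $1, curl has
# GSS-API support (true for the system curl on macOS), and klist prints the
# "Principal" column format shown in SAMPLE_KLIST below.

# Print the default_realm from krb5.conf-style text on stdin. Accepts both the
# quoted form used in /Library/Preferences/edu.mit.Kerberos and the bare form
# common in /etc/krb5.conf.
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\1/p' | head -n 1
}

# Succeed when klist output on stdin lists a ticket-granting ticket for realm $1.
klist_has_tgt() {
    grep -qF "krbtgt/$1@$1"
}

# Ask the UI for a page with SPNEGO (curl's --negotiate with an empty user, so
# the ticket cache is used) and print only the HTTP status code.
probe_spnego() {
    curl -s -o /dev/null -w '%{http_code}' --negotiate -u : "$1"
}

# Turn the status code into a diagnosis in the terms the article uses.
http_status_hint() {
    case "$1" in
        200) echo "authenticated: SPNEGO negotiation succeeded" ;;
        401) echo "server demanded Negotiate: ticket missing, expired, for another realm, or not sent" ;;
        403) echo "authenticated but not authorized for this UI" ;;
        000) echo "no HTTP response: host unreachable or TLS failure" ;;
        *)   echo "unexpected status" ;;
    esac
}

# Constructed sample data (not real output from any cluster) so the parsing
# functions can be exercised without a KDC.
SAMPLE_KRB5='[libdefaults]
  default_realm = "HORTONWORKS.COM"
  dns_fallback = "yes"'
SAMPLE_KLIST='Credentials cache: API:501
        Principal: hadoopadmin@HORTONWORKS.COM

  Issued                Expires               Principal
Jan  7 17:30:00 2017  Jan  8 03:30:00 2017  krbtgt/HORTONWORKS.COM@HORTONWORKS.COM'

# Run the parsers over the constructed samples; prints the realm it found.
self_check() {
    realm=$(printf '%s\n' "$SAMPLE_KRB5" | krb5_default_realm)
    printf '%s\n' "$SAMPLE_KLIST" | klist_has_tgt "$realm" || return 1
    echo "$realm"
}

# Live check against a real UI, e.g. sh spnego_check.sh https://infra-solr-host:8886/solr/
main() {
    conf=/etc/krb5.conf
    [ -f "$conf" ] || conf=/Library/Preferences/edu.mit.Kerberos
    realm=$(krb5_default_realm < "$conf")
    if [ -z "$realm" ]; then
        echo "no default_realm found in $conf" >&2
        return 2
    fi
    if ! klist 2>/dev/null | klist_has_tgt "$realm"; then
        echo "no TGT for $realm in the ticket cache; run: kinit <user>@$realm" >&2
        return 2
    fi
    code=$(probe_spnego "$1")
    echo "HTTP $code: $(http_status_hint "$code")"
}

# Only run the live check when a URL was given, so the functions can be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A 401 from the probe while klist shows a fresh TGT usually means the server's service principal or the browser/curl trust settings are the problem rather than the ticket itself; a 401 with no TGT listed is simply the state the article's screenshot shows before kinit. The script reads /etc/krb5.conf first and falls back to the MIT file used in the article, since Mac OS consults both.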

Option 2: Ticket Viewer

Open the Ticket Viewer application, which lives in the CoreServices folder.

[screenshot: Finder Go to Folder]

Go to the folder: /System/Library/CoreServices/

[screenshot: CoreServices folder]

Find Ticket Viewer.

[screenshot: Ticket Viewer in CoreServices]

Click Add Identity and enter the principal and its password.

[screenshot: Ticket Viewer Add Identity]

Then you can see the identity and its ticket.

[screenshot: Ticket Viewer showing the identity]

Access the UI again; it now loads instead of returning 401.

[screenshot: Ambari Infra Solr Admin UI after authentication]

Comments

@wbu Thank you for the post, but could you please help me understand how you created the HORTONWORKS.COM REALM and the "hadoopadmin" principal on the Mac for which you generated a ticket using the principal's password? I am using "kadmin -l" to init a new REALM "EXAMPLE.COM" in line with the cluster REALM and also the username "hadoopadmin", but when I try adding a REALM using "init -r <realm name>", I get:

kadmin: create_random_entry(krbtgt/EXAMPLE.COM@EXAMPLE.COM): randkey failed: Principal does not exist
init -r <realm name>

Or if I try adding a principal "add -r hadoopadmin@EXAMPLE.COM", I get:

kadmin: adding hadoopadmin@EXAMPLE.COM: Principal does not exist
vi /Library/Preferences/edu.mit.Kerberos OR vi /etc/krb5.conf
[domain_realm]
  .example.com = "EXAMPLE.COM"
  example.com = "EXAMPLE.COM"
[libdefaults]
  default_realm = "EXAMPLE.COM"
  dns_fallback = "yes"
  noaddresses = "TRUE"
[realms]
EXAMPLE.COM = {
  admin_server = "ad.example.com"
  default_domain = "example.com"
  kdc = "ad.example.com"
}

As far as I understand, on a Mac machine the following steps must be performed before doing the steps given above:

1. Create /etc/krb5.conf (vi /etc/krb5.conf)

2. Create a new REALM "EXAMPLE.COM" (same as the Hadoop cluster Kerberos REALM)

3. Create a new user principal "hadoopadmin" (same as the Hadoop cluster Kerberos principal used to access the services)

4. Only then can I create a ticket (kinit) with the same password used in Step 3 while creating the user principal

Regards,