
After enabling kerberos, unable to access any of the Web UI.

After enabling kerberos, unable to access any of the Web UI. As per HWX docs, SPNEGO has been enabled, but still facing issue in accessing the Web UI. 


Mentor

@saivenkatg55 

Did you set these parameters?

 

Configure the following environment properties for MIT Kerberos.

  • KRB5_CONFIG: Path for the kerberos ini file.

  • KRB5CCNAME: Path for the kerberos credential cache file.

Please revert 

the variables are configured in the /etc/krb5.conf

@Shelton After changing the realm in KDC.conf, now able to execute HDFS commands.

After enabling Kerberos, unable to access any of the web UIs, such as HDFS, YARN and MapReduce.

Expert Contributor

 @saivenkatg55 

There are extended desktop configuration items necessary to clue the windows desktop in to what REALM and KDC the cluster is using, as well as what domain names (the ones used by the cluster) map to which kerberos REALM.

 

You need to run this on windows cmd as admin

 

ksetup /addkdc <REALM> <KDC hostname>
ksetup /addhosttorealmmap <httpFS hostname> <REALM>

 

and set SPNEGO settings on browser

Refer: https://docs.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_browser_access_kerberos_prot...

I am getting the below error while running ksetup

Failed to create Kerberos key: 5 (0x5)
Failed to open Kerberos Key: 0x5
Failed /AddKdc : 0xc0000001

Expert Contributor

@saivenkatg55 

 

You should execute the commands only as a Windows admin user, with the corresponding realm and KDC parameters.

ok. ksetup /addhosttorealmmap <httpFS hostname> <REALM>

 

Does httpFS hostname mean the name node host name?

Expert Contributor

httpFS hostname is the hostname of the web UI you want access to.

This command is used to map the domain name being used by cluster nodes to the kerberos REALM they belong to. A specific hostname with domainname can be configured, or all hosts in a domain with a "." before the domain or subdomain. 

Eg:

C:\Windows\system32>ksetup /addhosttorealmmap .example.com CLUSTER.REALM 

 

 It can be run multiple times to add specific domains/hosts to the mapping to the CLUSTER.REALM.

ksetup is done, and I changed the below properties in Mozilla Firefox as per the HWX docs, but the name node UI is still not opening.

 

  1. For FireFox:

    Navigate to the about:config URL (type about:config in the address box, then press the Enter key).

    Scroll down to network.negotiate-auth.trusted-uris and change its value to your cluster domain name (For example, .hwx.site).

    Change the value of network.negotiate-auth.delegation-uris to your cluster domain name (For example, .hwx.site).

Expert Contributor

What is the windows version being used here?

windows 10 here 

Expert Contributor

For Windows 10, you need to download and install the MIT Kerberos Client:

  • Visit the MIT Kerberos Distribution Page.
  • Download and install (typical installation) the appropriate MIT Kerberos client for Windows - Windows 4.1 64-bit version.
  • The default location of the Kerberos configuration file on a Windows machine is "C:\ProgramData\MIT\Kerberos5\krb5.ini" (this is a hidden file).

  • Copy the contents from the /etc/krb5.conf file from one of the hosts in the Hadoop cluster (from Linux) into the krb5.ini file on Windows, save the changes and exit.

  • Configure the following environment properties for MIT Kerberos by visiting Control Panel -> System -> Advanced -> Environment Variables on Windows:

    • KRB5_CONFIG: Path of the Kerberos ini file.
    • KRB5CCNAME: Path of the Kerberos credential cache file.
  • Save the changes and reboot the machine.
  • Open MIT Kerberos Ticket Manager and supply the appropriate principal and password to have a valid TGT to authenticate to Kerberos Web Consoles:
  • Configure browser to use SPNEGO to negotiate Kerberos authentication and then try to access the web UI

Is it possible to disable SPNEGO authentication with a Kerberos-enabled cluster?

 

Expert Contributor

Yes, you can follow the below steps to disable SPNEGO authentication:

  1. From the Clusters tab, select the service (HDFS, MapReduce, or YARN) for which you want to disable authentication.
  2. Click the Configuration tab.
  3. Under the Scope filter, click service_name (Service-Wide).
  4. Under the Category filter, click Security to display the security configuration options.
  5. In the Enable Kerberos Authentication for HTTP Web-Consoles setting, uncheck the box to disable authentication requirement for the selected service_name (Service-Wide).
  6. Click Save Changes to save the change. This will require a service restart.

Is it applicable for HWX also?

Because I have added the below properties in core-site.xml while enabling

hadoop.http.authentication.simple.anonymous.allowed = false
hadoop.http.authentication.signature.secret.file = /etc/security/http_secret
hadoop.http.authentication.type = kerberos
hadoop.http.authentication.kerberos.keytab = /etc/security/keytabs/spnego.service.keytab
hadoop.http.authentication.kerberos.principal = HTTP/_HOST@ EXAMPLE.COM
hadoop.http.filter.initializers = org.apache.hadoop.security.AuthenticationFilterInitializer
hadoop.http.authentication.cookie.domain = hortonworks.local

Expert Contributor

To disable the SPNEGO authentication for the Hadoop services, modify the following properties related to the service 

 

Ambari Web > Services > HDFS > Configs >  Advanced core-site:

hadoop.http.authentication.simple.anonymous.allowed = true

hadoop.http.authentication.type = simple 

 

It will require the dependent / affected services to be restarted.
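An added example, not part of the original thread or of any Hadoop tooling: a Python check that reads core-site.xml and reports which web-console authentication state the properties discussed above put the cluster in. The sample XML is constructed from the two values in the reply above; the function names are hypothetical.

```python
# Added example (not from the thread): classify the web-console auth state of core-site.xml.
import xml.etree.ElementTree as ET

PREFIX = "hadoop.http.authentication."
INITIALIZER = "org.apache.hadoop.security.AuthenticationFilterInitializer"

# Constructed sample: the two values the reply above sets to turn SPNEGO off.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
</configuration>"""

def load_props(xml_text):
    """Map property name -> value from Hadoop <configuration> XML."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def audit_http_auth(props):
    """Return findings; an empty list means the SPNEGO settings checked here are consistent."""
    auth_type = props.get(PREFIX + "type", "simple")  # Hadoop's default is simple
    anonymous = props.get(PREFIX + "simple.anonymous.allowed", "true").lower()  # default true
    if auth_type == "simple":
        if anonymous == "true":
            return ["web consoles accept unauthenticated requests"]
        return ["simple auth: caller identity is the unverified user.name parameter"]
    if auth_type != "kerberos":
        return ["custom authentication handler, not checked: " + auth_type]
    findings = []
    principal = props.get(PREFIX + "kerberos.principal", "")
    if not principal.startswith("HTTP/"):
        findings.append("kerberos.principal must use the HTTP/ service name for SPNEGO")
    if any(ch.isspace() for ch in principal):
        findings.append("kerberos.principal contains whitespace")
    if INITIALIZER not in props.get("hadoop.http.filter.initializers", ""):
        findings.append("AuthenticationFilterInitializer is not in hadoop.http.filter.initializers")
    return findings
```

Run it against the deployed core-site.xml after each configuration change and service restart, so that a temporary switch to simple authentication made while troubleshooting is not left in place.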

@paras I have disabled Kerberos, but the name node UI is still not working.

[root@hostname~]# netstat -an | grep 50070
tcp 0 0 10.49.70.13:50070 0.0.0.0:* LISTEN
tcp 0 0 10.49.70.13:50070 10.49.70.13:41944 TIME_WAIT
tcp 0 0 10.49.70.13:50070 10.49.70.13:41904 TIME_WAIT
tcp 0 0 10.49.70.13:50070 10.49.70.13:42070 ESTABLISHED
tcp 0 0 10.49.70.13:50070 10.49.70.13:41902 TIME_WAIT
tcp 0 0 10.49.70.13:50070 10.49.70.13:41898 TIME_WAIT
tcp 0 0 10.49.70.13:50070 10.49.70.13:41908 TIME_WAIT
tcp 0 0 10.49.70.13:50070 10.49.70.13:41900 TIME_WAIT
tcp 0 0 10.49.70.13:50070 10.49.70.13:42064 ESTABLISHED
tcp 0 0 10.49.70.13:50070 10.49.70.14:58658 TIME_WAIT
tcp 0 0 10.49.70.13:50070 10.49.70.13:41906 TIME_WAIT
tcp6 0 0 10.49.70.13:41876 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:46082 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:45984 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:42064 10.49.70.13:50070 ESTABLISHED
tcp6 0 0 10.49.70.13:45912 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:45880 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41760 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:46170 10.49.70.14:50070 ESTABLISHED
tcp6 0 0 10.49.70.13:45946 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41798 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:45838 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41976 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41842 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:45914 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41882 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41764 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:46144 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41840 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:45988 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:41978 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:46084 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:46140 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:45836 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:42070 10.49.70.13:50070 ESTABLISHED
tcp6 0 0 10.49.70.13:46172 10.49.70.14:50070 ESTABLISHED
tcp6 0 0 10.49.70.13:41794 10.49.70.13:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:45876 10.49.70.14:50070 TIME_WAIT
tcp6 0 0 10.49.70.13:42024 10.49.70.13:50070 TIME_WAIT

Expert Contributor

What is the error? Please share the snapshot

Did you restart the cluster services post disabling kerberos?

Are you able to fetch curl output to the namenode web UI?

curl -k "<namenode web UI address>"

 

Previous output does show established connections from 10.49.70.13. Please check if 50070 is the port for namenode web UI.

 

 

@paras Now able to access the namenode UI after disabling Kerberos. But I see some errors in the UI.

Please find the screenshot nn.png

 

 

Expert Contributor

What is the curl output to the namenode web UI?

curl -k "<namenode web UI address>"
