Ambari 2.4.1 - 401 errors on affected services WebUI after enabling SPNEGO

Contributor

Hello,

Step by step following the documentation about enabling SPNEGO authentication for Hadoop, I end up getting 401 authentication errors trying to display the web UI of the affected services (HDFS, YARN, MapReduce):

HTTP ERROR 401

Problem accessing /cluster. Reason:

  1. Authentication required

It's more than obvious I made a noob mistake configuring SPNEGO or Kerberos. Anyway, all services are started with no alerts and I am able to run the "Spark tour in 5 seconds" tutorial in Zeppelin, involving a file download and move on HDFS and a Spark read on HDFS to count empty lines.

Needless to say, I of course double-checked the configuration modifications I did, and most of the time copy/pasted from the Ambari documentation after reading on external sources what was meant to do what, so ...

Can anyone help me get out of trouble?

Regards.

Explorer

It's normal, you turned on Kerberos authentication for the web UIs. To open a web UI you need to have Kerberos credentials! For example, on Linux you need to do kinit.

Contributor

Hi @Roman Glova

Thanks for your answer. Can you be more precise about the way of getting those credentials, please? I'm connecting to the Ambari web UI using the generic admin account; which account do you mean Kerberos is checking credentials for when I use the Ambari quick link to the services' web UIs?

Regards.

Explorer

Did you configure a local KDC?

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.1.0/bk_ambari-security/content/installing_and_c...

If yes, just add a user to the KDC and, before opening the web UI, init the Kerberos credentials of that user:

To add the user: kadmin.local -q "add_principal user_name"

To init the credentials: kinit user_name

Then open the browser.

(This works only on Linux; on Windows there are some problems with SPNEGO.)

Contributor

@Roman Glova thanks again for your reply.

I tried what you suggested but it's not working. Thinking about it and trying to figure out how it works, I think it's maybe due to the fact that I'm using Vagrant and redirecting the machine's local ports to the host ports.

I thought it was obfuscated to the running VM, but perhaps the web UI is waiting for credentials of the active user of the hosting system rather than of the hosted (Vagrant) system? Am I correct? In this case I think I have to install a Kerberos client locally and do some more configuration? Am I right?

Contributor

@Roman Glova Thanks for your answers

As I expected, based on your advice, my local host was not obfuscated due to port forwarding.

I had to (writing it out for people like me who may find this post having the same problem):

  1. Specify a public IP in the Vagrant file and reload
  2. Restart Ambari-server
  3. Install a Kerberos client as stated here: https://help.ubuntu.com/lts/serverguide/kerberos.html
  4. kinit using a user previously added with add_princ on the Kerberos server
  5. klist to check that the credentials have been generated

And it's magic, I could log into the web UI. kdestroy will destroy the credentials.
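
Added example, not part of the thread: a small shell check for the situation resolved above, a 401 from a SPNEGO-protected web UI when no usable ticket exists on the machine that sends the request. It assumes MIT Kerberos client tools and a curl build with SPNEGO support; the URL in the comment is a placeholder and the header sample is constructed.

```shell
#!/bin/sh
# Added example: triage a 401 from a SPNEGO-protected Hadoop web UI.
# Assumes MIT Kerberos client tools (klist -s) and curl built with SPNEGO support.

# Constructed sample: headers curl receives when it has no ticket to offer.
sample_401() {
  printf 'HTTP/1.1 401 Authentication required\r\nWWW-Authenticate: Negotiate\r\n\r\n'
}

# Reduce a `curl -D -` header dump on stdin to "<final status> <first auth scheme or ->".
parse_probe() {
  tr -d '\r' | awk '
    /^HTTP\// { status = $2 }
    tolower($1) == "www-authenticate:" && scheme == "" { scheme = $2 }
    END { print status, (scheme == "" ? "-" : scheme) }'
}

# $1 = HTTP status, $2 = auth scheme, $3 = yes/no (valid ticket in the local cache)
diagnose_spnego() {
  case "$1:$2:$3" in
    200:*)             echo "OK" ;;
    401:Negotiate:no)  echo "NO_TICKET" ;;        # kinit on the machine that sends the request
    401:Negotiate:yes) echo "TICKET_REJECTED" ;;  # compare URL host with the HTTP/<host> principal; check clocks
    401:*)             echo "NOT_SPNEGO" ;;
    *)                 echo "UNEXPECTED_$1" ;;
  esac
}

# Live probe, e.g. ./spnego_check.sh http://rm.example.test:8088/cluster (placeholder URL)
probe() {
  has_ticket=no
  if klist -s 2>/dev/null; then has_ticket=yes; fi
  # --negotiate -u : makes curl answer the challenge from the ticket cache
  result=$(curl -s -o /dev/null -D - --negotiate -u : "$1" | parse_probe)
  diagnose_spnego "${result% *}" "${result#* }" "$has_ticket"
}

if [ "$#" -gt 0 ]; then probe "$1"; fi
```

Run it on the machine where the browser runs, not inside the VM, since that is where the ticket cache has to exist.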