Support Questions
Find answers, ask questions, and share your expertise

Atlas in a kerberized hdp cluster 2.4

Solved Go to solution
Highlighted

Atlas in a kerberized hdp cluster 2.4

Expert Contributor

Hi All,

The when I access the atlas UI

http://<ambari-host>:21000/#!/search?user.name=ambari-server

getting error

HTTP ERROR 401 Problem accessing /. Reason: Authentication required

Any helps, thanks.

Avijeet

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

Guru

Hello @Avijeet Dash

Assuming you've enabled Kerberos for Atlas service and Atlas service is up & running, from the error message it looks like the client (browser) is missing a Kerberos ticket. The quickest way to check would be to go any cluster node and use curl to access the Atlas UI like this:

kinit <username>
curl -i -u : --negotiate http://<ambari-host>:21000/#!/search?user.name=<username>;

If everything works fine, this request should return '200 OK'. That would mean that your browser (and/or the node running browser) is not configured to perform Kerberos authentication. Then you'll need to follow this link to enable Kerberos support in browser.

If above curl command doesn't return '200 OK', then we'll need to investigate that first.

Hope this helps.

View solution in original post

8 REPLIES 8
Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

@Avijeet Dash Seems like Atlas is not in running state. Can you please provide the snapshot of atlas application.log when this issue is seen? This will help to debug the issue further.

Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

Expert Contributor

Hi @Ayub Pathan

I see something as below in application.log

2016-09-23 12:26:10,246 WARN - [qtp1286783232-15 - 2d78d5b1-8b49-44f9-8ba5-15a604c12e9a:] ~ AuthenticationToken ignored: org.apache.hadoop.security.authentication.util.SignerException: Invalid signed text: (AuthenticationFilter:528)

Thanks,

Avijeet

Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

@Avijeet Dash The log you pasted is just a warning, that may be not the cause for the issue. Can you also clear the cookies from your browser and try, sometimes it happens that the stale cookie might result in this issue.

Can you please attach the application log for debugging?

Also, seems like your cluster is a secure one(HDP-2.4). HDP-2.5 has many enhancements with respect to security, recommendation is to upgrade the cluster to the latest HDP release.

Thanks

Ayub Khan

Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

Expert Contributor

@Ayub Pathan

Can you pls confirm Atlas UI works in hdp2.4 kerberized environment. I am logging in to kerberized ambari as ambari-server, and has done kinit ambari-sever on the ambari-server and atlas server.

Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

@Avijeet Dash Yes, Atlas UI should work in kerberized environment as well. Can you try logging in as Atlas user?

Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

Guru

Hello @Avijeet Dash

Assuming you've enabled Kerberos for Atlas service and Atlas service is up & running, from the error message it looks like the client (browser) is missing a Kerberos ticket. The quickest way to check would be to go any cluster node and use curl to access the Atlas UI like this:

kinit <username>
curl -i -u : --negotiate http://<ambari-host>:21000/#!/search?user.name=<username>;

If everything works fine, this request should return '200 OK'. That would mean that your browser (and/or the node running browser) is not configured to perform Kerberos authentication. Then you'll need to follow this link to enable Kerberos support in browser.

If above curl command doesn't return '200 OK', then we'll need to investigate that first.

Hope this helps.

View solution in original post

Highlighted

Re: Atlas in a kerberized hdp cluster 2.4

Expert Contributor

Hi @Vipin Rathor

The browers are running in our desktops..right..The servers are running in cloud / azure

you mean to say the browser will do a kinit?

Thanks,

Avijeet

Re: Atlas in a kerberized hdp cluster 2.4

Guru

Hi @Avijeet Dash The browser can not do kinit, it can use a Kerberos ticket if available on the system. If it is Windows desktop, then it can automatically get a ticket from AD during user login. It it is non-Windows desktop, then the logged-in user need to acquire ticket by manually doing kinit.