Support Questions

Find answers, ask questions, and share your expertise

Atlas no Kerberos Login possible

Contributor

After installing Atlas 0.7.0 on Ambari 2.4.2 with HDP 2.5.3 and successfully kerberizing the cluster, no kerberos principal is able to login to the Atlas Dashboard. Ranger is installed and the Atlas Plugin is enabled.

While searching through the community sites, i found that there is a default user: admin:admin, which is working.

Kerberos is enabled as authentication in atlas but the application.log just says: UNKNOWN.

How can i setup Atlas to allow existing ambari/kerberos user to login to atlas dashboard?

Thanks,

Normen

6 REPLIES 6

@Normen Zoch

If I have understood your question correctly, you need something like single sign-on feature which allows you to login once and access all applications.

In this case, you want something like - once you login to ambari UI, atlas dashboard should also be accessible without login prompt.

This is provided by KnoxSSO, which available in atlas-0.8 release.

https://issues.apache.org/jira/browse/ATLAS-1244

@Normen Zoch

Apart from the properties you have mentioned, you need to add one more property.

atlas.authentication.method.kerberos.name.rules = RULE:[2:$1@$0](atlas@EXAMPLE.COM)s/.*/atlas/

Change the rule as per your need and restart Atlas service. You can refer here for auth-to-local rules syntax.

Contributor

Hello Ayub,

Nooo...but close. Currently i can only login to the Atlas Dashboard with the default user: admin:admin.

This is quite lame and not to mention insecure. I want to use my already existing ambari (kerberos) users to login to the Atlas Dashboard.

Kerberos authentication is already enabled:

atlas.authentication.keytab=/etc/security/keytabs/

atlas.service.keytabatlas.authentication.method.file=true

atlas.authentication.method.file.filename=/etc/atlas/conf/users-credentials.properties

atlas.authentication.method.kerberos=true

atlas.authentication.method.kerberos.keytab=/etc/security/keytabs/spnego.service.keytab

atlas.authentication.method.kerberos.principal=HTTP/_HOST@my.net

Now i want to use these Users to login to the Atlas Dashboad.

Best,

Normen

Contributor

Yes, the rule i present. Nevertheless im not able to login with my Kerberos Users. I got the error message:

Invalid User credentials. Please try again.

And none of my users are shown up in the application.log or the audit.log or in the .out log files.

Any clue on this? I mean let me ask you, how do YOU setup your login methods? Do you even use Kerberos?

Best,

Normen

Contributor

Hello Ayub or anyone. What did you do, do get Kerberos logins with Atlas Dashbaord working?

Thanks,

Normen

Mentor

@Normen Zoch

I think the only autntication methods you can use are

None that equates to admin/admin
AD-- Active Directory authentication
LDAP---Any LDAP compliant authenitcation

Kerberos is used internally by the hadoop component to authenticate but you will need AD or LDAP to accomplish your security task.(see attached)


atlas-auth.png
Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.