Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Authentication failed when trying to open /webhdfs/v1/?op=LISTSTATUS: Unauthorized.

avatar

I get this after 'kerberizing' my cluster when open "Browse the File System" from HDFS U.I. Authentication failed when trying to open /webhdfs/v1/?op=LISTSTATUS: Unauthorized. Any ideas how to fix it ?

11 REPLIES 11

avatar

also cannot access "view logs" on same U.I. - error dr.who not authorized

avatar
Super Guru

@Phil G

Can you make sure you have property in hdfs-site.xml - "dfs.web.authentication.kerberos.principal" and set to right value

Pls refer - http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_hdfs_admin_tools/content/ch11.html

avatar

value is correct

avatar

Try the same command after performing kinit -

kinit -kt <PATH_TO_KEYTAB> <YOUR-PRINCIPAL-ID>

avatar

keytab file seems to have correct principals, I loaded it in ktutil (/etc/security/keytabs/spnego.service.keytab) but kinit returns

kinit: Keytab contains no suitable keys for HTTP/_HOST@MYREALM.COM while getting initial credentials

avatar

after some fiddling kinit loads keytab but issue remains

avatar

@Phil G ,

With kerberos enabled you need to enable SPNEGO authentication for kerberos.

Could you follow the below link,

http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.1/bk_Ambari_Security_Guide/content/_configurin...

Hope this helps.

avatar
Super Guru
@Phil G

Please find steps below and make sure it works -

  1. klist -kt /etc/security/keytabs/spnego.service.keytab
  2. kinit -kt /etc/security/keytabs/spnego.service.keytab <Principal> <-- [you will get principal from above command]
  3. klist <-- Make sure not you have valid ticket
  4. curl --negotiate -u:<anyuser> "http://$<Host_Name>:$<Port>/webhdfs/v1/user/?op=LISTSTATUS"

Why "anyuser" in above command ? Pls refer - http://docs.hortonworks.com/HDPDocuments/HDP1/HDP-1.2.4/bk_webhdfs/content/ch_webhdfs-user.html

avatar
Contributor

for default your are using dr.who to open the page, bu dr.who don't have the permission. you can check "hadoop.http.staticuser.user" in core-site.xml