Can't connect to Livy through Kerberos

Contributor

I'm working with Kerberized HDP 2.6 cluster with Livy2 service, talking to Spark LLAP.

On any of the host servers I'm able to successfully connect to Livy, i.e. through curl:

curl --negotiate -u : host-with-livy.com:8998/sessions

Question: how to connect to livy service from other instances, which are not in the cluster?

For example, I'm trying to connect from a dockerized ubuntu instance, sitting in one of the host machines (so it's able to connect to any of the machines, but can have a different hostname set, i.e. dockerized-instance.host-with-livy.com). What I've tried:

  1. installed the kerberos client, copied the krb5.conf file from the server.
  2. created krbtgt/...@REALM.COM, HTTP/...@REALM.COM principals in the Kerberos server, created their keytabs
  3. kinit is successful, trying to connect to livy through curl does create a second ticket for HTTP/...@REALM when checking through klist.
  4. (is this enough, or am I missing some crucial steps?)

However, connecting to livy draws an error:

error 403: org.apache.hadoop.security.authentication.client.AuthenticationException

I've noticed in the livy2-conf file that livy.server.auth.kerberos.principal=HTTP/_HOST@REALM.COM -- if I understand correctly, my guess is that only the _hosts from the cluster will be able to authenticate? If so, is it possible to specify additional connection settings, allowing connections from external instances, such as the mentioned dockerized instance?

Second question: Am I missing some steps while configuring the kerberos client? Since setting livy.server.auth.kerberos.principal=HTTP/...@REALM to match the hostname of the dockerized instance and replacing the appropriate keytabs in livy.server.auth.kerberos.keytab setting, the connection still fails, suggesting that I'm doing something wrong.

Any help would be appreciated!

Expert Contributor

Hi @Javert Kirilov,

I was facing this issue when trying to access Livy with Python scripts. Please try something like this, if curl is blocking you.

You may need to install python's requests package.

import json
import requests
from requests_kerberos import HTTPKerberosAuth

# Livy endpoint; replace the placeholders with the real host and port
host = 'http://LIVY_HOST:LIVY_PORT'
data = {'kind': 'spark'}
headers = {'Requested-By': 'MY_USER_ID', 'Content-Type': 'application/json'}
# SPNEGO authentication using the ticket cache populated by kinit
auth = HTTPKerberosAuth()
r0 = requests.post(host + '/sessions', data=json.dumps(data), headers=headers, auth=auth)
r0.json()

Regards,

SS

Contributor

Thanks, @Smart Solutions, will try!

By the way, how did you configure the client's Kerberos keytabs? Is copying the original keytab of HTTP/... to both hosts enough? Since I have no experience working with Kerberos, I have a hunch that my problems are due to some faulty configurations, however, I can't find a proper way to debug it (i.e. to see what's happening in the server and what's not working).

Expert Contributor

Using

auth=HTTPKerberosAuth()

will pass your Kerberos ticket in my understanding. It is similar to --negotiate, in curl.
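
For the debugging question raised in the thread, here is an added example (not part of any post above) that compares the service principal a SPNEGO client will request for a Livy URL with the principal the server holds, and checks klist output for the tickets involved. It assumes `_HOST` expands to the Livy server's own FQDN as in Hadoop and that the client does no DNS canonicalization; the function names, the alias hostname and the klist text are constructed for illustration.

```python
from urllib.parse import urlsplit

def requested_spn(livy_url, realm):
    # SPNEGO clients ask the KDC for HTTP/<host part of the URL>@REALM
    # (assumption: the client does not canonicalize the name through DNS).
    return f"HTTP/{urlsplit(livy_url).hostname}@{realm}"

def server_spn(pattern, server_fqdn):
    # Assumption: _HOST stands for the Livy server's own FQDN, lower-cased.
    return pattern.replace("_HOST", server_fqdn.lower())

def parse_klist(text):
    # Returns (default principal, service principals) from MIT klist output.
    default, services = None, []
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Default principal:"):
            default = parts[-1]
        elif len(parts) == 5 and parts[0][0].isdigit():
            services.append(parts[4])
    return default, services

def diagnose(livy_url, pattern, server_fqdn, klist_text):
    realm = pattern.rsplit("@", 1)[1]
    want, have = requested_spn(livy_url, realm), server_spn(pattern, server_fqdn)
    default, services = parse_klist(klist_text)
    findings = []
    if default is None or f"krbtgt/{realm}@{realm}" not in services:
        findings.append("no TGT for the realm in the ticket cache")
    if want != have:
        findings.append(f"client requests {want} but server key is {have}")
    elif want not in services:
        findings.append(f"no service ticket for {want} yet")
    return findings

# Constructed klist output, not captured from a real system.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: analyst@REALM.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/REALM.COM@REALM.COM
01/01/2024 10:00:05  01/01/2024 20:00:00  HTTP/host-with-livy.com@REALM.COM
"""

if __name__ == "__main__":
    for url in ("http://host-with-livy.com:8998/sessions",
                "http://livy-alias.example:8998/sessions"):
        print(url, diagnose(url, "HTTP/_HOST@REALM.COM", "host-with-livy.com", SAMPLE_KLIST))
```

An empty list means the URL host, the server principal and the ticket cache agree; a mismatch finding points at the hostname used in the URL rather than at the client's keytab.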