Clear and working Kerberos Setup for Ambari Server needed

Contributor

Hello Folx,

Like many before me, I got stuck during the Kerberos setup with the non-working Views due to the missing kerberized Ambari Server itself. After several and various attempts, the Ambari-server is finally destroyed beyond repair.

So,

Can someone please check if these steps are correct?

- I'm using the current HDP 2.5 Stack with Ambari 2.4.1 on CentOS 6.8

- Set up Ambari again (clear logs, etc.) with 7 nodes.

- Ambari-Server is (and will be) running as root

- Node0 - Node6 for the Hadoop Cluster, while Node0 is my Ambari-Server.

- Node7 is the Kerberos KDC and Kadmin Server

After getting the Ambari Server running in a basic configuration (hdfs, yarn, tez, mapreduce2), what are the precise next steps?

1. Do I have to create the Ambari-server principal or not? According to the Kerberos Automated Wizard, everything will be taken care of, which it is not. It seems it has to be created manually anyway, as described in:

https://community.hortonworks.com/questions/73783/kerberos-wizard-does-not-kerberize-ambari.html

2. If I have to do that manually, what are the commands to - precisely - do that? Which user do I use to get the Ambari server itself kerberized?

My Ambari-Server runs as: root

My Ambari Dashboard user is: admin

Since my Kerberos server is not part of the Hadoop deployment, I understand that I have to copy the keytab file created on Node7 (KDC) to my Node0 (Ambari-server).

3. If that is running well, how do I fix that HTTP Error 401, which will no doubt come? Did I fix that with point 2 already?

4. If that is working, I'll need to switch the entire Ambari server to Kerberos by:

# ambari-server setup-security -> 3. Setup Kerberos & Jaas, or do I have to do that earlier?

When I did that, it was not working due to an incorrect setup of the Ambari principal. I also found out how to disable that "Setup Security" in the /etc/ambari-server/conf/ambari.properties file.

5. Set up SPNEGO

http://dev.hortonworks.com.s3.amazonaws.com/HDPDocuments/HDP2/HDP-2.5.0/bk_security/content/_configu...

6. My browser is on my Windows workstation while my Ambari-Server is hosted.

Do I need to prepare my browsers "somehow", or do I have to hack my hadoop.auth cookie in order to ingest the used Kerberos token which I see when I do a curl on the console?

Are these steps correct in that order? Did I miss something?

My goal is: clicking on the various Quicklinks in my kerberized Ambari-Server and not getting a 401 HTTP error.

Thank you very much,

Best Regards,

Normen

3 REPLIES 3

Mentor

Start with the proper version of Ambari, 2.4.2; it is the recommended stable version. Steps 1-5 should be taken care of by the automated Kerberos wizard; run step 4 before step 3. Then restart the Ambari server to pick up the principal. After that, go on to step 6.

@Normen Zoch

If your problem is only accessing the Quicklinks (Service URLs), then you can fix that problem by following the https://community.hortonworks.com/articles/76873/configure-mac-and-firefox-to-access-hdphdf-spnego.h... article.

Here is the better approach:

1. If you have Ambari 2.4.2 - you don't need to create a separate principal for Ambari and configure it manually - it takes care of that when you Kerberize the cluster itself.

2. You don't need to kerberize the Ambari-server to access quick links - it is needed to work with some of the views/alerts stuff like that.

My understanding is that you have the cluster running kerberized - just following the above document should resolve the issue.

Contributor

Hello Guys and thanks for the fast reply.

Currently, while upgrading to 2.4.2, the issue of not having the Ambari server principal created still exists.

It happens precisely as is described in:

https://community.hortonworks.com/questions/73783/kerberos-wizard-does-not-kerberize-ambari.html

During Kerberos setup, the setup process "Configure Ambari Identity" fails and a retry works, but while performing the retry, no ambari-server principal is created. This is clearly a bug.

I would recommend adding the sudo check of the Ambari server user when starting the Kerberos wizard, like you can in the Ambari setup when performing the cleanup Python script, where you can re-run the check. Like that.

I will destroy the Ambari Server again, set up Kerberos again and see how far I get this time, having

http://docs.hortonworks.com/HDPDocuments/Ambari-2.4.2.0/bk_ambari-security/content/sudoer_configurat... in mind.

I'll keep you posted.

Regards,

Normen
