Support Questions

Find answers, ask questions, and share your expertise

Configuring ambari views on Kerberized Cluster

Explorer

Hi Folks,

In the kerberized cluster, we integrated AD for Ambari authentication. Using the AD users, I am able to login to Ambari. But when I log in by default it lands on the views. But When I click any of the views, I see an error.

500 Authentication requiredCollapse Stack Trace

org.apache.hadoop.security.AccessControlException: Authentication required at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:334)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:91) 
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:608) 
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:458) 
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:487)

While configuring the file view here are the properties I've used :

Settings:

WebHDFS Username ${username}

WebHDFS Authorization = auth=KERBEROS;proxyuser=admin

Cluster Configuration

Related to the cluster HDFS and name node details.

After Kerberization I created a user "ambari­-user/ambari-Host_name_here@KDCRealm.com

And also created a key tab, copied on the ambari -server machine.

Stopped Ambari server and then

$ambari­-server setup­security

Specified the keytab of the Ambari-user (newly created the User in KDC) and started the Ambari-Server.

Trying to access the Ambari -view but getting the above error.

Did any one face similar issue?

I am following the HDP documention section Configuring Ambari User Views with a Secure Cluster : http://hortonworks.com/wp-content/uploads/2015/04/AmbariUserViewsTechPreview_v1.pdf

Regards,

DP

1 ACCEPTED SOLUTION

@Darpan Patel

http://docs.hortonworks.com/HDPDocuments/Ambari-2....

If the cluster your views will communicate with is Kerberos-enabled, you need to configure the Ambari Server instance(s) for Kerberos and be sure to configure the views to work with Kerberos.

View solution in original post

25 REPLIES 25

Okay, what's the status of the Files view now? Can you now browse the files? Also try to restart ambari-server just in case.

Regarding Hive error, what's your Hive transport mode, binary or http? Only Hive view packaged with Ambari-2.1.2.1 (and I guess 2.2) supports http mode, old Ambari versions support only binary mode.

Explorer

@Predrag Minovic

The hive.server2.transport.mode is set to http. File explorer is working. We are on Ambari version: 2.1.2 Thank you. Is there any thing possibly missing?

Is there any special reason you are using http Hive transport mode? [For example, Knox requires http mode.] If not, then set the transport mode to binary and Hive view should work. If you want to keep the http transport than you need Ambari-2.1.2.1 or 2.2.

@Darpan Patel Regarding NN HA support, as I mentioned above, based on our recent experience with Ambari-2.1.2.1 in a kerberized cluster, Files and Hive views support NN HA, while Pig view doesn't. I haven't had time to explore Ambari-2.2 yet.

Contributor

@Darpan Patel

Darpan, I have one question related to what you did. I am newbie to Kerberos. I am actually running a similar configuration, where I have AD that holds all principals. Regarding what you have said:

>>After Kerberization I created a user "ambari­-user/ambari-Host_name_here@KDCRealm.com

you did this in the AD right ?

>>And also created a key tab, copied on the ambari -server machine

How did you do that? You created the keytab at the ambari-server host ? or created it in AD and somehow you copied the keytab to /etc/security/keytabs of your ambari server host ?

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.