Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Configuring ambari views on Kerberized Cluster

avatar
Rising Star

Hi Folks,

In the kerberized cluster, we integrated AD for Ambari authentication. Using the AD users, I am able to login to Ambari. But when I log in by default it lands on the views. But When I click any of the views, I see an error.

500 Authentication requiredCollapse Stack Trace

org.apache.hadoop.security.AccessControlException: Authentication required at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:334)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:91) 
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:608) 
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:458) 
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:487)

While configuring the file view here are the properties I've used :

Settings:

WebHDFS Username ${username}

WebHDFS Authorization = auth=KERBEROS;proxyuser=admin

Cluster Configuration

Related to the cluster HDFS and name node details.

After Kerberization I created a user "ambari­-user/ambari-Host_name_here@KDCRealm.com

And also created a key tab, copied on the ambari -server machine.

Stopped Ambari server and then

$ambari­-server setup­security

Specified the keytab of the Ambari-user (newly created the User in KDC) and started the Ambari-Server.

Trying to access the Ambari -view but getting the above error.

Did any one face similar issue?

I am following the HDP documention section Configuring Ambari User Views with a Secure Cluster : http://hortonworks.com/wp-content/uploads/2015/04/AmbariUserViewsTechPreview_v1.pdf

Regards,

DP

1 ACCEPTED SOLUTION

avatar
Master Mentor
@Darpan Patel

http://docs.hortonworks.com/HDPDocuments/Ambari-2....

If the cluster your views will communicate with is Kerberos-enabled, you need to configure the Ambari Server instance(s) for Kerberos and be sure to configure the views to work with Kerberos.

View solution in original post

25 REPLIES 25

avatar
Rising Star

Thanks @Predrag Minovic

Indeed this is quite detailed. I've a user ambariserver and principal ambariserver/ambari_host_name@KDCRealm.com

I also verified following two properties are added in the custom core site.

hadoop.proxyuser.ambariserver.groups=*
hadoop.proxyuser.ambariserver.hosts=*

PIG/Hive view, I've added following two properties in the webhcat-site.xml

webhcat.proxyuser.ambariserver.groups=*
webhcat.proxyuser.ambariserver.hosts=*

Accessing the Hive View we see error.

H020 Could not establish connecton to HiveServer2_HOST:10000:org.apache.thrift.transport.TTransportException

avatar
Master Guru

Okay, what's the status of the Files view now? Can you now browse the files? Also try to restart ambari-server just in case.

Regarding Hive error, what's your Hive transport mode, binary or http? Only Hive view packaged with Ambari-2.1.2.1 (and I guess 2.2) supports http mode, old Ambari versions support only binary mode.

avatar
Rising Star

@Predrag Minovic

The hive.server2.transport.mode is set to http. File explorer is working. We are on Ambari version: 2.1.2 Thank you. Is there any thing possibly missing?

avatar
Master Guru

Is there any special reason you are using http Hive transport mode? [For example, Knox requires http mode.] If not, then set the transport mode to binary and Hive view should work. If you want to keep the http transport than you need Ambari-2.1.2.1 or 2.2.

avatar
Master Guru

@Darpan Patel Regarding NN HA support, as I mentioned above, based on our recent experience with Ambari-2.1.2.1 in a kerberized cluster, Files and Hive views support NN HA, while Pig view doesn't. I haven't had time to explore Ambari-2.2 yet.

avatar
Rising Star

@Darpan Patel

Darpan, I have one question related to what you did. I am newbie to Kerberos. I am actually running a similar configuration, where I have AD that holds all principals. Regarding what you have said:

>>After Kerberization I created a user "ambari­-user/ambari-Host_name_here@KDCRealm.com

you did this in the AD right ?

>>And also created a key tab, copied on the ambari -server machine

How did you do that? You created the keytab at the ambari-server host ? or created it in AD and somehow you copied the keytab to /etc/security/keytabs of your ambari server host ?