Created 12-21-2015 05:56 PM
Hi Folks,
In the kerberized cluster, we integrated AD for Ambari authentication. Using the AD users, I am able to log in to Ambari. But when I log in, by default it lands on the views. But when I click any of the views, I see an error.
500 Authentication required
org.apache.hadoop.security.AccessControlException: Authentication required
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:334)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:91)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:608)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:458)
    at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner$1.run(WebHdfsFileSystem.java:487)
While configuring the file view here are the properties I've used :
Settings:
WebHDFS Username ${username}
WebHDFS Authorization = auth=KERBEROS;proxyuser=admin
Cluster Configuration
Related to the cluster HDFS and name node details.
After Kerberization I created a user "ambari-user/ambari-Host_name_here@KDCRealm.com"
And also created a keytab, copied on the ambari-server machine.
Stopped Ambari server and then
$ ambari-server setup-security
Specified the keytab of the Ambari-user (newly created the User in KDC) and started the Ambari-Server.
Trying to access the Ambari view but getting the above error.
Did anyone face a similar issue?
I am following the HDP documentation section Configuring Ambari User Views with a Secure Cluster : http://hortonworks.com/wp-content/uploads/2015/04/AmbariUserViewsTechPreview_v1.pdf
Regards,
DP
Created 12-21-2015 06:13 PM
http://docs.hortonworks.com/HDPDocuments/Ambari-2....
If the cluster your views will communicate with is Kerberos-enabled, you need to configure the Ambari Server instance(s) for Kerberos and be sure to configure the views to work with Kerberos.
Created 12-23-2015 02:51 PM
Thanks @Predrag Minovic
Indeed this is quite detailed. I've a user ambariserver and principal ambariserver/ambari_host_name@KDCRealm.com
I also verified that the following two properties are added in the custom core-site.
hadoop.proxyuser.ambariserver.groups=*
hadoop.proxyuser.ambariserver.hosts=*
For the Pig/Hive view, I've added the following two properties in webhcat-site.xml
webhcat.proxyuser.ambariserver.groups=*
webhcat.proxyuser.ambariserver.hosts=*
Accessing the Hive View, we see an error.
H020 Could not establish connecton to HiveServer2_HOST:10000:org.apache.thrift.transport.TTransportException
Created 12-23-2015 03:06 PM
Okay, what's the status of the Files view now? Can you now browse the files? Also try to restart ambari-server just in case.
Regarding Hive error, what's your Hive transport mode, binary or http? Only Hive view packaged with Ambari-2.1.2.1 (and I guess 2.2) supports http mode, old Ambari versions support only binary mode.
Created 12-23-2015 03:39 PM
The hive.server2.transport.mode is set to http. File explorer is working. We are on Ambari version: 2.1.2. Thank you. Is there anything possibly missing?
Created 12-23-2015 04:14 PM
Is there any special reason you are using http Hive transport mode? [For example, Knox requires http mode.] If not, then set the transport mode to binary and Hive view should work. If you want to keep the http transport, then you need Ambari-2.1.2.1 or 2.2.
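The two checks discussed in the posts above (proxyuser entries for the Ambari principal, and Hive transport mode against the Ambari version), as an added example that is not part of any post in this thread. The function names and the sample XML are constructed for illustration, and `short_name` assumes the default principal-to-user mapping.

```python
import xml.etree.ElementTree as ET

# Constructed sample input (not taken from the poster's cluster).
CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.ambariserver.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.ambariserver.hosts</name><value>*</value></property>
</configuration>"""
HIVE_SITE = """<configuration>
  <property><name>hive.server2.transport.mode</name><value>http</value></property>
</configuration>"""

def load_props(xml_text):
    """Parse Hadoop-style *-site.xml text into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def short_name(principal):
    """Assumption: default auth_to_local mapping, 'user/host@REALM' -> 'user'."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def check_proxyuser(props, principal, prefix="hadoop.proxyuser"):
    """Report MISSING / WILDCARD / OK for the hosts and groups proxyuser keys."""
    user = short_name(principal)
    findings = {}
    for suffix in ("hosts", "groups"):
        key = f"{prefix}.{user}.{suffix}"
        value = props.get(key)
        if value is None:
            findings[key] = "MISSING"
        elif value == "*":
            findings[key] = "WILDCARD"  # works, but not limited to specific hosts/groups
        else:
            findings[key] = "OK"
    return findings

def hive_view_supports(props, ambari_version):
    """Per the thread: http transport needs Ambari 2.1.2.1 or 2.2; binary works."""
    mode = props.get("hive.server2.transport.mode", "binary")
    if mode != "http":
        return True
    parts = tuple(int(x) for x in ambari_version.split("."))
    return parts >= (2, 1, 2, 1)

if __name__ == "__main__":
    principal = "ambariserver/ambari_host_name@KDCRealm.com"
    for key, status in check_proxyuser(load_props(CORE_SITE), principal).items():
        print(status, key)
    print("Hive view OK on 2.1.2:", hive_view_supports(load_props(HIVE_SITE), "2.1.2"))
```

Pass `prefix="webhcat.proxyuser"` with the parsed webhcat-site.xml to run the same check for the Pig/Hive view properties.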
Created 12-24-2015 04:53 AM
@Darpan Patel Regarding NN HA support, as I mentioned above, based on our recent experience with Ambari-2.1.2.1 in a kerberized cluster, Files and Hive views support NN HA, while Pig view doesn't. I haven't had time to explore Ambari-2.2 yet.
Created 01-04-2016 09:46 PM
Darpan, I have one question related to what you did. I am a newbie to Kerberos. I am actually running a similar configuration, where I have AD that holds all principals. Regarding what you have said:
>>After Kerberization I created a user "ambari-user/ambari-Host_name_here@KDCRealm.com
You did this in the AD, right?
>>And also created a key tab, copied on the ambari -server machine
How did you do that? Did you create the keytab at the ambari-server host, or did you create it in AD and somehow copy the keytab to /etc/security/keytabs of your ambari server host?