
Disable HTTP authentication for Storm UI after kerberos


Hello All,

We have configured the Ranger plugin for Storm authorization, and it's a Kerberos cluster.

We have disabled HTTP authentication by changing the configuration ui.filter to null.

We are able to view the UI, but if we send any request like getTopology, it fails (as the user is considered null).

Curl Output :

HTTP/1.1 500 Server Error

Date: Thu, 11 Jan 2018 21:42:45 GMT

Cache-Control: no-cache, no-store

Content-Type: application/json;charset=utf-8

Content-Length: 5459

Server: Jetty(7.x.y-SNAPSHOT)

{"error":"Internal Server Error","errorMessage":"AuthorizationException(msg:UI request 'getTopology' for 'unknown' user is not authorized)\n\tat org.apache.storm.ui.core$assert_authorized_user.invoke(core.clj:109)\n\tat org.apache.storm.ui.core$fn__10090.invoke(core.clj:1060)

Storm Log :

2018-01-12 08:42:45.723 o.a.r.a.s.a.RangerStormAuthorizer qtp192318053-37 [INFO] NULL User found from principal [null]: Skipping authorization; allowedFlag => [false], Audit Enabled:false

2018-01-12 08:42:45.723 o.a.r.a.s.a.RangerStormAuthorizer qtp192318053-37 [DEBUG] [req 4] Access from: [null] user: [null], op: [getTopology],topology: [crowdstrike] => returns [false], Audit Enabled:false

2018-01-12 08:42:45.723 o.a.r.p.c.RangerPluginClassLoader qtp192318053-37 [DEBUG] ==> RangerPluginClassLoader.deactivate()

2018-01-12 08:42:45.723 o.a.r.p.c.RangerPluginClassLoader qtp192318053-37 [DEBUG] <== RangerPluginClassLoader.deactivate()

2018-01-12 08:42:45.723 o.a.r.a.s.a.RangerStormAuthorizer qtp192318053-37 [DEBUG] <== RangerStormAuthorizer.permit()

2018-01-12 08:42:45.724 o.a.s.s.o.e.j.s.Server qtp192318053-37 [DEBUG] RESPONSE /api/v1/topology/crowdstrike-2-1508896804 500 handled=true

If we configure ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"

The curl output is as expected; we don't get any authorization failure.

We want to disable UI authentication. Is there any way to avoid this issue? Please suggest. Thanks.

Regards,

Prakash R
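
An added example, not part of the original post: a small Python triage script that reads RangerStormAuthorizer decision lines in the format quoted above and separates denials where no identity reached the authorizer (user [null]) from denials of a named user. The function names and the two "alice" sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Decision line format as quoted in the post's Storm log (RangerStormAuthorizer, DEBUG).
DECISION = re.compile(
    r"^\S+ \S+ \S*RangerStormAuthorizer \S+ \[DEBUG\] \[req \d+\] "
    r"Access from: \[(?P<src>[^\]]*)\] user: \[(?P<user>[^\]]*)\], "
    r"op: \[(?P<op>[^\]]*)\],\s*topology: \[(?P<topo>[^\]]*)\] "
    r"=> returns \[(?P<ok>true|false)\]"
)

def classify(line):
    """Return a dict for a decision line, or None for any other log line."""
    m = DECISION.match(line.strip())
    if not m:
        return None
    if m["ok"] == "true":
        verdict = "allowed"
    elif m["user"] in ("", "null"):
        # No principal reached the authorizer: an authentication gap, not a policy hit.
        verdict = "denied-no-identity"
    else:
        verdict = "denied-by-policy"
    return {"user": m["user"], "op": m["op"], "topology": m["topo"], "verdict": verdict}

def summarize(lines):
    """Count decisions per (verdict, op) across an iterable of log lines."""
    counts = Counter()
    for line in lines:
        r = classify(line)
        if r:
            counts[(r["verdict"], r["op"])] += 1
    return counts

PREFIX = "2018-01-12 08:42:45.723 o.a.r.a.s.a.RangerStormAuthorizer qtp192318053-37 "
SAMPLE = [
    # First two lines are from the post; the "alice" lines are constructed.
    PREFIX + "[INFO] NULL User found from principal [null]: Skipping authorization; allowedFlag => [false], Audit Enabled:false",
    PREFIX + "[DEBUG] [req 4] Access from: [null] user: [null], op: [getTopology],topology: [crowdstrike] => returns [false], Audit Enabled:false",
    PREFIX + "[DEBUG] [req 5] Access from: [10.0.0.5] user: [alice], op: [getTopology],topology: [crowdstrike] => returns [false], Audit Enabled:true",
    PREFIX + "[DEBUG] [req 6] Access from: [10.0.0.5] user: [alice], op: [getClusterInfo],topology: [] => returns [true], Audit Enabled:true",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(key, n)
```

A "denied-no-identity" count that tracks UI request volume points at the missing authentication filter rather than at a Ranger policy.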
