HDFS with kerberos authorization access test


New Contributor

Hi Guys,

Question:

If I want to test the LDAP users with kerberos authorization to access the HDFS, how could I do this?

Version:

My Ambari server version is 2.5.0.3, HDP 2.6.0.3-8

Descriptions:

I already set up the Ambari server and enabled Kerberos and LDAP. Now I want to test authorization on the HDFS view. I created an instance from "Manage Ambari" => "Views" => "FILES" => Create Instance and set some permissions. I set the "WebHDFS authorization" setting to auth=KERBEROS;* and set an LDAP user ID.

But when I change the user ID to log in to the Ambari server, it can't be used.

Service checks completed.

Error message:

Failed to transition to undefined

Usernames not matched: name=root != expected=ambari-server-c1

PS. Before testing, I used kinit, created the user's keytab and put it in /etc/security/keytabs/, and verifying the keytab didn't show any error message.

Accepted Solution

Re: HDFS with kerberos authorization access test

Super Mentor

You should use the Ambari Server user principal to set up the "proxyuser".

If your cluster is configured for Kerberos, double-check the WebHDFS Authorization setting and confirm the "proxyuser=" part of the string is set to the Ambari Server principal name.

Example:
auth=KERBEROS;proxyuser=ambari-server-c1

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-views/content/Troubleshooting.htm...

You can find the Ambari Server principal inside this file, like:

# cat /etc/ambari-server/conf/krb5JAASLogin.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/ambari.server.keytab"
    principal="ambari-server-c1@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false;
};


Re: HDFS with kerberos authorization access test

Super Mentor

You will also need to set up the HDFS proxyuser property as described in:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-views/content/configuring_your_cl...

Example: Assuming your ambari server principal name is "ambari-server-c1"

hadoop.proxyuser.ambari-server-c1.groups=*
hadoop.proxyuser.ambari-server-c1.hosts=*

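As an added example (not part of this thread and not Ambari's own code), a small Python helper that pulls the principal out of a constructed copy of krb5JAASLogin.conf, strips the realm to get the proxyuser short name, builds the WebHDFS Authorization string, and reports which of the two hadoop.proxyuser keys are missing from a core-site properties dict; the name pattern it enforces is the one Ambari quotes in the validation error later in this thread, and SAMPLE_JAAS and the core-site dict are constructed inputs.

```python
import re

# Constructed sample mirroring the /etc/ambari-server/conf/krb5JAASLogin.conf shown above
SAMPLE_JAAS = '''com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    useKeyTab=true
    keyTab="/etc/security/keytabs/ambari.server.keytab"
    principal="ambari-server-c1@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false;
};
'''

# The user-name pattern Ambari quotes when it rejects a proxyuser value (from the error in this thread)
PROXYUSER_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*[$]?$")


def ambari_principal(jaas_text):
    """Return the principal from the JAAS 'initiate' section, or None if it is missing."""
    m = re.search(r'principal\s*=\s*"([^"]+)"', jaas_text)
    return m.group(1) if m else None


def short_name(principal):
    """Drop the realm and any /instance part: 'ambari-server-c1@EXAMPLE.COM' -> 'ambari-server-c1'."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def is_valid_proxyuser(name):
    """True if Ambari would accept this proxyuser= value (a full principal fails: '@' is not allowed)."""
    return PROXYUSER_PATTERN.match(name) is not None


def webhdfs_authorization(name):
    """Build the Files view 'WebHDFS Authorization' string, refusing values Ambari would reject."""
    if not is_valid_proxyuser(name):
        raise ValueError(f'"{name}" does not belong to the domain {PROXYUSER_PATTERN.pattern}')
    return f"auth=KERBEROS;proxyuser={name}"


def missing_proxyuser_props(name, core_site):
    """List the hadoop.proxyuser.<name>.{groups,hosts} keys absent from a core-site properties dict.
    Both must be present for the view to impersonate LDAP users; hosts can be narrowed to the
    Ambari Server host instead of '*' where the deployment allows it."""
    wanted = [f"hadoop.proxyuser.{name}.groups", f"hadoop.proxyuser.{name}.hosts"]
    return [k for k in wanted if k not in core_site]


if __name__ == "__main__":
    name = short_name(ambari_principal(SAMPLE_JAAS))
    print(webhdfs_authorization(name))
    # Constructed core-site with only one of the two required properties set
    print(missing_proxyuser_props(name, {f"hadoop.proxyuser.{name}.hosts": "*"}))
```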

Re: HDFS with kerberos authorization access test

New Contributor

Dear Jay,

Oh!! Thank you very much.

I think I should enter the limited user, so I just entered "auth=KERBEROS;proxyuser=ambari1" or "auth=KERBEROS;proxyuser=ambari1@example.com" into the field.

It shows the error message:

Invalid value: "ambari1@example.com" does not belong to the domain ^[A-Za-z_][A-Za-z0-9._-]*[$]?$

Then I watched your answer again and checked the config file "/etc/ambari-server/conf/krb5JAASLogin.conf".

After I changed it to the right principal name "auth=KERBEROS;proxyuser=ambari-server-c1", it works now!!!!

Thank you very much !!! :)
