Support Questions

Find answers, ask questions, and share your expertise

HDFS with kerberos authorization access test

New Contributor

Hi Guys,

Question:

If I want to test the LDAP users with kerberos authorization to access the HDFS, how could I do this?

Version:

My Ambar server Version is 2.5.0.3、HDP 2.6.0.3-8

Descriptions:

I already set up the Ambari server and enable Kerberos and LDAP. Now I want to test authorization on the HDFS view. I create Instance from "Manage Ambari" => "Views" => "FILES" => Create Instance and set some permissions . I set up the setting "WebHDFS authorization" = auth=KERBEROS;* and set an LDAP user ID.

But when I change the User ID to log in Ambari server, it can't be used

Service checks completed.

Error message:

Failed to transition to undefined

Usernames not matched: name=root != expected=ambari-server-c1

PS. Before testing, I used kinit created the user's keytab and put it on /etc/security/keytabs/ file, and Verify the keytab it didn't show any error message.

1 ACCEPTED SOLUTION

Super Mentor

You should use AmbariServer user principal to setup the "proxyuser".

If your cluster is configured for Kerberos, double-check WebHDFS Authorization setting and confirm the “proxyuser=” part of the string is set to the Ambari Server principal name.

Example:
auth=KERBEROS;proxyuser=ambari-server-c1

.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-views/content/Troubleshooting.htm...

.

You can find the ambari server principal inside the file like:

# cat /etc/ambari-server/conf/krb5JAASLogin.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/ambari.server.keytab"
    principal="ambari-server-c1@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false;
};

.

View solution in original post

3 REPLIES 3

Super Mentor

You should use AmbariServer user principal to setup the "proxyuser".

If your cluster is configured for Kerberos, double-check WebHDFS Authorization setting and confirm the “proxyuser=” part of the string is set to the Ambari Server principal name.

Example:
auth=KERBEROS;proxyuser=ambari-server-c1

.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-views/content/Troubleshooting.htm...

.

You can find the ambari server principal inside the file like:

# cat /etc/ambari-server/conf/krb5JAASLogin.conf
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/ambari.server.keytab"
    principal="ambari-server-c1@EXAMPLE.COM"
    storeKey=true
    useTicketCache=false;
};

.

Super Mentor

You will also need to setup the HDFS proxyuser property as described in:

https://docs.hortonworks.com/HDPDocuments/Ambari-2.5.2.0/bk_ambari-views/content/configuring_your_cl...

Example: Assuming your ambari server principal name is "ambari-server-c1"

hadoop.proxyuser.ambari-server-c1.groups=*
hadoop.proxyuser.ambari-server-c1.hosts=*

.

New Contributor

Dear Jay,

Oh!! Thank you very much.

I think I should enter the limited user, so I just entered "auth=KERBEROS;proxyuser=ambari1" or "auth=KERBEROS;proxyuser=ambari1@example.com" into the field.

It shows the error message:

Invalid value: "ambari1@example.com" does not belong to the domain ^[A-Za-z_][A-Za-z0-9._-]*[$]?$

Then I wahched your answer again, and check config file "/etc/ambari-server/conf/krb5JAASLogin.conf" .

After I changed the right principal name "auth=KERBEROS;proxyuser=ambari-server-c1" . It's work now !!!!

Thank you very much !!! 🙂

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.