HDP 2.5.3 Kerberized getting HTTP 401 error on Oozie UI only

Master Mentor

Oozie UI is the only one I'm getting a 401 on. I enabled SPNEGO and configured my browser (Firefox) to accept the domain, but I'm still getting a 401 error. Any suggestions? The issue is similar to https://community.hortonworks.com/questions/25915/oozie-ui-is-not-accessible-in-kerberised-cluster-t...

1 ACCEPTED SOLUTION

Master Mentor

@Predrag Minovic I changed the following properties:

oozie.service.ProxyUserService.proxyuser.ambari-server-mycluster.groups=*
oozie.service.ProxyUserService.proxyuser.ambari-server-mycluster.hosts=*

based on this JIRA, https://issues.apache.org/jira/browse/FALCON-326, as I was getting the error below in oozie-error.log:

/admin/configuration?doAs=admin] error, User [ambari-server-mycluster] not defined as proxyuser
java.security.AccessControlException: User [ambari-server-mycluster] not defined as proxyuser
        at org.apache.oozie.service.ProxyUserService.validate(ProxyUserService.java:149)
        at org.apache.oozie.servlet.JsonRestServlet.getUser(JsonRestServlet.java:567)

Now I'm able to load Workflow Manager, which was my intended goal, though I didn't specify that in the question. My Oozie UI still doesn't load, but the error message changed to:

HTTP Status 401 - org.apache.hadoop.security.authentication.util.SignerException: Invalid signed text: 

This most likely has to do with all the other properties I was messing with.

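An added example, not part of the original post or of Oozie itself: a small Python check that reads key=value properties in the form shown above and reports which proxyuser entries use the * wildcard, which lets that principal act on behalf of (doAs) users in any group, from any host. The example-svc entry and its host and group names are constructed placeholders.

```python
import re

# Property name pattern used in the post:
# oozie.service.ProxyUserService.proxyuser.<user>.<hosts|groups>
PROXYUSER_RE = re.compile(
    r"^oozie\.service\.ProxyUserService\.proxyuser\.(?P<user>.+)\.(?P<kind>hosts|groups)$"
)

def parse_properties(text):
    """Parse key=value lines (the form shown in the post) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit_proxyusers(props):
    """Return {user: {"hosts": [...], "groups": [...], "findings": [...]}}."""
    report = {}
    for key, value in props.items():
        m = PROXYUSER_RE.match(key)
        if not m:
            continue
        entry = report.setdefault(m["user"], {"hosts": None, "groups": None, "findings": []})
        entry[m["kind"]] = [v.strip() for v in value.split(",") if v.strip()]
    for entry in report.values():
        for kind in ("hosts", "groups"):
            if entry[kind] is None:
                entry["findings"].append(f"{kind} not set")
            elif "*" in entry[kind]:
                entry["findings"].append(f"{kind} is a wildcard")
    return report

# Constructed sample: the two lines from the post, plus a hypothetical
# restricted entry (user, host and group names are placeholders).
SAMPLE = """\
oozie.service.ProxyUserService.proxyuser.ambari-server-mycluster.groups=*
oozie.service.ProxyUserService.proxyuser.ambari-server-mycluster.hosts=*
oozie.service.ProxyUserService.proxyuser.example-svc.hosts=ambari.example.internal
oozie.service.ProxyUserService.proxyuser.example-svc.groups=workflow-users
"""

if __name__ == "__main__":
    for user, entry in audit_proxyusers(parse_properties(SAMPLE)).items():
        print(user, entry["findings"] or "restricted")
```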

4 REPLIES


If this is an HA environment, please follow the steps mentioned here: https://community.hortonworks.com/articles/35019/oozie-ha-configuration-with-kerberos.html

Master Guru

Have you set "network.auth.use-sspi = false" in about:config? SSPI is the default protocol used by Firefox on Windows. Also, if Firefox runs in another (trusted) realm, make sure Firefox negotiates with the Oozie server in the right realm. And if you are on Mac, you need Kerberos on Mac, which is pre-installed if you are on OS X 10.2 and later; otherwise you can get it from here, together with a matching krb5.conf file. Then you do kinit, and retry access from Firefox.

Master Mentor

I'll post this as a separate question.