Created 12-05-2017 03:24 PM
I was following the blog by Bryan Bende https://bryanbende.com/development/2016/08/31/apache-nifi-1.0.0-kerberos-authentication and I was able to successfully set up a docker-machine boot2docker and KDC and have configured my browsers to authenticate via SPNEGO. However, when I restarted my OSX I could no longer get NiFi to authenticate via SPNEGO...
So I tried:
docker-machine start boot2docker
eval "$(docker-machine env boot2docker)"
But this gave me an error:
Error checking TLS connection: Error checking and/or regenerating the certs: There was an error validating certificates for host "192.168.99.100:2376": dial tcp 192.168.99.100:2376: i/o timeout
You can attempt to regenerate them using 'docker-machine regenerate-certs [name]'.
Be advised that this will trigger a Docker daemon restart which will stop running containers.
So I tried:
docker-machine rm boot2docker
docker-machine create --driver virtualbox boot2docker
docker-machine env boot2docker
eval $(docker-machine env boot2docker)
./kdc stop
./kdc clean
./kdc build
./kdc start
$(./kdc shellinit)
kinit bbende@NIFI.APACHE.ORG
When I run klist:
klist
Credentials cache: API:5D669ADD-9028-441F-A6E0-C2C78DA04CC5
        Principal: bbende@NIFI.APACHE.ORG

  Issued                Expires               Principal
Dec  4 10:12:29 2017  Dec 31 20:12:27 2017  krbtgt/NIFI.APACHE.ORG@NIFI.APACHE.ORG
So I think I have everything running correctly now but the browsers will not authenticate. Does anyone have any suggestions?
Created 12-05-2017 03:36 PM
Hi @Scott Aslan,
I have seen this behavior before. Those steps to re-initialize your KDC environment are correct. However, it appears on some Mac machines the native library that is used by browsers for kerberos/spnego authentication can get into a bad state, possibly caching values. For me, the current version of Chrome seems to be especially finicky with Kerberos, but relaunching the browsers seems to fix this issue.
Try this:
1. Close all browsers (Chrome, Firefox, Safari, etc.)
2. In the shell that you ran $(./kdc shellinit), relaunch your browser from the terminal using the `open` command:
open /Applications/Firefox.app
or
open /Applications/Google\ Chrome.app
This is because your krb5.conf file is not in the default location, so launching the browser from the shell that has the KDC environment variables should point the browser to the correct configuration file and keytab.
Hope this helps!
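The reply above depends on the browser inheriting the Kerberos environment of the shell it is launched from. As an added example (not part of the original thread or of the blog's kdc script), the following checks that environment before running `open`; it assumes the shell init exports the standard `KRB5_CONFIG` variable, and the helper names `krb_default_realm`, `krb_preflight` and `krb_have_ticket` are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: preflight check before launching a browser for SPNEGO.
# Assumption: the KDC shell init exports KRB5_CONFIG, the standard variable
# for a krb5.conf that is not in the default location.

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb_default_realm() {
  awk '
    /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_lib && /^[ \t]*default_realm[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
    }' "$1"
}

# Check that this shell would hand a browser the expected Kerberos config.
# Returns 0 = ok, 1 = KRB5_CONFIG unset, 2 = file unreadable, 3 = realm mismatch.
krb_preflight() {
  kp_expected=$1
  [ -n "${KRB5_CONFIG:-}" ] || {
    echo "KRB5_CONFIG is not set in this shell" >&2; return 1; }
  [ -r "$KRB5_CONFIG" ] || {
    echo "cannot read $KRB5_CONFIG" >&2; return 2; }
  kp_realm=$(krb_default_realm "$KRB5_CONFIG")
  [ "$kp_realm" = "$kp_expected" ] || {
    echo "default_realm is '$kp_realm', expected '$kp_expected'" >&2; return 3; }
  return 0
}

# klist -s prints nothing and exits non-zero when the credential cache
# holds no valid ticket, which means kinit has to be run again.
krb_have_ticket() {
  klist -s
}

# Typical use, in the same shell that ran $(./kdc shellinit):
#   krb_preflight NIFI.APACHE.ORG && krb_have_ticket && open /Applications/Firefox.app
```

A return code of 1 from `krb_preflight` is the situation described in the thread: the browser was started from a shell (or the Dock) that never received the KDC environment variables.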
Created 12-05-2017 03:46 PM
Awesome! Thanks @kdoran this was exactly what was required!
Created 03-30-2019 02:48 AM
My SPNEGO is not working; my settings are exactly like @Scott Aslan's.
What I have observed is that if you log in using username/password the first time, and then clear the browser cache and launch NiFi, it will not show the login page until you do kinit again. Once you do kinit, it will present the login screen again the next time you launch NiFi. I have always launched from the terminal after seeing this post, @kdoran. How can I avoid the login page using SPNEGO?
Using Firefox and NiFi version 1.9.0.
Created 04-01-2019 01:41 PM
@Samar Aarkotti I think to have it work reliably you need to put your krb5.conf settings in the default location. Note that the settings above are just useful for development and testing, which is why those settings for custom locations are needed. Hope this helps.
Created 04-01-2019 04:07 PM
Thanks @kdoran. Currently I am doing a POC in the development environment itself, and SPNEGO is not working. I tried various methods to make it work: deleting authorizations.xml, users.xml, the flowfiles archive, etc., and restarted everything again.
But SPNEGO is not working. When I launch NiFi it always shows the login page. I tried with all browsers. Am I missing something here?
Posted the same question separately:
https://community.hortonworks.com/questions/243723/kerberos-spnego-authentication.html