Hello,
I have a KDC sitting on an existing Active Directory instance and have successfully installed kerberos in Hadoop and have been using this successfully with the command line.
However, I cannot get it working with Hue.
I have HA configured therefore have installed and configured Hadoop-HTTPFS. This is working via command line:
hue@edge:~$ kinit -kt /etc/security/keytabs/hue.service.keytab hue
hue@edge:~$ curl -i --negotiate -u : "http://edge:14000/webhdfs/v1/user/?op=LISTSTATUS"
HTTP/1.1 200 OK
......{"FileStatuses":{"FileStatus":[{"pathSuffix":"ambari-qa",...... etc
However when I log into Hue, I first see the "Cannot create home directory" error and then when I try to access the Filebrowser tab, this appears in the server logs:
[04/Jul/2016 08:45:32 -0700] middleware INFO Processing exception: Cannot access: /user/daleb. Note: you are a Hue admin but not a HDFS superuser, "hdfs" or part of HDFS supergroup, "hdfs".: Traceback (most recent call last):
File "/opt/hue/build/env/local/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/core/handlers/base.py", line 112, in get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/opt/hue/build/env/local/lib/python2.7/site-packages/Django-1.6.10-py2.7.egg/django/db/transaction.py", line 371, in inner
return func(*args, **kwargs)
File "/opt/hue/apps/filebrowser/src/filebrowser/views.py", line 108, in index
return view(request, path)
File "/opt/hue/apps/filebrowser/src/filebrowser/views.py", line 186, in view
raise PopupException(msg , detail=e)
PopupException: Cannot access: /user/daleb. Note: you are a Hue admin but not a HDFS superuser, "hdfs" or part of HDFS supergroup, "hdfs".
[04/Jul/2016 08:45:32 -0700] webhdfs ERROR Failed to determine superuser of WebHdfs at http://edge:14000/webhdfs/v1/: Unable to authenticate <Response [401]>
Traceback (most recent call last):
File "/opt/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 149, in superuser
sb = self.stats('/')
File "/opt/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 236, in stats
res = self._stats(path)
File "/opt/hue/desktop/libs/hadoop/src/hadoop/fs/webhdfs.py", line 230, in _stats
raise ex
WebHdfsException: Unable to authenticate <Response [401]>
[04/Jul/2016 08:45:32 -0700] kerberos_ ERROR handle_mutual_auth(): Mutual authentication failed
[04/Jul/2016 08:45:32 -0700] kerberos_ ERROR authenticate_server(): authGSSClientStep() failed:
Traceback (most recent call last):
File "/opt/hue/build/env/local/lib/python2.7/site-packages/requests_kerberos-0.6.1-py2.7.egg/requests_kerberos/kerberos_.py", line 229, in authenticate_server
_negotiate_value(response))
GSSError: (('Unspecified GSS failure. Minor code may provide more information', 851968), ('Bad format in credentials cache', -1765328185))
I have the proxy user configurations set up.
I have created the `hue_krb5_ccache` file but also notice this:
hue@edge:/tmp$ klist -k hue_krb5_ccache
Keytab name: FILE:hue_krb5_ccache
klist: Unsupported key table format version number while starting keytab scan
hue@edge:/tmp# kinit -f -c hue_krb5_ccache
klist: Bad format in credentials cache while setting cache flags (ticket cache FILE:/tmp/hue_krb5_ccache)
Does anyone have any suggestions? I've seen few things regarding the kt_renewer but not quite sure where that fits in with my architecture.
Thanks.
