Support Questions
Find answers, ask questions, and share your expertise

I installed storm with ambari and enabled kerberos, but storm-ui can not be viewed.

Explorer

I installed storm with ambari cluster and enabled kerberos. But I can not view storm ui, it returns 403 status. I find that in /etc/storm/2.6.3.0-235/0/storm_jaas.conf, it does not have config of storm ui, I can not find any content about spnego.service.keytab. And every time I change the storm_jaas.conf, it will be overwrite by ambari. The content is that:

StormServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/nimbus.service.keytab"
   storeKey=true
   useTicketCache=false
   principal="nimbus/am1.ics.com@ICS.COM";
};
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="nimbus"
   principal="storm-ics_bigdata@ICS.COM";
};
RegistryClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   principal="storm-ics_bigdata@ICS.COM";
};
com.sun.security.jgss.krb5.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    renewTGT=false
    doNotPrompt=true
    useKeyTab=true
    keyTab="/etc/security/keytabs/nimbus.service.keytab"
    principal="nimbus/am1.ics.com@ICS.COM"
    storeKey=true
    useTicketCache=false;
};

Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="zookeeper"
   principal="storm-ics_bigdata@ICS.COM";
};


KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="kafka"
   principal="storm-ics_bigdata@ICS.COM";
};


But in the ambari storm config, it shows that in the image attached.

And the storm in ambari shows warning of supervisor that "Connection failed: [Errno 111] Connection refused to am3.ics.com:56431" all the time.

Who can help me about storm in ambari with kerberos enabled?

67468-微信截图-20180401102058.png

2 REPLIES 2

@Wang Ao,

You have to enable SPNEGO authentication to see the UI in kerberized environment. Please follow the steps mentioned in the doc.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/ch_enable_spnego_auth_f...

.

-Aditya

Explorer

Hello, thank you for helping me. I have tried to follow the instructions in the guide book. But I still can not view storm ui, and besides the hadoop have the following warnings:

64981-微信截图-20180402102442.png

Could you please tell you what's wrong with it?