Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

I've enabled Kerberos in my Sandbox. Once i get a valid token i can connect to any service with in cluster. I think this is because of SPNEGO. Is there any way to disable SPNEGO to all users and let service/batch accounts use it?

Solved Go to solution
Highlighted

I've enabled Kerberos in my Sandbox. Once i get a valid token i can connect to any service with in cluster. I think this is because of SPNEGO. Is there any way to disable SPNEGO to all users and let service/batch accounts use it?

Expert Contributor
 
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: I've enabled Kerberos in my Sandbox. Once i get a valid token i can connect to any service with in cluster. I think this is because of SPNEGO. Is there any way to disable SPNEGO to all users and let service/batch accounts use it?

Super Guru
@Raja Sekhar Chintalapati

It's not because of SPNEGO, its because, once you get authenticated to KDC, you get initial ticket called TGT, using TGT further authentication happens to get Service level ticket.

If you want to decide which user can access what then probably you are looking for authorization and Rager is the solution for you.

Note - SPNEGO provides a mechanism for extending Kerberos to Web applications through the standard HTTP protocol.

Please do let me know if you need any further help.

View solution in original post

3 REPLIES 3
Highlighted

Re: I've enabled Kerberos in my Sandbox. Once i get a valid token i can connect to any service with in cluster. I think this is because of SPNEGO. Is there any way to disable SPNEGO to all users and let service/batch accounts use it?

Super Guru
@Raja Sekhar Chintalapati

It's not because of SPNEGO, its because, once you get authenticated to KDC, you get initial ticket called TGT, using TGT further authentication happens to get Service level ticket.

If you want to decide which user can access what then probably you are looking for authorization and Rager is the solution for you.

Note - SPNEGO provides a mechanism for extending Kerberos to Web applications through the standard HTTP protocol.

Please do let me know if you need any further help.

View solution in original post

Re: I've enabled Kerberos in my Sandbox. Once i get a valid token i can connect to any service with in cluster. I think this is because of SPNEGO. Is there any way to disable SPNEGO to all users and let service/batch accounts use it?

Expert Contributor

thank you, this gives me a good idea. let me play with ranger and see what i can accomplish

Highlighted

Re: I've enabled Kerberos in my Sandbox. Once i get a valid token i can connect to any service with in cluster. I think this is because of SPNEGO. Is there any way to disable SPNEGO to all users and let service/batch accounts use it?

Super Guru

@Kuldeep Kulkarni great stuff. I find myself getting this confused as well.

Don't have an account?
Coming from Hortonworks? Activate your account here