Hello all!
This is my first question here! I am trying to set up a secure cluster using Kerberos. I have already installed my own Kerberos server, and it works like a charm on the console.
The problem comes when I try to access the Hadoop component UIs (HDFS, Hive, etc.). I know I need to configure my browsers, and there is the problem.
I have downloaded the MIT Kerberos ticket system for Windows 10, installed it, and configured the krb5.ini file. It is generating the Kerberos ticket perfectly (visually, I can see that it generated it).
I have been following the instructions for configuring browsers to access a Kerberized cluster (link), and also external sources like this one (this last one made me realize I need to write down the KDC address, but I actually have included all of them), or this.
Firefox
network.negotiate-auth.delegation-uris = http://192.168.0.30, http://192.168.0.50, http://192.168.0.81, http://192.168.0.101, http://192.168.0.102, 192.168.0.30, 192.168.0.81, 192.168.0.101, 192.168.0.102, 192.168.0.50
network.negotiate-auth.trusted-uris = http://192.168.0.30, http://192.168.0.81, http://192.168.0.101, http://192.168.0.102, 192.168.0.30, 192.168.0.81, 192.168.0.101, 192.168.0.102
network.auth.use-sspi = false
IE
I have added the IPs under Internet Options -> Security -> Trusted Zones -> Add IP,
Local Intranet zone -> Automatic Logon only in Local Intranet
Chrome
Same same...
google-chrome --auth-server-whitelist = "admin/admin"
or
google-chrome --auth-server-whitelist = "192.168.0.81"
Other observations:
If I use the command line to run kinit, it shows zero tickets, even though in the MIT Kerberos app it has.
Browser answers:
java.lang.IllegalArgumentException: Malformed gss token
Many others like:
Authentification failure.
I am out of ideas. I really trust that there is no security without Kerberos, and the next step will be to add Apache Knox, but that is for the future. Can someone please point me to anything? I have gone through all the Google/Bing links about this problem. I know this is probably related to the browsers, but I cannot rule anything out.
Note:
Yes, in the Ubuntu 16.04 console I am able to connect to beeline, HDFS, ..., and everything is managed perfectly by Ranger (awesome!).
I am documenting this whole process, so I am happy to write a guide for the community in the future as a giveback.
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Cluster info:
HDP 3.1
Kerberos: 5
Accessing Machine: Windows 10, or Mac OS X
Browsers: Any, IE, Chrome, Firefox.
OS: Ubuntu 16.04
IP Address:
kerberos server: 192.168.0.30
ambari server: 192.168.0.50
hdp-master-001: 192.168.0.81
hdp-worker-001: 192.168.0.101
hdp-worker-002: 192.168.0.102
krb5.ini
[libdefaults]
    default_realm = CLUSTER001
[realms]
    EXAMPLE.COM = {
        admin_server = 192.168.0.30
        kdc = 192.168.0.30
    }
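
A client-side sanity check for a krb5.ini like the one quoted above, as an added example that is not part of the original post: it verifies that `default_realm` has a matching block under `[realms]` and that every realm block names a `kdc`. The function names and the sample text are constructed for illustration; a realm without a `[realms]` block can still work if the KDC is discoverable through DNS, so that finding is worded as something to confirm.

```python
import re

# Constructed sample mirroring the krb5.ini layout quoted in the post.
SAMPLE_KRB5 = """
[libdefaults]
    default_realm = CLUSTER001
[realms]
    EXAMPLE.COM = {
        admin_server = 192.168.0.30
        kdc = 192.168.0.30
    }
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: {key: [values]}}) from krb5.ini text."""
    libdefaults, realms = {}, {}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None    # new top-level section
        elif section == "realms" and (m := re.fullmatch(r"(\S+)\s*=\s*\{", line)):
            realm = m.group(1)                   # start of a realm block
            realms[realm] = {}
        elif line == "}":
            realm = None                         # end of a realm block
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
    return libdefaults, realms

def check_krb5(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    libdefaults, realms = parse_krb5(text)
    findings = []
    default = libdefaults.get("default_realm")
    if default is None:
        findings.append("no default_realm in [libdefaults]")
    elif default not in realms:
        findings.append(f"default_realm {default} has no [realms] block "
                        f"(defined: {sorted(realms)}); confirm the KDC is found via DNS")
    findings += [f"realm {n} has no kdc entry" for n, c in realms.items() if "kdc" not in c]
    return findings

if __name__ == "__main__":
    print("\n".join(check_krb5(SAMPLE_KRB5)) or "krb5.ini is consistent")
```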