Support Questions

Find answers, ask questions, and share your expertise

Kerberised Webhdfs from client machine

avatar
Explorer

Hi,I have a Kerberized cluster.I want to run webhdfs/REST call from my laptop. I donot have knox as of now.How can i do that?

1 REPLY 1

avatar

@Mudit Kumar

To connect to HDFS that required a Kerberos ticket for authentication, you need to get a valid Kerberos ticket from a relevant KDC and use a client that can send that ticket when requested - all on the client host.

First, you need a Kerberos infrastructure on your laptop. If you are running Mac OS, then one should already be installed. If you are running Windows, you will probably need to install something. There are several ways to do this, I suggest searching the Internet for possibly solutions. For example - http://web.mit.edu/kerberos/kfw-4.1/kfw-4.1.html

Once you have a Kerberos infrastructure installed, you need to set up a krb5.conf file so that kinit knows where the KDC is so you can authenticate and request service tickets.

To get a Kerberos ticket, you need to authenticate using kinit:

HW14041:~ rlevas$ kinit rlevas@EXAMPLE.COM
rlevas@EXAMPLE.COM's password:

Upon success, you should have a Kerberos ticket:

HW14041:~ rlevas$ klist
Credentials cache: API:47BBBB94-9891-4D2A-B8F0-9E796DC30BD1
        Principal: rlevas@EXAMPLE.COM
  Issued                Expires               Principal
Jun 26 12:17:06 2018  Jun 27 12:17:05 2018  krbtgt/EXAMPLE.COM@EXAMPLE.COM

Now you can use a client that knows how to authenticate using Kerberos, like curl:

curl -i --negotiate -u : "http://c6401.ambari.apache.org:50070/webhdfs/v1/tmp?op=LISTSTATUS"

Note: --negotiate tells curl to use Kerberos for authentication; and -u tells curl that authentication data should be sent to the server, even though it is empty. Both are important for this call.

I hope this helps.