Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Livy HTTP 403 Error

Labels:
avatar
author-rank slachterman
Guru

Created on ‎12-18-2016 10:11 PM - edited ‎08-18-2019 04:59 AM

I am attempting to use the Livy interpreter in Zeppelin in a Kerberized cluster running HDP 2.5.

I am seeing Error running rest call; nested exception is org.springframework.web.client.HttpClientErrorException: 403 Forbidden in the UI, but don't see additional information in the zeppelin or livy logs.

10397-screen-shot-2016-12-18-at-40528-pm.png

This seems to be a SPNEGO authentication issue of some kind. I tried using curl to connect from the Zeppelin node and was able to authenticate using --negotiate with the ticket in the cache.

How can I troubleshoot this error further?

6,449 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank slachterman
Guru

Created ‎12-19-2016 12:36 AM

I had the same issue as described here: https://community.hortonworks.com/questions/69697/getting-error-user-session-not-found-403-when-usin...

Changing livy.superusers in the Custom Livy conf in Spark configuration so that the cluster name is in lowercase allowed that first 403 error to go away. I am now running into another issue where the error in the UI is "Cannot start spark" and in the logs there appears to be an issue authenticating to the Hive metastore using Kerberos.

This may be https://issues.apache.org/jira/browse/SPARK-13478 for Spark 1.6.2 and Zeppelin 0.6.0, I'm researching further.

View solution in original post

5,513 Views
0
7 REPLIES 7

avatar
author-rank mqureshi
Super Guru

Created ‎12-19-2016 12:00 AM

@slachterman

Not sure if I have enough information but couple of things come to mind. In a Kerberized environment, you need to do a kinit and then use proxy user. How are you doing that? I guess you already know this but you cannot for example use keytab and proxy user together. See the details below:

https://issues.cloudera.org/browse/LIVY-98

Also, I have not used livy with zeppelin but according to the docs, you should use "livy.spark" (May be this is just another way of doing it but I thought I'll point out).

https://zeppelin.apache.org/docs/0.6.0/interpreter/livy.html

5,513 Views

avatar
author-rank slachterman
Guru

Created ‎12-19-2016 12:29 AM

Thanks @mqureshi, I was testing with impersonation turned off for the Livy interpreter. The curl test was just to confirm that the zeppelin service could authenticate to the Livy REST API using SPNEGO. My assumption with impersonation turned off is that Livy would launch the Spark application as the livy principal.

Interestingly, with impersonation enabled, I am seeing a different error: java.net.ConnectException: Connection refused (Connection refused).

By the way, behavior is the same with interpreter specified as 'livy.spark'.

5,513 Views
0 Kudos

avatar
author-rank slachterman
Guru

Created ‎12-19-2016 12:36 AM

I had the same issue as described here: https://community.hortonworks.com/questions/69697/getting-error-user-session-not-found-403-when-usin...

Changing livy.superusers in the Custom Livy conf in Spark configuration so that the cluster name is in lowercase allowed that first 403 error to go away. I am now running into another issue where the error in the UI is "Cannot start spark" and in the logs there appears to be an issue authenticating to the Hive metastore using Kerberos.

This may be https://issues.apache.org/jira/browse/SPARK-13478 for Spark 1.6.2 and Zeppelin 0.6.0, I'm researching further.

5,514 Views
0

avatar
author-rank jzhang
Super Collaborator

Created ‎12-19-2016 03:37 AM

Right, spark of HDP fix this issue as we backport this to HDP 2.5

5,513 Views

avatar
author-rank slachterman
Guru

Created ‎12-19-2016 06:28 PM

@jzhang I am seeing this issue in an HDP 2.5 cluster (Zeppelin 0.6.0 and Spark 1.6.2). In which HDP release was the fix backported?

5,513 Views
0 Kudos

avatar
author-rank jzhang
Super Collaborator

Created ‎12-20-2016 01:31 AM

The hive metastore security issue should be fixed in HDP 2.5. (Please use yarn-cluster mode, yarn-client mode still has this issue) Could you attach the logs and configs ?

5,513 Views
0 Kudos

avatar
author-rank slachterman
Guru

Created ‎12-20-2016 05:34 PM

@jzhang good call, I changed to yarn-cluster mode for the Livy interpreter and was not able to reproduce the error in HDP 2.5.

5,513 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements