Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

OOZIE / YARN WEB UI do not authenticate - HTTP 403 java.lang.IllegalArgumentException

avatar
author-rank josr89
Explorer

Created ‎09-08-2022 01:37 AM

Hello community,

 

After a recent Domain Controler update, our fully kerberized Cloudera cluster 3.1.1 does not allow us to login the web interfaces of Oozie and YARN (the underneath services are working fine, apps are up and running)

 

When authenticating, we receive in the browser the following message: HTTP 403 - Authentication exception: java.lang.IllegalArgumentException.

 

We have tried with different browsers, and configured them to work with the Kerberos authentication as explained in other threads.

 

It is important to mention, that the authentication worked fine before the Domain Controller update.

 

Any ideas on how to solve this? thanks for your support.

1,478 Views
0 Kudos
2 REPLIES 2

avatar
author-rank JimHalfpenny
Contributor

Created ‎09-08-2022 02:46 AM

Hi,

  • What do the logs say on the Oozie and YARN servers show in response to this error? You may find a stack trace or more descriptive error message in the logs compared to what you see back in the browser.
  • Try using your browser debugger to see what request is being sent to the web server. Check to see if you are seeing the expected WWW-Authenticate and Authorization headers from the server and client respectively. The top of this page gives and indication of what you should be seeing - https://docs.oracle.com/javase/10/security/part-vi-http-spnego-authentication.htm
  • What changed on the DC exactly? Was it a patch or was the version of Windows upgraded?

Cheers,

Jim

1,460 Views
0 Kudos

avatar
author-rank josr89
Explorer

Created ‎09-08-2022 07:25 AM

Hi Jim, thanks for your prompt answer.

 

Here my answers:

 

1) what do the logs say? nothing relevant, just the illegal argument exception, for example:

 

 

2022-09-08 16:15:42,386 WARN  server.AuthenticationFilter (AuthenticationFilter.java:doFilter(608)) - Authentication exception: java.lang.IllegalArgumentException

 

2)Thanks for the information provided, but I am not able to identify if the config is ok or not. One important thing perhaps to mention is that the Yarn Server is in one domain (let´s call it A) but the user authentication is done to a different domain (let´s call it B). For what I see in the headers, the server side and the client side are making reference of domain A, which makes sense, but I can´t identify in which moment the illegal argument comes up

 

3) the domain controllers were deprecated, and we had to reconfigure the Kerberos information by the servers in the Cluster plus run the Ambari Ldap Setup to make reference to the new DC. We did not modify anything regarding Yarn, Oozie or the other services.

 

Thanks for your help,

Jesus

 

1,441 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements