Support Questions

Find answers, ask questions, and share your expertise

OOZIE / YARN WEB UI do not authenticate - HTTP 403 java.lang.IllegalArgumentException

avatar
Explorer

Hello community,

 

After a recent Domain Controler update, our fully kerberized Cloudera cluster 3.1.1 does not allow us to login the web interfaces of Oozie and YARN (the underneath services are working fine, apps are up and running)

 

When authenticating, we receive in the browser the following message: HTTP 403 - Authentication exception: java.lang.IllegalArgumentException.

 

We have tried with different browsers, and configured them to work with the Kerberos authentication as explained in other threads.

 

It is important to mention, that the authentication worked fine before the Domain Controller update.

 

Any ideas on how to solve this? thanks for your support.

2 REPLIES 2

avatar
Contributor

Hi,

  • What do the logs say on the Oozie and YARN servers show in response to this error? You may find a stack trace or more descriptive error message in the logs compared to what you see back in the browser.
  • Try using your browser debugger to see what request is being sent to the web server. Check to see if you are seeing the expected WWW-Authenticate and Authorization headers from the server and client respectively. The top of this page gives and indication of what you should be seeing - https://docs.oracle.com/javase/10/security/part-vi-http-spnego-authentication.htm
  • What changed on the DC exactly? Was it a patch or was the version of Windows upgraded?

Cheers,

Jim

avatar
Explorer

Hi Jim, thanks for your prompt answer.

 

Here my answers:

 

1) what do the logs say? nothing relevant, just the illegal argument exception, for example:

 

 

2022-09-08 16:15:42,386 WARN  server.AuthenticationFilter (AuthenticationFilter.java:doFilter(608)) - Authentication exception: java.lang.IllegalArgumentException

 

2)Thanks for the information provided, but I am not able to identify if the config is ok or not. One important thing perhaps to mention is that the Yarn Server is in one domain (let´s call it A) but the user authentication is done to a different domain (let´s call it B). For what I see in the headers, the server side and the client side are making reference of domain A, which makes sense, but I can´t identify in which moment the illegal argument comes up

 

3) the domain controllers were deprecated, and we had to reconfigure the Kerberos information by the servers in the Cluster plus run the Ambari Ldap Setup to make reference to the new DC. We did not modify anything regarding Yarn, Oozie or the other services.

 

Thanks for your help,

Jesus