Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger KMS Rest API commands not working in kerberized cluster

Labels:
avatar
author-rank vandana_6
Rising Star

Created ‎01-27-2017 02:32 PM

Hi,

While executing the following Ranger KMS rest API command, we have encountered the exception:

command: curl -u admin:admin -X GET http://<ranger-KMS-server>:9292/kms/v1/keys/names

Exception: Authentication required-This request requires HTTP authentication.

We have created the keyadmin principal with the password keyadmin1 as configured in kms-properties. We can create keys and list keys via Ranger KMS UI. Please advice a solution ASAP.

3,102 Views
1 ACCEPTED SOLUTION

avatar
author-rank slachterman
Guru

Created ‎01-31-2017 05:59 PM

@Vandana K R you need to use curl's negotiate option to authenticate via SPNEGO:

kinit -kt /etc/security/keytabs/rangerkms.service.keytab rangerkms/HOST@DOMAIN
curl --negotiate -u : -H 'Content-Type: application/json' http://HOST:9292/kms/v1/key/mykey/_metadata

View solution in original post

2,814 Views
0 Kudos
6 REPLIES 6

avatar
author-rank vperiasamy author-rank
Guru

Created ‎01-27-2017 09:45 PM

Have you tried kinit'ing with the keyadmin principal and then trying the curl call with kerberos auth?

2,814 Views
0 Kudos

avatar
author-rank vandana_6
Rising Star

Created ‎01-30-2017 06:17 AM

@vperiasamy I tried kiniting the keyadmin principal. But still facing the same authentication error.

2,814 Views
0 Kudos

avatar
author-rank slachterman
Guru

Created ‎01-31-2017 05:59 PM

@Vandana K R you need to use curl's negotiate option to authenticate via SPNEGO:

kinit -kt /etc/security/keytabs/rangerkms.service.keytab rangerkms/HOST@DOMAIN
curl --negotiate -u : -H 'Content-Type: application/json' http://HOST:9292/kms/v1/key/mykey/_metadata
2,815 Views
0 Kudos

avatar
author-rank vandana_6
Rising Star

Created ‎02-01-2017 10:54 AM

@slachterman thank you it worked with negotiate.

Now when I disabled the kerberos and tried the same rest api command , same exception recreated.

command: curl -u keyadmin:keyadmin1 -X GET http://<ranger-KMS-server>:9292/kms/v1/keys/names

Exception: Authentication required-This request requires HTTP authentication.

Please advice

2,814 Views
0 Kudos

avatar
author-rank slachterman
Guru

Created ‎02-01-2017 02:45 PM

Hi @Vandana K R, that is really a separate question, would you mind accepting my answer if it resolved your issue and creating a separate post for this issue? That will make it easier for others to find this resolution in the future.

2,814 Views
0 Kudos

avatar
author-rank vandana_6
Rising Star

Created ‎02-02-2017 05:21 AM

thank you,my issue has been resolved with negotiate option.

2,814 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements