Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

SPNEGO access for oozie/timelineserver ui with multiple windows tickets

Solved Go to solution

SPNEGO access for oozie/timelineserver ui with multiple windows tickets

We have a user at xxxx who wants to access the web ui but gets a 401 on his windows machine. We have a valid ticket for the realm of the cluster but also a ticket for a different realm. ( the primary realm of the machine ) . We have done the steps for preparing firefox as specified in the storm ui question but it does not work. Any idea how to specify a principal?

Also little addon. We sometimes see a 302 in CURL instead of a 200. We can also see this in the Ambari alerts. But ambari seems to think its ok ( as in timeline server is 302 and oozie 200 but I got 302 in oozie curl ) What does this mean exactly?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: SPNEGO access for oozie/timelineserver ui with multiple windows tickets

The HTTP 302 code is a redirect response. This shouldn't affect your ability to authenticate with the web app via your browser. So something with your configuration may be wrong. I assume that you entered the Oozie UI server information in as a trusted URI.

Also, maybe this might help - http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html

View solution in original post

5 REPLIES 5
Highlighted

Re: SPNEGO access for oozie/timelineserver ui with multiple windows tickets

I can't think of anything obvious, but theres some online instructions on using Chrome; that may behave differently:

http://www.ghostar.org/2015/06/google-chrome-spnego-and-webhdfs-on-hadoop/

Highlighted

Re: SPNEGO access for oozie/timelineserver ui with multiple windows tickets

The HTTP 302 code is a redirect response. This shouldn't affect your ability to authenticate with the web app via your browser. So something with your configuration may be wrong. I assume that you entered the Oozie UI server information in as a trusted URI.

Also, maybe this might help - http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html

View solution in original post

Highlighted

Re: SPNEGO access for oozie/timelineserver ui with multiple windows tickets

Thanks for the links, but I think we followed the instructions from the wiki ( adding the url into the firefox settings) do you think its possible that the issue is having multiple kerberos tickets in the windows machine? Does SPNEGO send all in other words or only the primary one ( which would be the wrong one the user directly gets from AD )

Highlighted

Re: SPNEGO access for oozie/timelineserver ui with multiple windows tickets

What Kerberos client is installed on the Windows machine?

How did the 2nd ticket get established? If using MIT Kerberos libraries, one would kinit to do this.

Highlighted

Re: SPNEGO access for oozie/timelineserver ui with multiple windows tickets

Mentor
Don't have an account?
Coming from Hortonworks? Activate your account here