Created on 10-23-2015 03:43 AM - edited 09-16-2022 02:45 AM
We have a user at xxxx who wants to access the web UI but gets a 401 on his Windows machine. We have a valid ticket for the realm of the cluster but also a ticket for a different realm (the primary realm of the machine). We have done the steps for preparing Firefox as specified in the Storm UI question, but it does not work. Any idea how to specify a principal?
Also, a little add-on: we sometimes see a 302 in curl instead of a 200. We can also see this in the Ambari alerts, but Ambari seems to think it's OK (as in, timeline server is 302 and Oozie 200, but I got a 302 in the Oozie curl). What does this mean exactly?
Created 10-23-2015 04:53 PM
The HTTP 302 code is a redirect response. This shouldn't affect your ability to authenticate with the web app via your browser. So something with your configuration may be wrong. I assume that you entered the Oozie UI server information in as a trusted URI.
Also, maybe this might help - http://www.microhowto.info/howto/configure_firefox_to_authenticate_using_spnego_and_kerberos.html
Created 10-23-2015 10:08 AM
I can't think of anything obvious, but there are some online instructions on using Chrome; that may behave differently:
http://www.ghostar.org/2015/06/google-chrome-spnego-and-webhdfs-on-hadoop/
Created 10-26-2015 04:52 AM
Thanks for the links, but I think we followed the instructions from the wiki (adding the URL into the Firefox settings). Do you think it's possible that the issue is having multiple Kerberos tickets on the Windows machine? In other words, does SPNEGO send all of them or only the primary one (which would be the wrong one, the one the user gets directly from AD)?
Created 10-26-2015 01:32 PM
What Kerberos client is installed on the Windows machine?
How did the 2nd ticket get established? If using MIT Kerberos libraries, one would kinit to do this.
Created 02-02-2016 05:23 PM