After "Enable Kerberos" when I access Storm UI, the response is:
Problem accessing /. Reason:
I can't find the reason, can anyone help me?
I have kinit'ed with the client from where I'm supposed to run . But when I execute the curl command I'm still getting the 401. Can you let me know if I have to mention my user in any config file to get access?
When enabling Kerberos for the cluster, Storm web authentication is also enabled. Note that this is unlike some other Hadoop components like HDFS and YARN, which require explicit steps to enable web authentication (link). This is the reason you are not able to access the Storm web UI without authenticating yourself.
Whether Storm web UI is activated or not can be confirmed by checking the value of the properties "ui.filter" and "ui.filter.params" in the storm-site yaml.
You can authenticate yourself (kinit) before using the Storm web UI to make this work. To do this, the client machine from which you are accessing the Storm web UI should have an /etc/krb5.conf file configured to talk to the KDC server. You can create a principal and keytab with your name and then do kinit.
Quoting from the Apache Storm documentation at http://storm.apache.org/releases/0.10.0/SECURITY.html on how to configure your browsers to use the authenticated session once made by doing kinit from the command line:
Once configured users needs to do kinit before accessing UI. Ex:
curl -i --negotiate -u:anyUser -b ~/cookiejar.txt -c ~/cookiejar.txt http://storm-ui-hostname:8080/api/v1/cluster/summary
1. Firefox: Goto about:config and search for network.negotiate-auth.trusted-uris double-click to add value "http://storm-ui-hostname:8080"
2. Google-chrome: start from command line with: google-chrome --auth-server-whitelist="storm-ui-hostname" --auth-negotiate-delegate-whitelist="storm-ui-hostname"
3. IE: Configure trusted websites to include "storm-ui-hostname" and allow negotiation for that website
Caution: In AD MIT Kerberos setup the key size is bigger than the default UI jetty server request header size. Make sure you set ui.header.buffer.bytes to 65536 in storm.yaml. More details are on STORM-633.
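A configuration check for the three properties named in the answer above (ui.filter, ui.filter.params and ui.header.buffer.bytes), as an added example that is not part of the original thread or of Storm's own code. The sample storm.yaml is constructed, the parser handles only the flat layout shown here rather than full YAML, and the function names are hypothetical.

```python
import re

# Constructed sample storm.yaml; host, realm and keytab path are placeholders.
SAMPLE_STORM_YAML = """\
ui.port: 8080
ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
ui.filter.params:
  "type": "kerberos"
  "kerberos.principal": "HTTP/storm-ui-hostname@EXAMPLE.COM"
  "kerberos.keytab": "/path/to/http.keytab"
ui.header.buffer.bytes: 4096
"""

LINE = re.compile(r'^(\s*)"?([^":#]+)"?\s*:\s*(.*?)\s*$')

def parse_storm_yaml(text):
    """Read top-level keys plus one nested map level (not a full YAML parser)."""
    conf, parent = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not raw.strip() or raw.lstrip().startswith("#") or not m:
            continue
        indent, key, value = m.group(1), m.group(2).strip(), m.group(3).strip("\"'")
        if indent and parent is not None:
            conf[parent][key] = value          # entry of the open nested map
        elif value == "":
            parent, conf[key] = key, {}        # "key:" opens a nested map
        else:
            parent, conf[key] = None, value    # plain top-level scalar
    return conf

def audit_ui_auth(conf):
    """Return findings for the Storm UI SPNEGO settings; empty list means OK."""
    params = conf.get("ui.filter.params")
    if not conf.get("ui.filter"):
        return ["ui.filter is unset: Storm UI authentication is not enabled"]
    if not isinstance(params, dict) or params.get("type") != "kerberos":
        return ["ui.filter is set but ui.filter.params type is not 'kerberos'"]
    try:
        size = int(conf.get("ui.header.buffer.bytes", 0))
    except (TypeError, ValueError):
        size = 0
    if size < 65536:  # per the caution above: tickets can exceed the Jetty header buffer
        return [f"ui.header.buffer.bytes is {size}, below the recommended 65536"]
    return []

if __name__ == "__main__":
    for finding in audit_ui_auth(parse_storm_yaml(SAMPLE_STORM_YAML)) or ["OK"]:
        print(finding)
```

On the constructed sample this reports the undersized header buffer; a file with no ui.filter entry is reported as having UI authentication disabled.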
I got a similar error. I was able to successfully kinit and start the Safari browser from the same command line session, but I got the below error. Any idea?
2017-01-06 14:25:26.937 o.a.h.s.a.s.AuthenticationFilter [WARN] AuthenticationToken ignored: org.apache.hadoop.security.authentication.util.SignerException: Invalid signed text
1. Configure your laptop OS Kerberos client
2. Use command line or tool to init a Kerberos ticket
3. Configure your browser for SPNEGO
There are some articles for different OSes and browsers. I have one for Mac and Firefox.
Another workaround for Storm UI is to use Ambari Storm View.
@wbu I am trying the same thing but for HiveServer2 WebUI. I am running into the same error:
1) Have configured Mac with Kerberos client
2) Have kinit initialized. If I do a klist I can see a valid ticket. Validity is for a day.
3) Configured browser for SPNEGO. Using Chrome browser.
But still getting the same error. Is there anything else I am missing?