
Storm UI Accessed Failed After Enable Kerberos


Contributor

After "Enable Kerberos", when I access Storm UI, the response is:

HTTP ERROR: 401

Problem accessing /. Reason:

Authentication required

I can't find the reason, can anyone help me?

7 REPLIES

Re: Storm UI Accessed Failed After Enable Kerberos

Did you configure your client browser to use Kerberos? Have you kinit'ed on the client side successfully?

Re: Storm UI Accessed Failed After Enable Kerberos

New Contributor

I have kinit'ed with the client from where I'm supposed to run. But when I execute the curl command I'm still getting the 401. Can you let me know if I have to mention my user in any config file to get access?

Re: Storm UI Accessed Failed After Enable Kerberos

Expert Contributor

@Zhao Chaofeng

When enabling Kerberos for the cluster, Storm web authentication is also enabled. Note that this is unlike some other Hadoop components like HDFS and YARN, which require explicit steps to enable web authentication (link). This is the reason you are not able to access the Storm web UI without authenticating yourself.

Whether Storm web UI is activated or not can be confirmed by checking the value of the properties "ui.filter" and "ui.filter.params" in storm-site yaml.

You can authenticate (kinit) yourself before using the Storm web UI to make this work. For doing this, the client machine from where you are accessing the Storm web UI should have the /etc/krb5.conf file configured to talk to the KDC server. You can create a principal and keytab with your name and then do kinit.

Quoting from the Apache Storm documentation at http://storm.apache.org/releases/0.10.0/SECURITY.html on how to configure your browsers to use the authenticated session once made by doing kinit from command line

Once configured users needs to do kinit before accessing UI. Ex:

curl -i --negotiate -u:anyUser -b ~/cookiejar.txt -c ~/cookiejar.txt http://storm-ui-hostname:8080/api/v1/cluster/summary

1. Firefox: Goto about:config and search for network.negotiate-auth.trusted-uris double-click to add value "http://storm-ui-hostname:8080"

2. Google-chrome: start from command line with: google-chrome --auth-server-whitelist="storm-ui-hostname" --auth-negotiate-delegate-whitelist="storm-ui-hostname"

3. IE: Configure trusted websites to include "storm-ui-hostname" and allow negotiation for that website

Caution: In AD MIT Kerberos setup the key size is bigger than the default UI jetty server request header size. Make sure you set ui.header.buffer.bytes to 65536 in storm.yaml. More details are on STORM-633
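
Added example (not part of the reply above, and not Storm or Hortonworks code): a POSIX shell check of the storm.yaml settings that reply names, ui.filter, ui.filter.params and ui.header.buffer.bytes. The "type" and "kerberos.principal" parameter names follow the Storm SECURITY document linked above; the sample file, realm and keytab path are constructed, and the parser assumes plain "key: value" lines.

```shell
#!/bin/sh
# Added example: audit the Storm UI auth settings discussed in this thread.
# Assumes flat "key: value" lines and an indented ui.filter.params block.

# Print the value of a top-level key (quotes and padding stripped).
yaml_get() {
    awk -v k="$2:" 'index($0, k) == 1 {
        v = substr($0, length(k) + 1); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
        print v; exit }' "$1"
}

# Print one entry from the indented block under ui.filter.params.
filter_param() {
    awk -v want="$2" '
        /^ui\.filter\.params:/ { inblk = 1; next }
        inblk && /^[^ \t]/ { inblk = 0 }   # next top-level key ends the block
        inblk { line = $0; gsub(/"/, "", line); sub(/^[ \t]+/, "", line)
                n = index(line, ": ")
                if (n && substr(line, 1, n - 1) == want) { print substr(line, n + 2); exit } }' "$1"
}

# Print one finding per line for the storm.yaml given as $1.
audit_storm_ui() {
    filter=$(yaml_get "$1" ui.filter)
    if [ -z "$filter" ]; then
        echo "AUTH_OFF ui.filter is unset, the UI is not behind an auth filter"
        return 0
    fi
    echo "AUTH_ON ui.filter=$filter, clients need kinit plus SPNEGO (browser config or curl --negotiate)"
    [ "$(filter_param "$1" type)" = kerberos ] || echo "WARN ui.filter.params type is not kerberos"
    case $(filter_param "$1" kerberos.principal) in
        HTTP/*) ;;
        *) echo "WARN kerberos.principal should be an HTTP/<host> service principal" ;;
    esac
    buf=$(yaml_get "$1" ui.header.buffer.bytes)
    [ "${buf:-0}" -ge 65536 ] 2>/dev/null || echo "WARN ui.header.buffer.bytes=${buf:-unset}, set 65536 (STORM-633)"
}

# Constructed sample: Kerberos filter enabled, header buffer not set.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ui.filter: "org.apache.hadoop.security.authentication.server.AuthenticationFilter"
ui.filter.params:
  "type": "kerberos"
  "kerberos.principal": "HTTP/storm-ui-hostname@EXAMPLE.COM"
  "kerberos.keytab": "/path/to/constructed/spnego.keytab"
EOF
audit_storm_ui "$sample"
rm -f "$sample"
```

On the constructed sample this reports AUTH_ON followed by one WARN for the unset header buffer; point it at the real storm.yaml on the UI host to check a live cluster.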

Re: Storm UI Accessed Failed After Enable Kerberos

Expert Contributor

I got a similar error. I was able to successfully kinit and start the Safari browser from the same command line session, but I got the below error. Any idea?

2017-01-06 14:25:26.937 o.a.h.s.a.s.AuthenticationFilter [WARN] AuthenticationToken ignored: org.apache.hadoop.security.authentication.util.SignerException: Invalid signed text

Re: Storm UI Accessed Failed After Enable Kerberos

Contributor

@yjiang

Steps are:

1. Configure your laptop OS Kerberos client

2. Use the command line or a tool to init a Kerberos ticket

3. Configure your browser for SPNEGO

There are some articles for different OSes and browsers. I have one for Mac and Firefox.

Another workaround for Storm UI is to use Ambari Storm View.

https://docs.hortonworks.com/HDPDocuments/Ambari-2.4.0.0/bk_ambari-views/content/ch_using_storm_view...

Regards

Re: Storm UI Accessed Failed After Enable Kerberos

New Contributor

@wbu I am trying the same thing but for HiveServer2 WebUI. I am running into the same error:

1) Have configured Mac with Kerberos client

2) Have kinit initialized. If I do a klist I can see a valid ticket. Validity is for a day.

3) Configured browser for SPNEGO. Using Chrome browser.

But still getting the same error. Is there anything else I am missing?

Re: Storm UI Accessed Failed After Enable Kerberos

New Contributor

Hi

Having the same problem? Were you able to fix it?
