Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Storm UI issue after kerberising cluster

Highlighted

Storm UI issue after kerberising cluster

Explorer

Hi ,

I have kerbrezied my cluster which have storm. I am able to see UI on the machine on which storm is installed.

But, How can I see storm UI from my machine which is not part of cluster. I am able to see UI of ambari and also all other services UI. But not able to see storm UI. Please anyone can help.

3 REPLIES 3
Highlighted

Re: Storm UI issue after kerberising cluster

Super Mentor

@Niraj Parmar

You will need to make sure that your browser has the following settings:

Suppose your "Storm UI" host name is "kjss5.example.com" then add the following entry:

Open the Firefox "about:config" and then search for the following two properties and set the values to the hostname/domain that are secured:

network.negotiate-auth.delegation-uris=kjss5.example.com
network.negotiate-auth.trusted-uris=kjss5.example.com

.

Next you will need to copy the Storm Keytab to your local machine (where you are running the browser), then do a kinit

Now reopen the browser and you should be able to access the Storm UI.

For more information please see:https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.0/bk_secure-storm-ambari/content/ch_secure-storm-ui.html

.

Highlighted

Re: Storm UI issue after kerberising cluster

Explorer

@Jay SenSharma

I have tried above option on the machine were I have installed Storm using below option

  1. network.negotiate-auth.trusted-uris=kjss5.example.com and it is working .. means I am getting storm UI.

But how to access Storm UI from my windows machine without kerberizing my windows machine.??

Thanks in advance..

Highlighted

Re: Storm UI issue after kerberising cluster

@Niraj Parmar

When accessing a web-based user interface that requires Kerberos authentication, you will need to ensure that your web browser is properly configured to send a Kerberos token.

On the client machine, you will need to make a Kerberos identity has been established. This may be done sing different mechanism depending on the OS being used. For example on a Linux host, you might use kinit. Then, the web browser needs to be configured properly. Instructions on doing this is dependent on the type of web browser and OS. I usually refer to https://ping.force.com/Support/PingFederate/Integrations/How-to-configure-supported-browsers-for-Ker... to help with this. Or maybe do an internet search for your particular web browser and operating system.

If you have done this, then maybe there is an issue with the Kerberos identity. If the principal belongs to a different realm from what is configured for the cluster, a cross-realm trust relationship must be established so that the cluster's realm will trust the tokens coming from the alternate KDC. Establishing the trust relationship can be done by following steps outlined in the HCC article titled One Way Trust - MIT KDC to Active Directory.

If you are seeing a specific error, posting that may help debug the issue. Possible take a look at the Storm UI logs to see if there are any interesting messages there. It may be necessary to turn on Kerberos debugging to get more information as well. This can be done by setting the Java system properly 'sun.security.krb5.debug` to true. For example

-Dsun.security.krb5.debug=true

Maybe the following page will help with setting this property - https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.3/bk_installing_manually_book/content/configu...

Don't have an account?
Coming from Hortonworks? Activate your account here