Storm UI SPNEGO configuration issue when accessing via AWS load balancer

I have an HCP 1.5 Kerberized cluster set up on AWS in a private VPC. I have configured an AWS load balancer to access my Storm UI component. I have set up the Kerberos client and configured my browser for SPNEGO authentication. However, I am getting a 403 error when accessing the Storm UI through the load balancer. After analysis I found that my browser client uses the host name (the load balancer's domain name) as the host component of the Kerberos principal (HTTP/myLoadBalancerDns.us-east-1.elb.amazonaws.com@EXAMPLE.COM). I have created this principal and successfully obtained a TGT for it from my Windows client using the keytab file as well.

It seems authentication is going through but authorization is having an issue. What could be missing here? I can see that all the other Storm components have an entry in the `storm_jaas.conf` file in my Storm installation. Am I missing something here for the newly created principal? How do I configure SPNEGO in Storm for access over a load balancer?

Parent question linked with this : https://community.hortonworks.com/questions/221868/403-error-with-unsupported-key-type-message-upon-...

My storm_jaas.conf file:

// Nimbus server side
StormServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/nimbus.service.keytab"
   storeKey=true
   useTicketCache=false
   principal="nimbus/sdssystemmaster2.example.com@EXAMPLE.COM";
};
// Clients (UI, supervisors, CLI) authenticating to Nimbus
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="nimbus"
   principal="storm-sdssystembed@EXAMPLE.COM";
};
RegistryClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   principal="storm-sdssystembed@EXAMPLE.COM";
};
// Default JGSS initiator login, used when no explicit JAAS section is named
com.sun.security.jgss.krb5.initiate {
   com.sun.security.auth.module.Krb5LoginModule required
   renewTGT=false
   doNotPrompt=true
   useKeyTab=true
   keyTab="/etc/security/keytabs/nimbus.service.keytab"
   principal="nimbus/sdssystemmaster2.example.com@EXAMPLE.COM"
   storeKey=true
   useTicketCache=false;
};
// ZooKeeper client
Client {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="zookeeper"
   principal="storm-sdssystembed@EXAMPLE.COM";
};
// Kafka client
KafkaClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="kafka"
   principal="storm-sdssystembed@EXAMPLE.COM";
};

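A check for the host-name problem described in the question, written as an added example (not code from the post, nor from Apache Storm or HCP). It parses the posted storm_jaas.conf, derives the HTTP/<host>@REALM principal a SPNEGO-enabled browser will request for the load balancer URL, and reports whether any section is keyed for it. The StormUIServer section, its keytab path, the URL and the trimmed JAAS text are constructed assumptions for the demonstration.

```python
"""Check which SPNEGO service principal a browser will request for a Storm UI
URL and whether a JAAS configuration holds a key for it.

Added example for this thread; not code from the original post or from
Apache Storm.  Hostnames and the JAAS text are taken from the question or
constructed here.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: two sections from the storm_jaas.conf in the question.
SAMPLE_JAAS = """
StormServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/nimbus.service.keytab"
   storeKey=true
   useTicketCache=false
   principal="nimbus/sdssystemmaster2.example.com@EXAMPLE.COM";
};
StormClient {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/storm.headless.keytab"
   storeKey=true
   useTicketCache=false
   serviceName="nimbus"
   principal="storm-sdssystembed@EXAMPLE.COM";
};
"""

# Hypothetical section keyed for the load balancer's HTTP/ principal. The
# name StormUIServer and the keytab path are assumptions, not Storm config.
UI_SECTION = """
StormUIServer {
   com.sun.security.auth.module.Krb5LoginModule required
   useKeyTab=true
   keyTab="/etc/security/keytabs/spnego.service.keytab"
   storeKey=true
   useTicketCache=false
   principal="HTTP/myloadbalancerdns.us-east-1.elb.amazonaws.com@EXAMPLE.COM";
};
"""

SECTION_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.DOTALL)
OPTION_RE = re.compile(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)')


def parse_jaas(text):
    """Parse the JAAS subset Storm uses: one login module per section,
    key=value options, values optionally double-quoted.
    Returns {section: {"module": str, "flag": str, "options": dict}}."""
    sections = {}
    for name, body in SECTION_RE.findall(text):
        tokens = body.split()
        module, flag = (tokens + [None, None])[:2]
        options = {k: v.strip('"') for k, v in OPTION_RE.findall(body)}
        sections[name] = {"module": module, "flag": flag, "options": options}
    return sections


def spnego_principal(url, realm):
    """Service principal a SPNEGO-enabled browser asks the KDC for: built from
    the host in the URL the user typed, never from the backend the load
    balancer forwards to.  MIT- and Java-based clients lower-case the host."""
    return "HTTP/%s@%s" % (urlsplit(url).hostname.lower(), realm)


def expand_host(principal, local_hostname):
    """Mimic the _HOST substitution of the Hadoop Kerberos authentication
    filter that Storm's UI uses: _HOST becomes the hostname of the node
    running the UI, which behind a load balancer is never the LB name."""
    return principal.replace("_HOST", local_hostname.lower())


def sections_holding(sections, principal):
    """Names of sections whose login module is keyed for `principal`."""
    return sorted(name for name, s in sections.items()
                  if s["options"].get("principal") == principal)


def check_ui_access(jaas_text, url, realm):
    """Report whether any section in `jaas_text` can accept a SPNEGO token
    for `url`, and which keytab(s) it would use."""
    sections = parse_jaas(jaas_text)
    wanted = spnego_principal(url, realm)
    holders = sections_holding(sections, wanted)
    keytabs = sorted({sections[h]["options"].get("keyTab") for h in holders})
    return {"principal": wanted, "sections": holders,
            "keytabs": keytabs, "ok": bool(holders)}


if __name__ == "__main__":
    LB_URL = "https://myLoadBalancerDns.us-east-1.elb.amazonaws.com/"
    # Posted config: no section keyed for the LB's HTTP/ principal
    print(check_ui_access(SAMPLE_JAAS, LB_URL, "EXAMPLE.COM"))
    # With the hypothetical UI section added
    print(check_ui_access(SAMPLE_JAAS + UI_SECTION, LB_URL, "EXAMPLE.COM"))
    # HTTP/_HOST on a backend node expands to that node, not to the LB
    print(expand_host("HTTP/_HOST@EXAMPLE.COM", "sdssystemmaster2.example.com"))
```

In Storm the UI's SPNEGO filter is configured in storm.yaml (ui.filter set to Hadoop's AuthenticationFilter, with kerberos.principal and kerberos.keytab under ui.filter.params) rather than in storm_jaas.conf, so the same check applies to those values: the principal must be HTTP/<load balancer DNS name>@REALM, every UI node behind the balancer needs a keytab holding that key, and HTTP/_HOST expands on each node to its own hostname, which is a principal the browser never asks for.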