
Two HDF schema registries behind AES ELB and Kerberos Authentication (SPNEGO) enabled


I have HDF in AWS, with two schema registries behind an ELB. The ELB has a static hostname via Route 53. During the installation process, when Kerberos is enabled, the Kerberos SPN is automatically generated into the registry.yaml file using the pattern HTTP/hostname@REALM:

lines from /var/lib/ambari-server/resources/mpacks/hdf-ambari-mpack-

    if security_enabled:
        _hostname_lowercase = config['agentLevelParams']['hostname'].lower()
        registry_ui_keytab_path = config['configurations']['registry-env']['registry_ui_keytab']
        _registry_ui_jaas_principal_name = config['configurations']['registry-env']['registry_ui_principal_name']

Because when I request resources via the ELB, the Kerberos SPNs in the different registry services do not match the service ticket I get from the KDC. For example, my ELB DNS name is and the registries' DNS names are and and when I am requesting a resource, the service principal I am going to send via the ELB will be HTTP/ but it does not match HTTP/ or/and HTTP/

One solution is to set up one common Kerberos SPN in both registries, HTTP/ I tried it out and it worked, but it is manual work, and after restarting the registry service via Ambari it regenerates the registry.yaml file and the old SPNs are back.

So I do not have any possibility to interact here?


Margus Roo
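
Added example, not part of the original post and not Ambari or Registry code: a check that derives the SPN a SPNEGO client requests for the ELB URL and reports which registry nodes' registry.yaml no longer contains it, which is how a restart that regenerates the per-host SPN shows up. The hostnames, realm, port and the `kerberos.principal` key in the sample text are constructed placeholders, and the client is assumed not to canonicalize the hostname through DNS.

```python
import re
from urllib.parse import urlsplit

# Matches service principals of the form HTTP/host@REALM anywhere in config text,
# so the check does not depend on the exact YAML key layout.
SPN_RE = re.compile(r"HTTP/[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+")


def client_spn(url, realm):
    """SPN a SPNEGO client requests for this URL (assumes no DNS canonicalization)."""
    host = urlsplit(url).hostname  # urlsplit lowercases the host and drops the port
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return f"HTTP/{host}@{realm}"


def nodes_rejecting(url, realm, configs):
    """Return {node: SPNs found} for every node whose config lacks the client's SPN."""
    wanted = client_spn(url, realm)
    rejecting = {}
    for node, text in configs.items():
        found = sorted(set(SPN_RE.findall(text)))
        if wanted not in found:
            rejecting[node] = found
    return rejecting


# Constructed sample data: reg1 was restarted and is back on its per-host SPN,
# reg2 still carries the manually configured shared SPN.
SAMPLE_CONFIGS = {
    "reg1": 'kerberos.principal: "HTTP/reg1.example.internal@EXAMPLE.COM"\n',
    "reg2": 'kerberos.principal: "HTTP/registry-elb.example.internal@EXAMPLE.COM"\n',
}
ELB_URL = "https://Registry-ELB.example.internal:8443/"  # placeholder ELB name

if __name__ == "__main__":
    print("client requests:", client_spn(ELB_URL, "EXAMPLE.COM"))
    for node, spns in nodes_rejecting(ELB_URL, "EXAMPLE.COM", SAMPLE_CONFIGS).items():
        print(f"{node}: SPN mismatch, configured {spns}")
```
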
