
Two HDF schema registries behind AWS ELB and Kerberos Authentication (SPNEGO) enabled




I have HDF in AWS with an ELB in front of two schema registries. The ELB has a static hostname via Route53. During the installation process, when Kerberos is enabled, the Kerberos SPN is automatically generated into the registry.yaml file using the pattern HTTP/hostname@REALM:

Lines from /var/lib/ambari-server/resources/mpacks/hdf-ambari-mpack-3.3.1.0-10/common-services/REGISTRY/0.3.0/package/scripts/params.py:


if security_enabled:
    # Principal is derived from this node's own hostname, so each registry
    # node ends up with a different HTTP/<hostname>@REALM SPN
    _hostname_lowercase = config['agentLevelParams']['hostname'].lower()
    registry_ui_keytab_path = config['configurations']['registry-env']['registry_ui_keytab']
    _registry_ui_jaas_principal_name = config['configurations']['registry-env']['registry_ui_principal_name']


Because of this, when I request resources via the ELB, the Kerberos SPNs in the different registry services do not match the service ticket I get from the KDC. For example, my ELB DNS name is registry.example.com and the registries' DNS names are registry1.example.com and registry2.example.com; when I request a resource from registry.example.com, the service principal I am going to send via the ELB will be HTTP/registry.example.com@EXAMPLE.COM, but it does not match HTTP/registry1.example.com@EXAMPLE.COM and/or HTTP/registry2.example.com.

One solution is to set up one common Kerberos SPN, HTTP/registry.example.com@EXAMPLE.COM, in both registries. I tried it out and it worked, but it is manual work, and after restarting the registry service via Ambari it regenerates the registry.yaml file and the old SPNs are back.


So do I not have any possibility to interact here?


Br,

Margus Roo
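The mismatch described in the post can be checked mechanically. The following is an added example, not code from the post or from HDF/Ambari: it derives the SPN a SPNEGO client will request for a URL (the HTTP/hostname@REALM pattern the mpack uses), compares it with the principal each registry node has configured, and shows the common-principal configuration that makes both nodes accept the ticket. The hostnames, realm and per-node principals are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample: the principal each registry node has in its registry.yaml,
# generated by the mpack from that node's own hostname (as the post describes).
NODE_PRINCIPALS = {
    "registry1.example.com": "HTTP/registry1.example.com@EXAMPLE.COM",
    "registry2.example.com": "HTTP/registry2.example.com@EXAMPLE.COM",
}
REALM = "EXAMPLE.COM"  # constructed sample realm


def client_spn(url: str, realm: str) -> str:
    """SPN a SPNEGO client requests for a URL: HTTP/<lowercased host>@REALM.
    The port and any trailing dot are dropped, mirroring the mpack's pattern."""
    host = urlsplit(url).hostname  # lowercased, port already stripped
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return f"HTTP/{host.rstrip('.')}@{realm}"


def mismatched_nodes(url: str, realm: str, node_principals: dict) -> list:
    """Nodes whose configured principal differs from the SPN in the service
    ticket a client obtains for `url`; these nodes cannot accept the ticket."""
    spn = client_spn(url, realm)
    return sorted(h for h, p in node_principals.items() if p != spn)


def common_principal_config(url: str, realm: str, node_principals: dict) -> dict:
    """The fix tried in the post: every node behind the balancer gets the
    balancer's SPN as its registry principal."""
    spn = client_spn(url, realm)
    return {h: spn for h in node_principals}


if __name__ == "__main__":
    elb = "https://registry.example.com:9090/api/v1/schemaregistry"
    print("client requests:", client_spn(elb, REALM))
    print("nodes rejecting:", mismatched_nodes(elb, REALM, NODE_PRINCIPALS))
    print("fixed config   :", common_principal_config(elb, REALM, NODE_PRINCIPALS))
```

Note that the common SPN must also exist in the KDC and in the keytab each node reads; the script only checks the configuration side of the mismatch.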