Unable to access NameNode UI. Getting "HTTP Status 401 - Authentication required" error

Rising Star

Hi,

We are running a self-signed certificate Ambari cluster (with HTTPS) and we also enabled the cluster with FreeIPA+Kerberos.

Ambari URL: https://xxxx.xxxx.nm1:8443 (it's not .com)
HDP: 3.0.1 (Latest)

After successfully integrating FreeIPA+Kerberos with the Ambari cluster, we are unable to access a few important GUIs such as the NameNode UI, Resource Manager UI and Oozie UI. The error we are getting is below:

HTTP ERROR 401
Problem accessing /index.html. 
Reason:Authentication required

I've tried all possible scenarios to debug this error, like running the following commands in my Mac terminal, but it's of no use.

defaults write com.google.Chrome AuthServerWhitelist "*.REALM_NAME.COM"
defaults write com.google.Chrome AuthNegotiateDelegateWhitelist  "*.REALM_NAME.COM"

I ran the same commands as above in the Google Chrome console (Option+Command+J on Mac) and got this error:

Uncaught SyntaxError: Unexpected identifier

The following Keytabs are present in /etc/security/keytabs :

  • kerberos.service_check.113018.keytab
  • ambari.server.keytab
  • spnego.service.keytab
  • yarn-ats.hbase-regionserver.service.keytab
  • yarn-ats.hbase-master.service.keytab
  • smokeuser.headless.keytab
  • oozie.service.keytab
  • nn.service.keytab
  • hive.service.keytab
  • ams-monitor.keytab
  • nm.service.keytab
  • hive.llap.task.keytab
  • hbase.headless.keytab
  • spark.service.keytab
  • spark.headless.keytab
  • rm.service.keytab
  • hdfs.headless.keytab
  • ambari-infra-solr.service.keytab
  • zk.service.keytab
  • yarn.service.keytab
  • yarn-ats.hbase-client.headless.keytab
  • dn.service.keytab

There is a valid ticket for the HDFS user as well, but we are still unable to access the UI:

hdfs@xxxxxxx:/etc/security/keytabs$ klist
Ticket cache: FILE:/tmp/krb5cc_1213
Default principal: nn/xxxxxx.xxxxxx.nm1@REALM.COM

Valid starting	      Expires		   Service principal
11/30/18 16:13:31     12/01/18 16:13:31	   krbtgt/REALM.COM@REALM.COM
	  renew until 12/07/18 16:13:31

I also tried using "spnego.service.keytab", but still no use:

root@xxxxxxx102:/etc/security/keytabs# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/xxxxxx102.xxxxx.nm1@REALM.COM
Valid starting	     Expires		 Service principal
11/30/18 17:23:38    12/01/18 17:23:38   krbtgt/REALM.COM@REALM.COM
	renew until 12/07/18 17:23:38

Kindly provide your technical suggestions. It would be very helpful and highly appreciated.

Should I disable the Kerberos HTTP authentication? If yes, please guide me on the same for the NN, RM and Oozie URLs.

Thanks,

Shesh Kumar

3 REPLIES

Expert Contributor

Hi @Shesh Kumar,

After running:

  1. defaults write com.google.Chrome AuthServerWhitelist "*.REALM_NAME.COM"
  2. defaults write com.google.Chrome AuthNegotiateDelegateWhitelist "*.REALM_NAME.COM"

did you then go to chrome://policy/ and reload?

Also, you can try with Firefox:

  1. Open Firefox and enter about:config in the address bar. Dismiss any warnings that appear.
  2. In the Filter field, enter negotiate.
  3. Double-click the network.negotiate-auth.trusted-uris preference.

    This preference lists the trusted sites for Kerberos authentication.

  4. In the dialog box, enter the domain, such as example.com.
  5. Click the OK button.

    The domain that you just entered in network.negotiate-auth.trusted-uris should now appear in the Value column. The setting takes effect immediately; you do not have to restart Firefox.

Hope this helps you.

Regards,

AQ
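
An added example, not part of any post in this thread: an offline check of the two conditions the browser steps above depend on, namely whether the 401 carries a `WWW-Authenticate: Negotiate` challenge and whether the UI's hostname matches the AuthServerWhitelist pattern. The URL, patterns and headers are constructed placeholders, and the wildcard matching is an assumed approximation of how Chrome compares the pattern with the server's hostname.

```shell
#!/bin/sh
# Added example. URL, patterns and headers are constructed placeholders.

# Host part of scheme://host[:port]/path
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##'
}

# 0 if host $1 matches any comma-separated wildcard pattern in $2
# (assumption: approximates Chrome's AuthServerWhitelist matching).
host_allowed() {
    h=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    old_ifs=$IFS; IFS=,; set -f
    for pat in $2; do
        pat=$(printf '%s' "$pat" | tr 'A-Z' 'a-z')
        case $h in
            $pat) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# $1 = response headers, $2 = request headers
classify_401() {
    if ! printf '%s\n' "$1" | grep -qi '^WWW-Authenticate:[[:space:]]*Negotiate'; then
        echo "not-spnego"          # server is not asking for Kerberos
    elif printf '%s\n' "$2" | grep -qi '^Authorization:[[:space:]]*Negotiate '; then
        echo "token-rejected"      # browser answered; look at the server side
    else
        echo "no-token-sent"       # browser never attempted SPNEGO
    fi
}

# $1 = URL, $2 = allowlist, $3 = response headers, $4 = request headers
diagnose() {
    state=$(classify_401 "$3" "$4")
    if [ "$state" = "no-token-sent" ] && ! host_allowed "$(url_host "$1")" "$2"; then
        echo "host-not-in-allowlist"
    else
        echo "$state"
    fi
}

# Constructed sample: 401 challenge and a request without a Negotiate token.
RESP='HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate'
REQ='GET /index.html HTTP/1.1
Host: nn01.cluster.example:50470'
diagnose 'https://nn01.cluster.example:50470/index.html' '*.EXAMPLE.COM' "$RESP" "$REQ"
```

The request and response headers can be copied from the browser's developer tools network tab for the failing page and passed to `diagnose` in place of the constructed samples.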

Rising Star

Hi @aquilodran,

I did try the steps which you recommended. But unfortunately it did not work. To make it work, I edited a few properties in the HDFS service:

allow anonymous = true

http auth = simple (previous val was 'kerberos')

Thank you!

Cloudera Employee

Hi,

Did you try disabling SPNEGO authentication in Configuration properties and try restarting the service?

Thanks

AKR