Support Questions

Find answers, ask questions, and share your expertise

Unable to access STORM WEB UI in keberized cluster

Contributor

Hi,

While accessing Storm web UI in kerberized cluster from my local windows machine using Chrome browser, I do see below error:

org.apache.hadoop.security.authentication.client.AuthenticationException: GSSException: Defective token detected (Mechanism level: GSSHeader did not find the right tag)

I did follow below weblink but I am still facing an issue:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/_configuring_http_authe...

Question:

Should my desktop/windows machine through which I am browsing the Storm UI should be kerberized?

If it is mandatory, how can I make my windows machine as kerberos client?

7 REPLIES 7

Super Mentor

@Sriram

You will need to make sure that your browser has the following settings: (Please change the Hostname to your Storm Host in the following browser parameter.)

In Firefox:

network.negotiate-auth.delegation-uris=sandbox.hortonworks.com,.hortonworks.com
network.negotiate-auth.trusted-uris=sandbox.hortonworks.com,.hortonworks.com

- After configuring the browser you will need to do "kinit" on your Windows Machine to get a valid Storm service kerberos ticket. So please copy the storm keytab to your windows machine and then do kinit.

Then reopen the browser and access the Storm UI again.

For more information please refer to: https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_security/content/secure-storm-ui.html

Contributor

Thanks Jay

Do I need to make my windows machine as Kerberos Client and I am using Chrome browser and the instructions for Chrome browser is not clear.

Super Mentor

@Sriram

Yes, Kerberos clients need to be installed to your windows machine so that it can do "kinit" using the storm Keytab.

So you will need to manually install kerberos client to your Windows Machine and then SCP (WinSCP) the Storm keytab from the Cluster to your windows machine. Then do a kinit,.

Contributor

Thanks Jay.... I will work on Kerberising my windows machine and this is something I did not do!

Super Mentor
@Sriram

Some additional information on Windows Kerberos client installation you can get from:

https://community.hortonworks.com/content/kbentry/28537/user-authentication-from-windows-workstation...

Contributor

@Jay Kumar SenSharma ...I cannot make my windows machine as Kerberos client. Can I still access the Storm UI?

I am ready to make any sort of configuration changes

@Sriram

if you cannot install the kerberos client in your windows machine, I'd suggest you to use the Storm view in Ambari (https://docs.hortonworks.com/HDPDocuments/Ambari-2.6.1.5/bk_ambari-views/content/configuring_storm_view.html) so that you can view the storm UI data within Ambari.

Please note that this view has been marked as deprecated as mentinoed in the document.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.