Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Unauthorized connection for super-user: root from IP 192.168.70.104 How to resolve???

avatar
Explorer

1. I am using HDP 2.6 and ambari 2.5. on a 5 node cluster. The cluster was setup with vagrant following these instructions

https://cwiki.apache.org/confluence/display/AMBARI/Quick+Start+for+New+VM+Users . The base box is Centos 7.0

2. I am trying to use File View and I cannot upload a file. I get:

Unauthorized connection for super-user: root from IP 192.168.70.104

3. In Ambari Web. I logged in admin/admin. I have followed the instructions

https://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/_configuring_... and created a proxy for admin, I changed the settings to 777. I also added admin as a user of this File View instance.

4. I have the sandbox setup and I can upload files on the sandbox.

5. If I vagrant ssh c7001.ambari.apache.org (node with ambari-server running) I can put a file into the hdfs and it shows up in the file view under /user/admin (The default directory that I set up see (3). )

However, I cannot upload anything from my local filesystem with File View.

1 ACCEPTED SOLUTION

avatar
Master Mentor

@John Cleveland

Looks like you have not added the mentioned IP Address properly inside the property: hadoop.proxyuser.root.hosts

If ambari-server daemon is running as root, you set up a proxy user for root in core-site by adding and changing properties in HDFS > Configs > Custom core-site:
hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
OR
hadoop.proxyuser.root.hosts=192.168.70.104

Here You can also define a comma separate IP Address list so that File View access will be allowed from the mentioned address to avoid this error:

Unauthorized connection for super-user: root from IP 192.168.70.104

.

View solution in original post

4 REPLIES 4

avatar
Master Mentor

@John Cleveland

Looks like you have not added the mentioned IP Address properly inside the property: hadoop.proxyuser.root.hosts

If ambari-server daemon is running as root, you set up a proxy user for root in core-site by adding and changing properties in HDFS > Configs > Custom core-site:
hadoop.proxyuser.root.groups=*
hadoop.proxyuser.root.hosts=*
OR
hadoop.proxyuser.root.hosts=192.168.70.104

Here You can also define a comma separate IP Address list so that File View access will be allowed from the mentioned address to avoid this error:

Unauthorized connection for super-user: root from IP 192.168.70.104

.

avatar
Explorer

My proxy users for both root and admin are *.

1. What does the * mean?

2. I have noticed that I get 192.168.70.104/5 in the error message ... these are my data nodes. So I will change the * to a comma separated list of the datanodes (for the proxy hosts) and see what happens

thanks

avatar
Master Mentor

@John Cleveland

Good to know that your issue is resolved.

Few details:

hadoop.proxyuser.<USER>.hosts

From File View perspective: Here we need to replace the <USER> with the username who is actually running the Ambari Server (Or Standalone Ambari FileView Server) . So if you are running ambari server as "root" user then you will need to set the property for "root" user as "hadoop.proxyuser.root.groups". The Value of this property can be a comma separated list of addresses where you are running the ambari server (OR Standalone View Ambari Server for hosting the View) . Because View Server will actually send requests to Hadoop. So hadoop need to allow access from the host where the FileView is running. Setting * means you can use the FileView (Standalone Ambari View Server) which is installed to any host. (In a kerberized environment we need to replace the <USER> with the ambari server kerberos principal name).

From Generic Hadoop Perspective: In general, By Using proxy user using properties "hadoop.proxyuser.$superuser.hosts" along with either or both of "hadoop.proxyuser.$superuser.groups" and "hadoop.proxyuser.$superuser.users".

By specifying as below in core-site.xml, the superuser named super can connect only from host1 and host2 to impersonate a user belonging to group1 and group2.

Following document explains it with examples: https://hadoop.apache.org/docs/r2.7.3/hadoop-project-dist/hadoop-common/Superusers.html

avatar
Explorer

For some reason

hadoop.proxyuser.root.hosts=c7001.ambari.apache.org??? I changed it to * and I can now upload files.