Views not accessible in a kerberized cluster
Labels: Apache Ambari, Apache Hadoop
Created ‎05-18-2016 08:13 AM
I have successfully kerberized a cluster running with Ambari 2.2.1.0 and HDP 2.3.2.
All services are running without alerts.
I have successfully kerberized ambari-server according to the instructions, creating an ambari-server@REALM Kerberos user.
In the File Explorer view settings,
auth=KERBEROS;proxyuser=ambari-server
is entered.
In the custom core-site settings, the following proxyuser-settings are present (everything set to "*"):
hadoop.proxyuser.HTTP.groups
hadoop.proxyuser.HTTP.hosts
hadoop.proxyuser.ambari-server.groups
hadoop.proxyuser.ambari-server.hosts
hadoop.proxyuser.falcon.groups
hadoop.proxyuser.falcon.hosts
hadoop.proxyuser.hbase.groups
hadoop.proxyuser.hbase.hosts
hadoop.proxyuser.hcat.groups
hadoop.proxyuser.hcat.hosts
hadoop.proxyuser.hdfs.groups
hadoop.proxyuser.hdfs.hosts
hadoop.proxyuser.hive.groups
hadoop.proxyuser.hive.hosts
hadoop.proxyuser.hue.groups
hadoop.proxyuser.hue.hosts
hadoop.proxyuser.knox.groups
hadoop.proxyuser.knox.hosts
hadoop.proxyuser.oozie.groups
hadoop.proxyuser.oozie.hosts
hadoop.proxyuser.root.groups
hadoop.proxyuser.root.hosts
hadoop.proxyuser.yarn.groups
hadoop.proxyuser.yarn.hosts
However, neither the File Explorer view nor WebHDFS on URL http://<namenode>:50070/explorer.html#/ is accessible.
The File View in Ambari shows the following error:
500 Usernames not matched: name=root != expected=ambari-server
Which setting is missing?
Created ‎05-19-2016 08:18 AM
Basically, the problem was that I secured ambari-server with a kerberos-key ambari-server@REALM. As ambari-server runs as root, I had to create root@REALM and re-secure ambari-server with it. Now it works! Thanks!
In the documentation, it should be explicitly explained that the kerberos-key needs to have the same name as the linux-user running ambari-server.
Created ‎05-18-2016 09:53 PM
What user is your Ambari view server running as? It looks like "ambari-server" in your configs, is that correct? If so, then you need to add the following parameters to the custom core-site.xml in HDFS configs:
hadoop.proxyuser.ambari-server.groups=*
hadoop.proxyuser.ambari-server.hosts=*
This assumes that you have run ambari-server setup and changed the user that the server runs as to "ambari-server". If you haven't done that, then Ambari is still running as the root user and your proxy user settings will not work.
If your Ambari view server runs as root, then you need to change your settings to:
auth=KERBEROS;proxyuser=root
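An added example, not part of any post in this thread and not Ambari or Hadoop code: a small Python audit of the three things the thread ties together, namely the OS user running ambari-server, the Kerberos principal it was secured with, and the view's proxyuser with its hadoop.proxyuser.* entries. The core-site fragment is constructed, the function names are hypothetical, and short_name assumes the default principal-to-user mapping.

```python
import xml.etree.ElementTree as ET

# Constructed core-site fragment mirroring the thread's wildcard settings.
CORE_SITE = """<configuration>
<property><name>hadoop.proxyuser.root.hosts</name><value>*</value></property>
<property><name>hadoop.proxyuser.root.groups</name><value>*</value></property>
<property><name>hadoop.proxyuser.ambari-server.hosts</name><value>*</value></property>
<property><name>hadoop.proxyuser.ambari-server.groups</name><value>*</value></property>
</configuration>"""

def short_name(principal):
    # Assumption: default mapping, i.e. drop the realm and any /instance part.
    return principal.split("@", 1)[0].split("/", 1)[0]

def parse_view_setting(setting):
    # 'auth=KERBEROS;proxyuser=root' -> {'auth': 'KERBEROS', 'proxyuser': 'root'}
    return dict(p.strip().split("=", 1) for p in setting.split(";") if "=" in p)

def proxyuser_props(core_site_xml):
    # Collect only the hadoop.proxyuser.* properties from a core-site document.
    props = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith("hadoop.proxyuser."):
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit(os_user, principal, view_setting, core_site_xml):
    """Return (errors, warnings) for one view's impersonation settings."""
    errors, warnings = [], []
    proxy = parse_view_setting(view_setting).get("proxyuser", "")
    props = proxyuser_props(core_site_xml)
    if short_name(principal) != os_user:
        errors.append(f"principal {principal} != OS user {os_user}")
    if proxy != os_user:
        errors.append(f"view proxyuser={proxy} != OS user {os_user}")
    for suffix in ("hosts", "groups"):
        key = f"hadoop.proxyuser.{proxy}.{suffix}"
        if key not in props:
            errors.append(f"{key} missing from core-site")
        elif props[key] == "*":
            warnings.append(f"{key}=* places no {suffix} restriction on {proxy}")
    return errors, warnings

if __name__ == "__main__":
    for label, princ, setting in [
        ("original", "ambari-server@REALM", "auth=KERBEROS;proxyuser=ambari-server"),
        ("fixed", "root@REALM", "auth=KERBEROS;proxyuser=root"),
    ]:
        print(label, audit("root", princ, setting, CORE_SITE))
```

The warnings remain after the fix: with `*` for both hosts and groups, the proxy user can impersonate members of any group from any host, so listing the Ambari host and the intended groups is the narrower setting.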
Created ‎05-18-2016 10:16 PM
yes, perfect
auth=KERBEROS;proxyuser=root
Created ‎11-10-2017 05:28 PM
Hi.
Where did you change this config?
Thanks
Created ‎11-10-2017 05:07 PM
Hi.
Does root@REALM need to be created in AD, or elsewhere?
I would appreciate slightly more detailed instructions.
Thanks very much :-).
