Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Views not accessible in a kerberized cluster

Solved Go to solution

Views not accessible in a kerberized cluster

I have successfully kerberized a cluster running with Ambari 2.2.1.0 and HDP 2.3.2.

All services are running without alerts.

I have successfully kerberized ambari-server according to the instructions creating an ambari-server@REALM kerberos user.

In the File Explorer view settings,

auth=KERBEROS;proxyuser=ambari-server

is entered.

In the custom core-site settings, the following proxyuser-settings are present (everything set to "*"):

hadoop.proxyuser.HTTP.groups
hadoop.proxyuser.HTTP.hosts
hadoop.proxyuser.ambari-server.groups
hadoop.proxyuser.ambari-server.hosts
hadoop.proxyuser.falcon.groups
hadoop.proxyuser.falcon.hosts
hadoop.proxyuser.hbase.groups
hadoop.proxyuser.hbase.hosts
hadoop.proxyuser.hcat.groups
hadoop.proxyuser.hcat.hosts
hadoop.proxyuser.hdfs.groups
hadoop.proxyuser.hdfs.hosts
hadoop.proxyuser.hive.groups
hadoop.proxyuser.hive.hosts
hadoop.proxyuser.hue.groups
hadoop.proxyuser.hue.hosts
hadoop.proxyuser.knox.groups
hadoop.proxyuser.knox.hosts
hadoop.proxyuser.oozie.groups
hadoop.proxyuser.oozie.hosts
hadoop.proxyuser.root.groups
hadoop.proxyuser.root.hosts
hadoop.proxyuser.yarn.groups
hadoop.proxyuser.yarn.hosts

However, neither the File Explorer view nor WebHDFS on URL http://<namenode>:50070/explorer.html#/ are accessible.

The File View in Ambari shows the following error:

500 Usernames not matched: name=root != expected=ambari-server

Which setting is missing?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Views not accessible in a kerberized cluster

@emaxwell

Basically, the problem was that I secured ambari-server with a kerberos-key ambari-server@REAM. As ambari-server runs from root, I had to create root@REALM and re-secure ambari-server with it, now it works! Thanks!

In the documentation, it should explicitly explained that the kerberos-key need to have the same name of the linux-user running ambari-server.

View solution in original post

5 REPLIES 5
Highlighted

Re: Views not accessible in a kerberized cluster

@Nicola Marangoni

What user is your Ambari view server running as? It looks like "ambari-server" in your configs, is that correct? If so, then you need to add the following parameters to the custom core-site.xml in HDFS configs:

hadoop.proxyuser.ambari-server.groups=*
hadoop.proxyuser.ambari-server.hosts=*

This assumes that you have run ambari-server setup and changed the user that the server runs as to "ambari-server". If you haven't done that, then Ambari is still running as the root user and your proxy user settings will not work.

If your Ambari view server runs as root, then you need to change your settings to:

auth=KERBEROS;proxyuser=roo
Highlighted

Re: Views not accessible in a kerberized cluster

yes, perfect

auth=KERBEROS;proxyuser=root

Highlighted

Re: Views not accessible in a kerberized cluster

Contributor

Hi.

where did you changed this config?

thanks

Highlighted

Re: Views not accessible in a kerberized cluster

@emaxwell

Basically, the problem was that I secured ambari-server with a kerberos-key ambari-server@REAM. As ambari-server runs from root, I had to create root@REALM and re-secure ambari-server with it, now it works! Thanks!

In the documentation, it should explicitly explained that the kerberos-key need to have the same name of the linux-user running ambari-server.

View solution in original post

Highlighted

Re: Views not accessible in a kerberized cluster

Contributor

Hi.
the root@REALM needs to be created in AD? or elseware
apreciate to have ea little more detailed instructions.
thanks very much :-).

Don't have an account?
Coming from Hortonworks? Activate your account here