Support Questions

Find answers, ask questions, and share your expertise

Views not accessible in a kerberized cluster

avatar

I have successfully kerberized a cluster running with Ambari 2.2.1.0 and HDP 2.3.2.

All services are running without alerts.

I have successfully kerberized ambari-server according to the instructions creating an ambari-server@REALM kerberos user.

In the File Explorer view settings,

auth=KERBEROS;proxyuser=ambari-server

is entered.

In the custom core-site settings, the following proxyuser-settings are present (everything set to "*"):

hadoop.proxyuser.HTTP.groups
hadoop.proxyuser.HTTP.hosts
hadoop.proxyuser.ambari-server.groups
hadoop.proxyuser.ambari-server.hosts
hadoop.proxyuser.falcon.groups
hadoop.proxyuser.falcon.hosts
hadoop.proxyuser.hbase.groups
hadoop.proxyuser.hbase.hosts
hadoop.proxyuser.hcat.groups
hadoop.proxyuser.hcat.hosts
hadoop.proxyuser.hdfs.groups
hadoop.proxyuser.hdfs.hosts
hadoop.proxyuser.hive.groups
hadoop.proxyuser.hive.hosts
hadoop.proxyuser.hue.groups
hadoop.proxyuser.hue.hosts
hadoop.proxyuser.knox.groups
hadoop.proxyuser.knox.hosts
hadoop.proxyuser.oozie.groups
hadoop.proxyuser.oozie.hosts
hadoop.proxyuser.root.groups
hadoop.proxyuser.root.hosts
hadoop.proxyuser.yarn.groups
hadoop.proxyuser.yarn.hosts

However, neither the File Explorer view nor WebHDFS on URL http://<namenode>:50070/explorer.html#/ are accessible.

The File View in Ambari shows the following error:

500 Usernames not matched: name=root != expected=ambari-server

Which setting is missing?

1 ACCEPTED SOLUTION

avatar

@emaxwell

Basically, the problem was that I secured ambari-server with a kerberos-key ambari-server@REAM. As ambari-server runs from root, I had to create root@REALM and re-secure ambari-server with it, now it works! Thanks!

In the documentation, it should explicitly explained that the kerberos-key need to have the same name of the linux-user running ambari-server.

View solution in original post

5 REPLIES 5

avatar

@Nicola Marangoni

What user is your Ambari view server running as? It looks like "ambari-server" in your configs, is that correct? If so, then you need to add the following parameters to the custom core-site.xml in HDFS configs:

hadoop.proxyuser.ambari-server.groups=*
hadoop.proxyuser.ambari-server.hosts=*

This assumes that you have run ambari-server setup and changed the user that the server runs as to "ambari-server". If you haven't done that, then Ambari is still running as the root user and your proxy user settings will not work.

If your Ambari view server runs as root, then you need to change your settings to:

auth=KERBEROS;proxyuser=roo

avatar

yes, perfect

auth=KERBEROS;proxyuser=root

avatar
Rising Star

Hi.

where did you changed this config?

thanks

avatar

@emaxwell

Basically, the problem was that I secured ambari-server with a kerberos-key ambari-server@REAM. As ambari-server runs from root, I had to create root@REALM and re-secure ambari-server with it, now it works! Thanks!

In the documentation, it should explicitly explained that the kerberos-key need to have the same name of the linux-user running ambari-server.

avatar
Rising Star

Hi.
the root@REALM needs to be created in AD? or elseware
apreciate to have ea little more detailed instructions.
thanks very much :-).