Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

kerberos spnego authentication not working for ambari hadoop server rest api url

avatar
author-rank Nitin0858
Explorer

Created ‎08-20-2021 12:19 AM

I have a hadoop server which namenode, datanode , YARN component etc are spnego kerberized and when we hit their url's on web we get as below -

url - http://host:50070/jmx?qry=Hadoop:*
here 50070 is namenode port output :

HTTP ERROR 403

Problem accessing /index.html. Reason:

    GSSException: Defective token detected (Mechanism level: GSSHeader did not

above response on web indicates that url is kerberized.

 

 

I tried to enable spnego kerberos for ambari with using command "ambari-server setup-security" and completed kerberos configuration.

but when hit the url of ambari services rest api then getting proper output -

 

url - http://host:8080/api/v1/clusters/cluster_name/services/HDFS

 

I could see the proper output for above url on web . why both url's output is not same , it should be same if enabled kerberos .

 

please help and thanks in advance!!!

2,323 Views
0 Kudos
4 REPLIES 4

avatar
author-rank Shelton
Master Mentor

Created ‎08-21-2021 03:56 AM

@Nitin0858 

Can you share the 2 contents so we can help with the analysis?

2,288 Views
0 Kudos

avatar
author-rank Nitin0858
Explorer

Created on ‎08-22-2021 11:30 PM - edited ‎08-22-2021 11:37 PM

@Shelton

 

Enabling kerberos we have to set properties as below to HDFS,YARN etc etc .

hadoop.security.authentication    kerberos

hadoop.security.authorization      true

hadoop.http.authentication.simple.anonymous.allowed   false

 

after configuring kerberos properly then when we hit the url of any component of hadoop server on browser then will get  HTTP ERROR 403 .

 

REST api url pattern -

http://host:8080/api/v1/clusters/<cluster_name>/services/<service_name>

 

but when we hit the same service rest api url on browser then we could see the response on browser details are as below -

 

{
"href" : "http://host:8080/api/v1/clusters/cluster_name/services/HDFS",
"ServiceInfo" : {
"cluster_name" : "<cluster_name>",
"maintenance_state" : "OFF",
"service_name" : "HDFS",
"state" : "STARTED"
},
"alerts_summary" : {
"CRITICAL" : 0,
"MAINTENANCE" : 0,
"OK" : 26,
"UNKNOWN" : 1,
"WARNING" : 0
},
"alerts" : [

..........................

 

 

 

but response should not  be display on browser if url is kerberized and we should get http error 403 .

 

 

so here we want to kerberize rest api url .

please help for same.

2,262 Views
0 Kudos

avatar
author-rank Shelton
Master Mentor

Created ‎08-24-2021 02:44 PM

@Nitin0858 
Did you enable your Ambari manually  because those parameters you are referring to are set automatically when enabling through Ambari else if you did it manually as I suspect you need to perform the steps mentioned  Set Up Kerberos for Ambari Server

 

Please revert 

2,206 Views
0 Kudos

avatar
author-rank Nitin0858
Explorer

Created on ‎08-24-2021 09:44 PM - edited ‎08-24-2021 09:49 PM

@Shelton

 

I have already executed steps that you have provided in the link but still ambari services rest api url is not kerberized .

 

is there any other configuration required ? or

ambari services rest api url do not support kerberos authentication ?

2,194 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements