Support Questions
Find answers, ask questions, and share your expertise

kerberos spnego authentication not working for ambari hadoop server rest api url

Explorer

I have a hadoop server which namenode, datanode , YARN component etc are spnego kerberized and when we hit their url's on web we get as below -

url - http://host:50070/jmx?qry=Hadoop:*
here 50070 is namenode port output :

HTTP ERROR 403

Problem accessing /index.html. Reason:

    GSSException: Defective token detected (Mechanism level: GSSHeader did not 

above response on web indicates that url is kerberized.

 

 

I tried to enable spnego kerberos for ambari with using command "ambari-server setup-security" and completed kerberos configuration.

but when hit the url of ambari services rest api then getting proper output -

 

url - http://host:8080/api/v1/clusters/cluster_name/services/HDFS

 

I could see the proper output for above url on web . why both url's output is not same , it should be same if enabled kerberos .

 

please help and thanks in advance!!!

4 REPLIES 4

Mentor

@Nitin0858 

Can you share the 2 contents so we can help with the analysis?

Explorer

@Shelton

 

Enabling kerberos we have to set properties as below to HDFS,YARN etc etc .

hadoop.security.authentication    kerberos

hadoop.security.authorization      true

hadoop.http.authentication.simple.anonymous.allowed   false

 

after configuring kerberos properly then when we hit the url of any component of hadoop server on browser then will get  HTTP ERROR 403 .

 

REST api url pattern -

http://host:8080/api/v1/clusters/<cluster_name>/services/<service_name>

 

but when we hit the same service rest api url on browser then we could see the response on browser details are as below -

 

{
"href" : "http://host:8080/api/v1/clusters/cluster_name/services/HDFS",
"ServiceInfo" : {
"cluster_name" : "<cluster_name>",
"maintenance_state" : "OFF",
"service_name" : "HDFS",
"state" : "STARTED"
},
"alerts_summary" : {
"CRITICAL" : 0,
"MAINTENANCE" : 0,
"OK" : 26,
"UNKNOWN" : 1,
"WARNING" : 0
},
"alerts" : [

..........................

 

 

 

but response should not  be display on browser if url is kerberized and we should get http error 403 .

 

 

so here we want to kerberize rest api url .

please help for same.

Mentor

@Nitin0858 
Did you enable your Ambari manually  because those parameters you are referring to are set automatically when enabling through Ambari else if you did it manually as I suspect you need to perform the steps mentioned  Set Up Kerberos for Ambari Server

 

Please revert 

Explorer

@Shelton

 

I have already executed steps that you have provided in the link but still ambari services rest api url is not kerberized .

 

is there any other configuration required ? or

ambari services rest api url do not support kerberos authentication ?