Impossible to open UI's on Kerberized Cluster HDP 3.1

Hello all!


This is my first question here! I am trying to set up a secure cluster using Kerberos. I have already installed my own Kerberos server, and it works like a charm on the console.

The problem comes when I try to access the Hadoop components' UIs (HDFS, Hive, etc.). I know I need to configure my browsers, and that is where the problem is.

I have downloaded the MIT Kerberos ticket system for Windows 10, installed it, and configured the krb5.ini file. It is generating the Kerberos ticket perfectly (I can see visually that it generated it).

I followed the instructions for configuring browsers to access a Kerberized cluster (link), and also external sources like this one (this last one made me realize I need to write down the KDC address, but I have actually included all of them), or this.


Firefox

network.negotiate-auth.delegation-uris = http://192.168.0.30, http://192.168.0.50, http://192.168.0.81, http://192.168.0.101, http://192.168.0.102, 192.168.0.30, 192.168.0.81, 192.168.0.101, 192.168.0.102, 192.168.0.50
network.negotiate-auth.trusted-uris = http://192.168.0.30, http://192.168.0.81, http://192.168.0.101, http://192.168.0.102, 192.168.0.30, 192.168.0.81, 192.168.0.101, 192.168.0.102
network.auth.use-sspi = false


IE

I have done the thing of putting in Internet Options -> Security -> Trusted Zones -> Add IP,

Local Intranet zone -> Automatic Logon only in Local Intranet


Chrome

Same same...

google-chrome --auth-server-whitelist = "admin/admin"

or

google-chrome --auth-server-whitelist = "192.168.0.81"


Other observations:

If I use the command line to run kinit, it shows zero tickets, even though in the MIT Kerberos app it has.


Browser answers:

java.lang.IllegalArgumentException: Malformed gss token

Many others like:

Authentification failure. 


I am out of ideas. I really trust that there is no security without Kerberos, and the next step will be to add Apache Knox, but that is for the future. Can someone please point me to anything? I have used all the Google/Bing links about these problems. I know this is probably related to the browsers, but I cannot rule anything out.


Note:

Yes, in the Ubuntu 16.04 console I am able to connect to beeline, HDFS, ...; everything is managed perfectly by Ranger (awesome!)

I am documenting this whole process, so I am happy to write a guide in the future for the community as a giveback.


--------------------------------------------------------------------------------------------------------------------------------------------------------------


Cluster info:

HDP 3.1

Kerberos: 5

Accessing Machine: Windows 10, or Mac OSx

Browsers: Any, IE, Chrome, Firefox.

OS: Ubuntu 16.04


IP Address:

kerberos server: 192.168.0.30

ambari server: 192.168.0.50

hdp-master-001: 192.168.0.81

hdp-worker-001: 192.168.0.101

hdp-worker-002: 192.168.0.102


krb5.ini

[libdefaults]
  default_realm = CLUSTER001
[realms]
  EXAMPLE.COM = {
    admin_server = 192.168.0.30
    kdc = 192.168.0.30
  }
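
A consistency check for the krb5.ini quoted in the post, as an added example that is not part of the original post: it parses the file and reports when default_realm names a realm that has no [realms] entry, which leaves the client to locate that realm's KDC through DNS. The function names parse_krb5 and lint_krb5 are illustrative, and the parser only covers the subset of the format used here.

```python
import re

# The krb5.ini quoted in the post, one setting per line.
POSTED_KRB5_INI = """\
[libdefaults]
  default_realm = CLUSTER001
[realms]
  EXAMPLE.COM = {
    admin_server = 192.168.0.30
    kdc = 192.168.0.30
  }
"""

def parse_krb5(text):
    """Minimal parser: [section] headers, key = value, one level of { } blocks."""
    libdefaults, realms, section, current = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, current = header.group(1), None
        elif line == "}":
            current = None
        elif "=" in line:
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and value == "{":
                current = realms.setdefault(key, {})
            elif section == "realms" and current is not None:
                current.setdefault(key, []).append(value)
    return libdefaults, realms

def lint_krb5(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    libdefaults, realms = parse_krb5(text)
    default = libdefaults.get("default_realm")
    findings = []
    if not default:
        findings.append("no default_realm in [libdefaults]")
    elif default not in realms:
        defined = ", ".join(sorted(realms)) or "none"
        findings.append(f"default_realm {default} has no [realms] entry (defined: {defined})")
    findings += [f"realm {name} defines no kdc"
                 for name, cfg in realms.items() if not cfg.get("kdc")]
    return findings

if __name__ == "__main__":
    print("\n".join(lint_krb5(POSTED_KRB5_INI)) or "no findings")
```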

