Member since
04-06-2017
38
Posts
1
Kudos Received
0
Solutions
11-06-2017
05:32 AM
Thanks Jay. Everything is working now. Yes, the Regular Ambari has kerberos enabled. The links in the last message has been helpful. All the settings were correct except Authentication Method was set wrongly as SIMPLE. After changing the setting to Kerberos and adding the principle it started working. Also the keytabs on the standalone host was missing. Added the kebtab and kinit of prinicipal everything is fine. Thank you for prompt help.
... View more
11-06-2017
03:50 AM
I have LDAP & SSL working fine on HDP2.6.0.3 cluster where we have setup a standalone instance of Ambari Views on a edge node for security reasons. Now getting an Authentication error while trying to access the 'file views' using admin user. Log don't show any specific information.
Failed to transition to undefined
Authentication required
Failed to transition to undefined
Server status: 500
Server Message:
Authentication required
Error trace:
org.apache.hadoop.security.AccessControlException: Authentication required
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:460)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:114)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:750)
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:592)
at org.apache.hadoop.hdfs.web.W...
... View more
- Tags:
- ambari-view
- Security
Labels:
- Labels:
-
Apache Ambari
10-31-2017
11:54 AM
Hello Nixon, I am not adding new user. I am trying to change the password for the existing admin user. I change the user-credentials.properties file but no success. Thanks for offering the help.
... View more
10-30-2017
12:12 PM
Hello, I try to change the default Atlas admin UI password using following steps but it does not work. Step 1: Generate the sha256 password string # echo -n "Password" | sha256sum e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a Step 2: Modify the users-credentials.properties file # /etc/atlas//0/users-credentials.properties #username=group::sha256-password admin=ADMIN::e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a <---- replace this string rangertagsync=RANGER_TAG_SYNC ::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d Note: Replace sha256 string which was generated in step one. Step 3: Navigate to Ambari and restart the Atlas service. Step 4: Login with the new password. But it does not work. Any instructions or missing step in the above procedure. Thank you.
... View more
Labels:
- Labels:
-
Apache Atlas
10-23-2017
04:36 AM
Hello Sen, my webhdfs is working with {{webhdfs_service_urls}} and change the default to adminui but still getting 404
... View more
10-23-2017
03:43 AM
Hello Andreas, Looks like I am in a similar situation as yours. Oozie & hive are working but yarn, Ambari & Ranger UI are failing with 404. Did you manage to solve the issue. Can you please guide on the steps. Thank you.
... View more
10-23-2017
03:34 AM
The cluster is kerberozied and ldap configured with Active directory. AD KDC is getting used, not local KDC
... View more
10-23-2017
03:32 AM
Hello Jay, I have tried creating ui.xml and adminui.xml (both names) but I am still getting 404 for ambari UI via knox. curl -vik -u <username> 'https://<ip knox_node>:8442/gateway/default/ui/ambari ( we used port 8442 for HTTPS/ssl) the webhdfs, oozie and hive is working. curl -vik -u <username> 'https://<ip knox node>:8442/gateway/default/oozie' curl -vik -u <username> 'https://<ip knox node>:8442/gateway/default/hive' Any thoughts , what else is required. Thanks
... View more
08-10-2017
12:51 PM
Hello Geoffrey, I agree. The challenge we face last time is that cluster unkerberization via Ambari get stuck and then doing it manually using the link https://stackoverflow.com/questions/29744821/how-to-disable-hadoop-kerberos help a bit but not completely. We now have to re-initialize the whole cluster and this time, using Ambari it gets setup successfully. Looks like it is important to have a pre-kerberozation check list to make sure that the cluster is in proper state before start of this exercise. Thanks for your time and sharing the knowhow. Appreciate it. Best Regards,
... View more
08-10-2017
02:15 AM
Hello Geoffrey, Just wondering if you have similar instructions unkerberoize the cluster in case we fail to successfully setup the keberos. Thanks for the instructions and help.
... View more
08-09-2017
02:15 PM
Hello Team, Just wondering if we have an updated documentation for kerberos setup on HDP 2.6. I am mainly interested in the checks we should be doing before starting kerberos setup using Ambari. The challenge using Ambari for kerberos setup is that if it gets stuck then getting cluster back is a nightmare. Even the 'skip' button on Ambari becomes unavailable many times. The cluster all services green on Ambari may not be complete confirmation that cluster is in the good state to start the kerberos installation. with Manual installation, atleast we know the steps followed and rollback may be a bit easier. Thanks
... View more
06-27-2017
12:20 PM
1 Kudo
Have anyone tried kadmin (connecting to AD KDC) after
kerberising the hadoop cluster using Ambari? I am using the same credentials and it is saying “Required
KADM5 principal missing while initializing kadmin interface”. What is the recommended best way to AD KDC connection? Thanks for help
... View more
Labels:
- Labels:
-
Apache Ambari
-
Apache Hadoop
06-01-2017
01:41 PM
Thanks Graham and Robert. This is helpful.
... View more
06-01-2017
12:10 AM
Hello Team, Do we need to re-do the Kerberos and SSL set up again after the upgrade to HDP 2.5 from HDP 2.3 or HDP 2.4. Thanks
... View more
Labels:
04-20-2017
01:26 AM
In a kerberozed cluster. How to block local user authentication for Ranger and only Accept Active Directory users. Can Ranger locally create users as well?
... View more
- Tags:
- ranger-admin
- Security
Labels:
- Labels:
-
Apache Ranger
04-15-2017
07:18 AM
We have a Kerberozed Hadoop cluster with Ranger. How to configure the Ranger to block local user authentication and only allowed to accept Active Directory (AD) users. Thanks
... View more
Labels:
- Labels:
-
Apache Ranger
04-07-2017
02:24 PM
Dear Stanca, I agree with you on all the points but you know sometimes lack of knowledge makes things difficult. As a culture in Finland & Sweden, some of these senior Non-IT executives wants to see specific written words, especially when competitor has something in writing. Last reply from Jay and your reply are both helpful to do the test which we are proposing now to prove in terms of disabling the SSL and enabling only TLS , followed by using Openssl_Client test. You would also agree that in a competitive situation (cloudera writing 'TLS' and hortonworks Not in their documentation), it is hard to argue why cloudera is saying and Horton not saying. Thanks for the details & help.
... View more
04-07-2017
12:25 PM
Dear Jay, You understood it correctly. Customer is looking a similar documentation from Horton as it is from Apache in your link above. specifically mentioning TLS. The argument is how do we know ensure Hortonworks has implemented what Apache Hadoop is saying. Hortonworks documentation did not provide it in writing / in their documentation. Your openssl_s command test is surely one way and will help. But do you think a page/ document from Horton exist any where stating that all hadoop.ssl.enabled.protocols property in core-site.xml file can use TLS protocol. Thanks for help.
... View more
04-07-2017
10:41 AM
We have a tricky situation where customer is looking for written proof of 'TLS' support for services on HDP2.5 for webUIs. They claim that it is only Kafka which says that but no other service , https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch_wire-kafka.html Is there a documentation , link or written proof where he can specifically see 'TLS' support for HDP services. The argument is cloudera documentation clearly state is everywhere. The issue is - he suspect that Horton still use the old protocols / ciphers and not TLS except Kafka. Any pointers , link or documentation he can refer to
... View more
Labels:
04-07-2017
10:36 AM
We have tricky situation where customer wants a written proof of ssl supporting TLS on services running with HDP2.5. He says that Hortonworks documentation don't say that services use TLS1.1/2 except Kafka as per the link https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch_wire-kafka.html Is there any documentation or written proof / link available which they can refer and see the word 'TLS ' specifically. The argument is that cloudera documentation clearly states it everywhere. Why Hortonworks do not ?
... View more
Labels:
04-05-2017
05:54 AM
Hello, Please help to understand the cryto algorithms used for :
1)
HDFS encryption at rest 2)
SSL/TLS communications 3)
Kerberos We have a HDP 2.5 Thanks, Vishal.
... View more
- Tags:
- Encryption
- Security
Labels:
- Labels:
-
Cloudera Navigator Encrypt
03-30-2017
09:00 AM
Where does it gets stored, in postgres database or .conf file. Thanks
... View more
03-29-2017
02:23 AM
How is PostgreS DB authentication secured?
... View more
Labels:
- Labels:
-
Apache Hadoop
03-29-2017
02:20 AM
which version of HDP supports revocation checking on SSL/TLS
communications? How is this done (CRL or
OCSP)?
... View more
Labels:
- Labels:
-
Hortonworks Data Platform (HDP)
03-29-2017
02:18 AM
How are authentication credentials stored and protected
within the local KDC created during Kerberos implementation? What
encryption algorithm can be used ?
... View more
Labels:
- Labels:
-
Cloudera Navigator Encrypt
03-29-2017
02:14 AM
Is there any mechanism to backup keys, other than
PostgreS Database backup, such as exporting keys in a pass-phrase protected file on a
USB which is then kept in a safe?
... View more
Labels:
- Labels:
-
Apache Ranger
03-29-2017
02:13 AM
Can we set an expiry on EZK and DEK? Can we rollover DEKs
... View more
Labels:
03-29-2017
02:12 AM
Is
pass-phrase something that we can use to generate encryption keys in Ranger
KMS? Where
can we use pass phrase in Ranger KMS and where does it get stored.
... View more
Labels: