Re: Authentication error in file view access via A...

gvishal · ‎11-06-2017

Thanks Jay. Everything is working now. Yes, the Regular Ambari has kerberos enabled. The links in the last message has been helpful. All the settings were correct except Authentication Method was set wrongly as SIMPLE. After changing the setting to Kerberos and adding the principle it started working. Also the keytabs on the standalone host was missing. Added the kebtab and kinit of prinicipal everything is fine. Thank you for prompt help.

gvishal · ‎11-06-2017

I have LDAP & SSL working fine on HDP2.6.0.3 cluster where we have setup a standalone instance of Ambari Views on a edge node for security reasons. Now getting an Authentication error while trying to access the 'file views' using admin user. Log don't show any specific information. Failed to transition to undefined Authentication required Failed to transition to undefined Server status: 500 Server Message: Authentication required Error trace: org.apache.hadoop.security.AccessControlException: Authentication required at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:460) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.access$200(WebHdfsFileSystem.java:114) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.runWithRetry(WebHdfsFileSystem.java:750) at org.apache.hadoop.hdfs.web.WebHdfsFileSystem$AbstractRunner.access$100(WebHdfsFileSystem.java:592) at org.apache.hadoop.hdfs.web.W...

gvishal · ‎10-31-2017

Hello Nixon, I am not adding new user. I am trying to change the password for the existing admin user. I change the user-credentials.properties file but no success. Thanks for offering the help.

gvishal · ‎10-30-2017

Hello, I try to change the default Atlas admin UI password using following steps but it does not work. Step 1: Generate the sha256 password string # echo -n "Password" | sha256sum e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a Step 2: Modify the users-credentials.properties file # /etc/atlas//0/users-credentials.properties #username=group::sha256-password admin=ADMIN::e7cf3ef4f17c3999a94f2c6f612e8a888e5b1026878e4e19398b23bd38ec221a <---- replace this string rangertagsync=RANGER_TAG_SYNC ::e3f67240f5117d1753c940dae9eea772d36ed5fe9bd9c94a300e40413f1afb9d Note: Replace sha256 string which was generated in step one. Step 3: Navigate to Ambari and restart the Atlas service. Step 4: Login with the new password. But it does not work. Any instructions or missing step in the above procedure. Thank you.

gvishal · ‎10-23-2017

Hello Sen, my webhdfs is working with {{webhdfs_service_urls}} and change the default to adminui but still getting 404

gvishal · ‎10-23-2017

Hello Andreas, Looks like I am in a similar situation as yours. Oozie & hive are working but yarn, Ambari & Ranger UI are failing with 404. Did you manage to solve the issue. Can you please guide on the steps. Thank you.

gvishal · ‎10-23-2017

The cluster is kerberozied and ldap configured with Active directory. AD KDC is getting used, not local KDC

gvishal · ‎10-23-2017

Hello Jay, I have tried creating ui.xml and adminui.xml (both names) but I am still getting 404 for ambari UI via knox. curl -vik -u <username> 'https://<ip knox_node>:8442/gateway/default/ui/ambari ( we used port 8442 for HTTPS/ssl) the webhdfs, oozie and hive is working. curl -vik -u <username> 'https://<ip knox node>:8442/gateway/default/oozie' curl -vik -u <username> 'https://<ip knox node>:8442/gateway/default/hive' Any thoughts , what else is required. Thanks

gvishal · ‎09-19-2017

The certs customer provided us don’t have passphrases for the private keys. Ambari setup-security is asking for them and doesn’t seem to consider it optional.Is it possible to get Ambari to play nicely with certificates whose private keys don’t have passphrases?

gvishal · ‎08-10-2017

Hello Geoffrey, I agree. The challenge we face last time is that cluster unkerberization via Ambari get stuck and then doing it manually using the link https://stackoverflow.com/questions/29744821/how-to-disable-hadoop-kerberos help a bit but not completely. We now have to re-initialize the whole cluster and this time, using Ambari it gets setup successfully. Looks like it is important to have a pre-kerberozation check list to make sure that the cluster is in proper state before start of this exercise. Thanks for your time and sharing the knowhow. Appreciate it. Best Regards,

gvishal · ‎08-10-2017

Hello Geoffrey, Just wondering if you have similar instructions unkerberoize the cluster in case we fail to successfully setup the keberos. Thanks for the instructions and help.

gvishal · ‎08-09-2017

Hello Team, Just wondering if we have an updated documentation for kerberos setup on HDP 2.6. I am mainly interested in the checks we should be doing before starting kerberos setup using Ambari. The challenge using Ambari for kerberos setup is that if it gets stuck then getting cluster back is a nightmare. Even the 'skip' button on Ambari becomes unavailable many times. The cluster all services green on Ambari may not be complete confirmation that cluster is in the good state to start the kerberos installation. with Manual installation, atleast we know the steps followed and rollback may be a bit easier. Thanks

gvishal · ‎06-27-2017

Thanks Robert and bhatt. This is helpful

gvishal · ‎06-27-2017

Have anyone tried kadmin (connecting to AD KDC) after kerberising the hadoop cluster using Ambari? I am using the same credentials and it is saying “Required KADM5 principal missing while initializing kadmin interface”. What is the recommended best way to AD KDC connection? Thanks for help

gvishal · ‎06-01-2017

Thanks Graham and Robert. This is helpful.

gvishal · ‎06-01-2017

Hello Team, Do we need to re-do the Kerberos and SSL set up again after the upgrade to HDP 2.5 from HDP 2.3 or HDP 2.4. Thanks

gvishal · ‎04-20-2017

In a kerberozed cluster. How to block local user authentication for Ranger and only Accept Active Directory users. Can Ranger locally create users as well?

gvishal · ‎04-15-2017

We have a Kerberozed Hadoop cluster with Ranger. How to configure the Ranger to block local user authentication and only allowed to accept Active Directory (AD) users. Thanks

gvishal · ‎04-07-2017

Dear Stanca, I agree with you on all the points but you know sometimes lack of knowledge makes things difficult. As a culture in Finland & Sweden, some of these senior Non-IT executives wants to see specific written words, especially when competitor has something in writing. Last reply from Jay and your reply are both helpful to do the test which we are proposing now to prove in terms of disabling the SSL and enabling only TLS , followed by using Openssl_Client test. You would also agree that in a competitive situation (cloudera writing 'TLS' and hortonworks Not in their documentation), it is hard to argue why cloudera is saying and Horton not saying. Thanks for the details & help.

gvishal · ‎04-07-2017

Dear Jay, You understood it correctly. Customer is looking a similar documentation from Horton as it is from Apache in your link above. specifically mentioning TLS. The argument is how do we know ensure Hortonworks has implemented what Apache Hadoop is saying. Hortonworks documentation did not provide it in writing / in their documentation. Your openssl_s command test is surely one way and will help. But do you think a page/ document from Horton exist any where stating that all hadoop.ssl.enabled.protocols property in core-site.xml file can use TLS protocol. Thanks for help.

gvishal · ‎04-07-2017

We have a tricky situation where customer is looking for written proof of 'TLS' support for services on HDP2.5 for webUIs. They claim that it is only Kafka which says that but no other service , https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch_wire-kafka.html Is there a documentation , link or written proof where he can specifically see 'TLS' support for HDP services. The argument is cloudera documentation clearly state is everywhere. The issue is - he suspect that Horton still use the old protocols / ciphers and not TLS except Kafka. Any pointers , link or documentation he can refer to

gvishal · ‎04-07-2017

We have tricky situation where customer wants a written proof of ssl supporting TLS on services running with HDP2.5. He says that Hortonworks documentation don't say that services use TLS1.1/2 except Kafka as per the link https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.5.3/bk_security/content/ch_wire-kafka.html Is there any documentation or written proof / link available which they can refer and see the word 'TLS ' specifically. The argument is that cloudera documentation clearly states it everywhere. Why Hortonworks do not ?

gvishal · ‎04-05-2017

Hello, Please help to understand the cryto algorithms used for : 1) HDFS encryption at rest 2) SSL/TLS communications 3) Kerberos We have a HDP 2.5 Thanks, Vishal.

gvishal · ‎03-30-2017

Hello, 2 use case - if some one hack the key or we lost the key, can we re-generate new key using the same certificates. Second, if some hack the certificate and we have to compromise the certificate , can we re-generate the keys. thanks

gvishal · ‎03-30-2017

Where does it gets stored, in postgres database or .conf file. Thanks

gvishal · ‎03-30-2017

Do you the script name and path please. Thanks

gvishal · ‎03-29-2017

How is PostgreS DB authentication secured?

gvishal · ‎03-29-2017

Can we implement mutual TLS authentication (client certificate) on all admin interfaces around different tools

gvishal · ‎03-29-2017

which version of HDP supports revocation checking on SSL/TLS communications? How is this done (CRL or OCSP)?

gvishal · ‎03-29-2017

How are authentication credentials stored and protected within the local KDC created during Kerberos implementation? What encryption algorithm can be used ?

Online	Offline
Last Visited	‎04-07-2017 01:16 AM

Date Registered	‎04-06-2017 09:40 PM
Last Visited	‎04-07-2017 01:16 AM
Total Messages Posted	38
Total Kudos Received	1

Re: Authentication error in file view access via A...

Authentication error in file view access via Ambar...

Re: how to change default Atlas UI admin password

how to change default Atlas UI admin password

Re: knox responsed 404 not found when use file vie...

Re: Knox UI Mapping Problem - ResourceManager Web ...

Re: knox responsed 404 not found when use file vie...

Re: knox responsed 404 not found when use file vie...

SSL certificate do not have passphrases for the p...

Re: Kerberos Setup on HDP 2.6

Re: Kerberos Setup on HDP 2.6

Re: Kerberos Setup on HDP 2.6

Re: using Kadmin for connectiong to AD KDC

using Kadmin for connectiong to AD KDC

Re: Does Kerberos needs to be redone after a Hadoo...

Does Kerberos needs to be redone after a Hadoop Up...

How to stop Ranger from creating users

Block Local user Authentication for AD integration

Re: Hortonworks documentation with Specific word '...

Re: Horton documentation specifically stating 'TLS...

Hortonworks documentation with Specific word 'TLS'

Horton documentation specifically stating 'TLS'

Cryto algorithms used for HDFS encryption, SSL com...

Re: Ranger KMS support Pre-generated revocation ce...

Re: Encryption keys in Ranger KMS using Pass Phras...

Re: Keys Backup other than PostgreS DB backup

How is PostgreS DB authentication secured on a Had...

TLS authentication on all admin interfaces

Revocation checking support on SSL/TLS

Authentication credentials in local KDC