Kerberized HCP Cluster managed by Ambari ... View more

We have a kerberised hdp cluster ( 2.6.5 ) deployed in AWS. AWS network architecture is in such a way that all the hdp component nodes are under private subnet and the access to them is only via ssh from bastion node which is in public subnet. We have enabled all the web components ( Storm UI, Metron UI, Metron Management UI etc ) available outside via AWS ELB load balancer to the outside world. Our kerberos server and kdc admin is available outside via ssh tunneling via bastion node, This is for the external accessing client to authenticate eg : Spengo. When we access our storm UI via browser with proper step taken for to pass spengo authentication, We are getting 403 error even with proper keytab and principal. Error getting in /var/log/storm/ui.out in storm UI hosted node Found KeyTab /etc/security/keytabs/spnego.service.keytab for HTTP/sdssystemmaster2@EXAMPLE.COM Looking for keys for: HTTP/sdssystemmaster2@EXAMPLE.COM Found unsupported keytype (3) for HTTP/sdssystemmaster2@EXAMPLE.COM MemoryCache: add 1536315369/301662/8ABC886166F6808EA668D561462EDD37/metron@EXAMPLE.COM to metron@HOST. Steps followed : 1- Installed kerberos client 2- Copied krb5.conf file from kerberose node to local file krb5.ini and configured [libdefaults] renew_lifetime = 7d forwardable = true default_realm = EXAMPLE.COM ticket_lifetime = 24h dns_lookup_realm = false dns_lookup_kdc = false default_ccache_name = /tmp/krb5cc_%{uid} #default_tgs_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 #default_tkt_enctypes = aes des3-cbc-sha1 rc4 des-cbc-md5 [logging] default = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log kdc = FILE:/var/log/krb5kdc.log [realms] EXAMPLE.COM = { admin_server = localhost kdc = localhost } 3- Copied keytab file of principal - HTTP/sdssystemmaster2@EXAMPLE.COM spnego.service.keytab 3- kinit executed () and ticket seems to be generated fine (screenshot added) 4- Configured firefox about:config network.negotiate-auth.trusted-uris : loadbalancer-url network.negotiate-auth.delegation-uris : loadbalancer-url network.negotiate-auth.gsslib : C:\Program Files\MIT\Kerberos\bin\gssapi64.dll network.negotiate-auth.using-native-gsslib : false 5- Loaded the storm UI Storm UI spengo Kerberos configuration ui.filter : org.apache.hadoop.security.authentication.server.AuthenticationFilter ui.filter.params : {'type': 'kerberos', 'kerberos.principal': '{{storm_ui_jaas_principal}}', 'kerberos.keytab':'{{storm_ui_keytab_path}}' , 'kerberos.name.rules': 'DEFAULT'} storm_ui_keytab : /etc/security/keytabs/spnego.service.keytab storm_ui_principal_name : HTTP/_HOST@EXAMPLE.COM ... View more