You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@tez.apache.org by Gagan Brahmi <ga...@gmail.com> on 2015/08/20 22:00:27 UTC
Tez UI Kerberos
Does anyone has an idea how to enable Tez UI in a kerberos enabled
environment?
I am hosting tez UI on apache and the ATS is secured. I am getting errors
where Tez UI is not able to retrieve the data from Timeline server.
Couldn't find any documentation which can provide help with this one.
Regards,
Gagan Brahmi
Re: Tez UI Kerberos
Posted by Hitesh Shah <hi...@apache.org>.
You could take a separate machine/VM and install ambari-server-2.1.0 on it? But yes, agreed - the Tez UI view does not work with Ambari-1.7.0.
— Hitesh
On Aug 20, 2015, at 3:38 PM, Gagan Brahmi <ga...@gmail.com> wrote:
> That would work in a Ambari 2.X environment I believe, but an environment which is managed via Ambari 1.7 it becomes tricky I guess.
>
> My cluster is a managed by Ambari 1.7.
>
> On Thu, Aug 20, 2015 at 2:55 PM, Hitesh Shah <hi...@apache.org> wrote:
> The other approach to this is to have an intermediate proxy that is authenticated and can make calls to the ATS server. The Tez UI makes 2 kind of calls to the backend services ( one set to YARN ResourceManager and the other to Timeline server ) so both of these calls would need to be proxied through a server/process that is kerberos authenticated.
>
> A simple option for this would be try using Ambari in standalone mode. In this mode, the ambari-server acts as an authenticated proxy for the UI. This involves installing the Ambari Server, setting it up to work in a secure mode and instantiating the Tez View within it. All your users can then use the Tez UI within Ambari without needing any kerberos auth. Ambari-server would be started with kerberos auth and you need to configure that user as a hadoop proxy user. To be clear, this does *not* require you to set up your Hadoop cluster using Ambari.
>
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_running_ambari_standalone.html
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_configuring_views_for_kerberos.html
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_using_tez_view.html
>
> thanks
> — Hitesh
>
>
>
> On Aug 20, 2015, at 2:41 PM, Gagan Brahmi <ga...@gmail.com> wrote:
>
> > Thanks Hitesh, but I don't want the UI to be accessed through Kerberos.
> >
> > Client to Tez UI communication should be without kerberos and Tez UI to ATS will be over Kerberos.
> >
> > Anyone accomplished this before?
> >
> >
> > On Thu, Aug 20, 2015 at 1:57 PM, Hitesh Shah <hi...@apache.org> wrote:
> > You will first need to do a kinit and then start a new firefox session with the following config “network.negotiate-auth.trusted-uris“ set up as needed.
> >
> > Ref on setting up firefox:
> > http://people.redhat.com/mikeb/negotiate/
> > http://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tsec/task_EnablingKerberosAuthenticationinFirefox-836673.html
> >
> > — Hitesh
> >
> > On Aug 20, 2015, at 1:00 PM, Gagan Brahmi <ga...@gmail.com> wrote:
> >
> > > Does anyone has an idea how to enable Tez UI in a kerberos enabled environment?
> > >
> > > I am hosting tez UI on apache and the ATS is secured. I am getting errors where Tez UI is not able to retrieve the data from Timeline server.
> > >
> > > Couldn't find any documentation which can provide help with this one.
> > >
> > >
> > > Regards,
> > > Gagan Brahmi
> >
> >
>
>
Re: Tez UI Kerberos
Posted by Gagan Brahmi <ga...@gmail.com>.
That would work in a Ambari 2.X environment I believe, but an environment
which is managed via Ambari 1.7 it becomes tricky I guess.
My cluster is a managed by Ambari 1.7.
On Thu, Aug 20, 2015 at 2:55 PM, Hitesh Shah <hi...@apache.org> wrote:
> The other approach to this is to have an intermediate proxy that is
> authenticated and can make calls to the ATS server. The Tez UI makes 2
> kind of calls to the backend services ( one set to YARN ResourceManager and
> the other to Timeline server ) so both of these calls would need to be
> proxied through a server/process that is kerberos authenticated.
>
> A simple option for this would be try using Ambari in standalone mode. In
> this mode, the ambari-server acts as an authenticated proxy for the UI.
> This involves installing the Ambari Server, setting it up to work in a
> secure mode and instantiating the Tez View within it. All your users can
> then use the Tez UI within Ambari without needing any kerberos auth.
> Ambari-server would be started with kerberos auth and you need to configure
> that user as a hadoop proxy user. To be clear, this does *not* require you
> to set up your Hadoop cluster using Ambari.
>
>
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_running_ambari_standalone.html
>
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_configuring_views_for_kerberos.html
>
> http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_using_tez_view.html
>
> thanks
> — Hitesh
>
>
>
> On Aug 20, 2015, at 2:41 PM, Gagan Brahmi <ga...@gmail.com> wrote:
>
> > Thanks Hitesh, but I don't want the UI to be accessed through Kerberos.
> >
> > Client to Tez UI communication should be without kerberos and Tez UI to
> ATS will be over Kerberos.
> >
> > Anyone accomplished this before?
> >
> >
> > On Thu, Aug 20, 2015 at 1:57 PM, Hitesh Shah <hi...@apache.org> wrote:
> > You will first need to do a kinit and then start a new firefox session
> with the following config “network.negotiate-auth.trusted-uris“ set up as
> needed.
> >
> > Ref on setting up firefox:
> > http://people.redhat.com/mikeb/negotiate/
> >
> http://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tsec/task_EnablingKerberosAuthenticationinFirefox-836673.html
> >
> > — Hitesh
> >
> > On Aug 20, 2015, at 1:00 PM, Gagan Brahmi <ga...@gmail.com> wrote:
> >
> > > Does anyone has an idea how to enable Tez UI in a kerberos enabled
> environment?
> > >
> > > I am hosting tez UI on apache and the ATS is secured. I am getting
> errors where Tez UI is not able to retrieve the data from Timeline server.
> > >
> > > Couldn't find any documentation which can provide help with this one.
> > >
> > >
> > > Regards,
> > > Gagan Brahmi
> >
> >
>
>
Re: Tez UI Kerberos
Posted by Hitesh Shah <hi...@apache.org>.
The other approach to this is to have an intermediate proxy that is authenticated and can make calls to the ATS server. The Tez UI makes 2 kind of calls to the backend services ( one set to YARN ResourceManager and the other to Timeline server ) so both of these calls would need to be proxied through a server/process that is kerberos authenticated.
A simple option for this would be try using Ambari in standalone mode. In this mode, the ambari-server acts as an authenticated proxy for the UI. This involves installing the Ambari Server, setting it up to work in a secure mode and instantiating the Tez View within it. All your users can then use the Tez UI within Ambari without needing any kerberos auth. Ambari-server would be started with kerberos auth and you need to configure that user as a hadoop proxy user. To be clear, this does *not* require you to set up your Hadoop cluster using Ambari.
http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_running_ambari_standalone.html
http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_configuring_views_for_kerberos.html
http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_using_tez_view.html
thanks
— Hitesh
On Aug 20, 2015, at 2:41 PM, Gagan Brahmi <ga...@gmail.com> wrote:
> Thanks Hitesh, but I don't want the UI to be accessed through Kerberos.
>
> Client to Tez UI communication should be without kerberos and Tez UI to ATS will be over Kerberos.
>
> Anyone accomplished this before?
>
>
> On Thu, Aug 20, 2015 at 1:57 PM, Hitesh Shah <hi...@apache.org> wrote:
> You will first need to do a kinit and then start a new firefox session with the following config “network.negotiate-auth.trusted-uris“ set up as needed.
>
> Ref on setting up firefox:
> http://people.redhat.com/mikeb/negotiate/
> http://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tsec/task_EnablingKerberosAuthenticationinFirefox-836673.html
>
> — Hitesh
>
> On Aug 20, 2015, at 1:00 PM, Gagan Brahmi <ga...@gmail.com> wrote:
>
> > Does anyone has an idea how to enable Tez UI in a kerberos enabled environment?
> >
> > I am hosting tez UI on apache and the ATS is secured. I am getting errors where Tez UI is not able to retrieve the data from Timeline server.
> >
> > Couldn't find any documentation which can provide help with this one.
> >
> >
> > Regards,
> > Gagan Brahmi
>
>
Re: Tez UI Kerberos
Posted by Gagan Brahmi <ga...@gmail.com>.
Thanks Hitesh, but I don't want the UI to be accessed through Kerberos.
Client to Tez UI communication should be without kerberos and Tez UI to ATS
will be over Kerberos.
Anyone accomplished this before?
On Thu, Aug 20, 2015 at 1:57 PM, Hitesh Shah <hi...@apache.org> wrote:
> You will first need to do a kinit and then start a new firefox session
> with the following config “network.negotiate-auth.trusted-uris“ set up as
> needed.
>
> Ref on setting up firefox:
> http://people.redhat.com/mikeb/negotiate/
>
> http://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tsec/task_EnablingKerberosAuthenticationinFirefox-836673.html
>
> — Hitesh
>
> On Aug 20, 2015, at 1:00 PM, Gagan Brahmi <ga...@gmail.com> wrote:
>
> > Does anyone has an idea how to enable Tez UI in a kerberos enabled
> environment?
> >
> > I am hosting tez UI on apache and the ATS is secured. I am getting
> errors where Tez UI is not able to retrieve the data from Timeline server.
> >
> > Couldn't find any documentation which can provide help with this one.
> >
> >
> > Regards,
> > Gagan Brahmi
>
>
Re: Tez UI Kerberos
Posted by Hitesh Shah <hi...@apache.org>.
You will first need to do a kinit and then start a new firefox session with the following config “network.negotiate-auth.trusted-uris“ set up as needed.
Ref on setting up firefox:
http://people.redhat.com/mikeb/negotiate/
http://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tsec/task_EnablingKerberosAuthenticationinFirefox-836673.html
— Hitesh
On Aug 20, 2015, at 1:00 PM, Gagan Brahmi <ga...@gmail.com> wrote:
> Does anyone has an idea how to enable Tez UI in a kerberos enabled environment?
>
> I am hosting tez UI on apache and the ATS is secured. I am getting errors where Tez UI is not able to retrieve the data from Timeline server.
>
> Couldn't find any documentation which can provide help with this one.
>
>
> Regards,
> Gagan Brahmi