Posted to user@ambari.apache.org by Davy Stoffel <da...@data-essential.com> on 2018/06/07 10:41:40 UTC
Ambari 2.6.2.0 / HDP 2.6 - Fileview/HiveView authorization required after kerberization of cluster
Hi all,

I'm trying to secure our HDP cluster with Kerberos, but I cannot access
fileview/hiveview anymore after that.

Steps done:

I did a fresh install of Ambari and deployed the HDP cluster.
I joined all the hosts (including Ambari) to our IPA realm.
Enabled the experimental IPA feature.
Changed the krb5.conf to use the file system to store the Kerberos cache.
Started the Kerberos wizard and went to the end.
No error was reported during the wizard and all components have been
successfully restarted.

Now if I use the view, I always get the error:

Failed to transition to *undefined* (details)
<http://ambari.office.data-essential.com:8080/views/FILES/1.0.0/test/#/messages/1>
:
*Server status:* 500
org.apache.hadoop.security.AccessControlException: Authentication required
at org.apache.hadoop.hdfs.web.WebHdfsFileSystem.validateResponse(WebHdfsFileSystem.java:460)

After digging, some users say to:
Create a new view and change the WebHDFS Authorization to use Kerberos and
the principal of the Ambari server. (The documentation says this is no
longer needed, but I still tried it as it was not working at first.)

auth=KERBEROS;proxyuser=<ambari-server-user-principal>@REALM or without
@REALM

They also ask to check the core-site settings and make sure the principal
proxy user is well defined. The kerberization process did as expected, both
options are there:

1. hadoop.proxyuser.<ambari-server-user-principal>.groups=*
2. hadoop.proxyuser.<ambari-server-user-principal>.hosts=*

Another also said to set both options for the user running the Ambari
process; I also tried that.

I cannot find any other suggestions. Any advice on how I can troubleshoot
this issue?

Thank you,
Davy
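
An added example (not part of the original post, and not Ambari or Hadoop project code): a Python check that reads core-site.xml properties, reports the state of the hadoop.proxyuser hosts/groups keys for the short name of a given principal, and lists proxyuser keys written with a realm or instance in them. The sample XML, the principal ambari-server-c1@EXAMPLE.COM, the host name and the function names are constructed; it assumes the default principal-to-short-name mapping.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment; principals and hosts are sample values.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.ambari-server-c1.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.ambari-server-c1.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.root.hosts</name><value>ambari.example.internal</value></property>
  <property><name>hadoop.proxyuser.ambari@EXAMPLE.COM.hosts</name><value>*</value></property>
</configuration>"""

def short_name(principal):
    """Default mapping: drop @REALM and any /instance component.
    Assumes no custom hadoop.security.auth_to_local rule renames the user."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def check_proxyuser(xml_text, principal):
    """Report the state of the hosts/groups proxyuser keys for one principal."""
    props = load_properties(xml_text)
    user = short_name(principal)
    findings = []
    for suffix in ("hosts", "groups"):
        key = f"hadoop.proxyuser.{user}.{suffix}"
        value = props.get(key)
        if not value:
            findings.append(("MISSING", key))     # key absent or empty
        elif value == "*":
            findings.append(("WILDCARD", key))    # works, but broader than needed
        else:
            findings.append(("RESTRICTED", key))  # explicit host or group list
    return findings

def misnamed_keys(xml_text):
    """Proxyuser keys carrying a realm or instance; Hadoop looks keys up by short name."""
    return sorted(k for k in load_properties(xml_text)
                  if k.startswith("hadoop.proxyuser.") and ("@" in k or "/" in k))

if __name__ == "__main__":
    for status, key in check_proxyuser(SAMPLE_CORE_SITE, "ambari-server-c1@EXAMPLE.COM"):
        print(status, key)
    print("misnamed:", misnamed_keys(SAMPLE_CORE_SITE))
```

A WILDCARD result means impersonation is permitted from any host or for any group; an explicit Ambari host and group list narrows that.
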
Re: Ambari 2.6.2.0 / HDP 2.6 - Fileview/HiveView authorization required after kerberization of cluster
Posted by Davy Stoffel <da...@data-essential.com>.
Re,

FYI, I installed an older version of HDP, 2.5 (same Ambari version), did
the same steps, and everything is working as expected.
Does anyone know if 2.6.X had a related issue? I took a look at the JIRA
issues but didn't find anything relevant.

Thanks,
Davy