Accessing Hadoop web interfaces as dr.who

If you enable Kerberos security on your Hadoop services but do not set up HTTP authentication for their web interfaces, you will see one or more of the following messages:
  • Logged in as: dr.who
  • Permission denied: user=dr.who
  • Access denied: User dr.who does not have permission to view job
  • No groups available for user dr.who
dr.who is the anonymous user that is used when a secure web service is accessed without authentication.

This can happen if you rely on the Ambari Secure Wizard (ASW) to set up your Kerberos security, as this is one of the parts of the configuration that the ASW does not touch. You need to set this up manually. Here is a good guide on doing that: http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.0.6.0/ds_Hadoop/hadoop-project-dist/hadoop-common/HttpAuthentication.html

Once this is configured, users access the web interfaces as their logged-in Kerberos principal.

The significant fields are the authentication type (kerberos), the principal (HTTP), the keytab path (for the HTTP principal), the filter initializers, and the secret file. For testing purposes the secret file's contents can be anything, as long as the file is readable by all the Hadoop services.
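The following check is an added example, not code from the original post or from the Hadoop project: it reads a core-site.xml and reports which of the five fields above are missing, using the property names from Hadoop's HTTP authentication documentation. The realm, file paths and sample configurations are constructed placeholders, and the check assumes every field must be set explicitly rather than left at its default.

```python
import xml.etree.ElementTree as ET

FILTER = "org.apache.hadoop.security.AuthenticationFilterInitializer"
P = "hadoop.http.authentication."

def load_props(xml_text):
    """Return {name: value} from a Hadoop <configuration> document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): (p.findtext("value") or "").strip()
            for p in root.iter("property")}

def http_auth_findings(xml_text):
    """List the HTTP authentication fields that are missing or wrong.
    Assumption: every field must be set explicitly; defaults are not accepted."""
    c = load_props(xml_text)
    inits = [s.strip() for s in c.get("hadoop.http.filter.initializers", "").split(",")]
    out = []
    if FILTER not in inits:
        out.append("initializers: AuthenticationFilterInitializer not listed")
    if c.get(P + "type", "simple") != "kerberos":
        out.append("type: not kerberos")
    if not c.get(P + "kerberos.principal", "").startswith("HTTP/"):
        out.append("principal: not an HTTP/ service principal")
    if not c.get(P + "kerberos.keytab"):
        out.append("keytab: path to the HTTP keytab not set")
    if not c.get(P + "signature.secret.file"):
        out.append("secret file: not set")
    return out

def conf(props):
    """Build a core-site.xml string from a dict (constructed sample input)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample: RPC is Kerberized but the web interfaces are untouched.
KERBEROS_ONLY = conf({"hadoop.security.authentication": "kerberos"})

# Constructed sample: same cluster with the five fields filled in.
# Realm and file paths are placeholders, not values from the post.
WITH_HTTP_AUTH = conf({
    "hadoop.security.authentication": "kerberos",
    "hadoop.http.filter.initializers": FILTER,
    P + "type": "kerberos",
    P + "kerberos.principal": "HTTP/_HOST@EXAMPLE.COM",
    P + "kerberos.keytab": "/etc/security/keytabs/spnego.service.keytab",
    # Hadoop signs the authentication token with this file's contents.
    P + "signature.secret.file": "/etc/security/http_secret",
})
```

Pass the contents of a real core-site.xml to `http_auth_findings`; an empty list means all five fields are present.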

Here is a good resource for testing and troubleshooting authenticated HTTP access: http://hadoop.apache.org/docs/r0.23.9/hadoop-auth/Examples.html.
