Hi Jingfei -

Once you kerberize your cluster, you will generally need to be able to 
authenticate to a KDC that is either shared with the cluster or has some sort 
of cross-domain trust established between the two KDCs.
You might consider using Apache Knox to authenticate an external client to 
Knox via LDAP or some other mechanism, and Knox will take care of the strong 
authentication required to access secured Hadoop resources.

You may access a file in HDFS this way with curl using HTTP basic auth against 
LDAP for example:

curl -ivku username:password -X GET 'https://host:port/gateway/sandbox/webhdfs/v1/tmp/filename?op=OPEN'

Direct access to webhdfs will be difficult from your desktop.

Hope that helps,

—larry

On Nov 23, 2015, at 8:44 PM, Jingfei Hu <[email protected]> wrote:

Anyone?

From: Jingfei Hu [mailto:[email protected]]
Sent: Monday, November 23, 2015 6:26 PM
To: [email protected]
Cc: [email protected]
Subject: Am I understanding right?

Hi team,
I have some trouble accessing an HDFS with Kerberos enabled using the webhdfs 
protocol. The Hadoop deployment is using the HDP sandbox in Windows Azure (just 
one node). I tried several things.
1. Enabled Kerberos according to the wizard
   a. I can access the hdfs file using webhdfs in that node with the correct 
      Kerberos user name and password. (I am using curl --negotiate …)
   b. But I can't access the hdfs file outside of the hdfs cluster, say from a 
      Windows 10 client in our corp network.
2. Enabled Kerberos and connected it with an LDAP
   a. I can access the hdfs file using webhdfs in that node with the correct 
      Kerberos user name and password. (I am using curl --negotiate …)
   b. I can access the hdfs file using webhdfs in a machine within the 
      domain which is connected with the KDC using the KDC user name and password
   c. I can access the hdfs file using webhdfs in a machine within the 
      domain which is connected with the KDC using the domain account and password
So my question is: will 1.b work in any circumstances? Or is it not working by 
design?

Thanks,
Jingfei
