Hi Rajesh -

A couple things...

1. Can you provide your hera.xml topology file - please scrub it of any
sensitive info like hostnames, secrets/passwords, etc?
2. Have you been able to access the same with HTTP Basic Auth against LDAP
rather than trying to use the hadoop auth module?
3. There is an issue for the hadoop auth module use with Knox that does not
allow the redirect to datanodes to work due to Knox requiring SPNEGO
authentication on the redirect as well - so this may not provide you with
the access that you expect. Things like LISTSTATUS will work because there
is no redirect to datanodes.

#2 above is what I would really like to drill into a bit more. I want to
make sure that it is clear that in this type of scenario, Knox
authenticates to the secured cluster via Kerberos/SPNEGO even though the
end user does not. This allows for LDAP based authentication, or whatever
provider you like, to authenticate the end user and Hadoop is configured to
trust Knox to interact on behalf of the end users. As long as Knox
authenticates via Kerberos, the Hadoop cluster knows that it can trust the
username provided by Knox as the end user. This is generally the approach
used in secure cluster access through Knox.

I would be interested in understanding your use case better where Kerberos
is required for the end user - if this is indeed what is desired.

Thanks,

--larry


On Mon, Dec 14, 2015 at 1:58 AM, Rajesh Chandramohan <[email protected]
> wrote:

>
>
>
> Hi,
>
> We were trying with Knox gateway to access a Hadoop cluster which is
> secured (kerberized). But using Kerberos authentication we couldn’t access
> the cluster. With the same Kerberos key we could access the data using
> HttpFS. Can anybody help us with the right configuration for Knox with
> Kerberos?
>
> ====
> -sh-4.1$  /usr/bin/curl  -ik --negotiate -u : -X GET '
> https://hera-phx-zk-3.vip.ebay.com:8443/gateway/hera/webhdfs/v1/?op=LISTSTATUS
> '
> HTTP/1.1 401 Authentication required
> WWW-Authenticate: Negotiate
> Set-Cookie: hadoop.auth=; Path=/export/home/b_knox/knox/conf; Domain=
> ebay.com; Expires=Thu, 01-Jan-1970 00:00:00 GMT; Secure; HttpOnly
> Content-Type: text/html;charset=ISO-8859-1
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Length: 1417
> Server: Jetty(8.1.14.v20131031)
>
> HTTP/1.1 500 Server Error
> Set-Cookie: 
> hadoop.auth=u=b_knox&[email protected]&t=kerberos&e=1449829226535&s=yuiBjLQqkWagz2ISmzQGmRqrXjE=;
> Path=/export/home/b_knox/knox/conf; Domain=ebay.com; Expires=Fri,
> 11-Dec-2015 10:20:26 GMT; Secure; HttpOnly
> Content-Type: text/html;charset=ISO-8859-1
> Cache-Control: must-revalidate,no-cache,no-store
> Content-Length: 1395
> Server: Jetty(8.1.14.v20131031)
>
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
> <title>Error 500 Server Error</title>
> </head>
> <body><h2>HTTP ERROR 500</h2>
> <p>Problem accessing /gateway/hera/webhdfs/v1/. Reason:
> <pre>    Server Error</pre></p><hr /><i><small>Powered by
> Jetty://</small></i><br/>
> <br/>
>
> ----- httpFs----Worked with same kerberos----
> -sh-4.1$ curl -i -vvv --negotiate -u : "
> http://hera-phx-nn-2.vip.ebay.com:14000/webhdfs/v1/hbase/?op=liststatus";
> > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
> 3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2
> > Host: hera-phx-nn-2.vip.ebay.com:14000
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> HTTP/1.1 200 OK
> < Server: Apache-Coyote/1.1
> Server: Apache-Coyote/1.1
> < Set-Cookie: 
> hadoop.auth=u=b_knox&[email protected]&t=composite&e=1449863459356&s=df8H1d7PwSqHVC7T62+yXNYq7i4=;
> Path=/; Expires=Fri, 11-Dec-2015 19:50:59 GMT; HttpOnly
> Set-Cookie: 
> hadoop.auth=u=b_knox&[email protected]&t=composite&e=1449863459356&s=df8H1d7PwSqHVC7T62+yXNYq7i4=;
> Path=/; Expires=Fri, 11-Dec-2015 19:50:59 GMT; HttpOnly
> < Content-Type: application/json
> Content-Type: application/json
> < Transfer-Encoding: chunked
> Transfer-Encoding: chunked
> < Date: Fri, 11 Dec 2015 09:51:03 GMT
> Date: Fri, 11 Dec 2015 09:51:03 GMT
>
> <
>
> \Rajesh
>
>
>
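The trusted-proxy arrangement described in the reply (end user authenticates to Knox over HTTP Basic against LDAP, Knox authenticates to Hadoop with Kerberos, Hadoop accepts the user name Knox asserts), shown as an added configuration sketch that is not from the thread or from the poster's cluster. Hostnames, the LDAP DN template and the group name are placeholders; the proxyuser short name `knox` is an assumption (use the short name of the gateway's own Kerberos principal), and the realm class name uses the `org.apache.hadoop.gateway` package of Knox releases before 1.0.

```xml
<!-- 1. Knox topology file: authenticate END USERS with HTTP Basic against LDAP -->
<topology>
  <gateway>
    <provider>
      <role>authentication</role>
      <name>ShiroProvider</name>
      <enabled>true</enabled>
      <param><name>main.ldapRealm</name>
             <value>org.apache.hadoop.gateway.shirorealm.KnoxLdapRealm</value></param>
      <!-- placeholder DN layout and LDAP host -->
      <param><name>main.ldapRealm.userDnTemplate</name>
             <value>uid={0},ou=people,dc=example,dc=com</value></param>
      <param><name>main.ldapRealm.contextFactory.url</name>
             <value>ldaps://ldap.example.com:636</value></param>
      <param><name>main.ldapRealm.contextFactory.authenticationMechanism</name>
             <value>simple</value></param>
      <param><name>urls./**</name><value>authcBasic</value></param>
    </provider>
    <!-- Pass the authenticated LDAP user name to Hadoop as the effective user -->
    <provider>
      <role>identity-assertion</role>
      <name>Default</name>
      <enabled>true</enabled>
    </provider>
  </gateway>
  <service>
    <role>WEBHDFS</role>
    <url>http://namenode.example.com:50070/webhdfs</url> <!-- placeholder -->
  </service>
</topology>

<!-- 2. gateway-site.xml: Knox itself uses Kerberos/SPNEGO towards the cluster -->
<property>
  <name>gateway.hadoop.kerberos.secured</name>
  <value>true</value>
</property>

<!-- 3. core-site.xml on the cluster: trust the Knox principal to impersonate.
     Scope hosts and groups narrowly; a value of * lets the gateway identity
     act for any user from any host. -->
<property>
  <name>hadoop.proxyuser.knox.hosts</name>
  <value>knox-gateway.example.com</value> <!-- placeholder gateway host -->
</property>
<property>
  <name>hadoop.proxyuser.knox.groups</name>
  <value>hdfs-users</value> <!-- placeholder group of users Knox may act for -->
</property>
```

With this layout the client call carries LDAP credentials over TLS instead of `--negotiate`, and only the gateway host needs a keytab.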
