The other approach to this is to have an intermediate proxy that is authenticated and can make calls to the ATS server. The Tez UI makes 2 kind of calls to the backend services ( one set to YARN ResourceManager and the other to Timeline server ) so both of these calls would need to be proxied through a server/process that is kerberos authenticated.
A simple option for this would be try using Ambari in standalone mode. In this mode, the ambari-server acts as an authenticated proxy for the UI. This involves installing the Ambari Server, setting it up to work in a secure mode and instantiating the Tez View within it. All your users can then use the Tez UI within Ambari without needing any kerberos auth. Ambari-server would be started with kerberos auth and you need to configure that user as a hadoop proxy user. To be clear, this does *not* require you to set up your Hadoop cluster using Ambari. http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_running_ambari_standalone.html http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_configuring_views_for_kerberos.html http://docs.hortonworks.com/HDPDocuments/Ambari-2.1.0.0/bk_ambari_views_guide/content/ch_using_tez_view.html thanks — Hitesh On Aug 20, 2015, at 2:41 PM, Gagan Brahmi <[email protected]> wrote: > Thanks Hitesh, but I don't want the UI to be accessed through Kerberos. > > Client to Tez UI communication should be without kerberos and Tez UI to ATS > will be over Kerberos. > > Anyone accomplished this before? > > > On Thu, Aug 20, 2015 at 1:57 PM, Hitesh Shah <[email protected]> wrote: > You will first need to do a kinit and then start a new firefox session with > the following config “network.negotiate-auth.trusted-uris“ set up as needed. > > Ref on setting up firefox: > http://people.redhat.com/mikeb/negotiate/ > http://docs.oracle.com/cd/E41633_01/pt853pbh1/eng/pt/tsec/task_EnablingKerberosAuthenticationinFirefox-836673.html > > — Hitesh > > On Aug 20, 2015, at 1:00 PM, Gagan Brahmi <[email protected]> wrote: > > > Does anyone has an idea how to enable Tez UI in a kerberos enabled > > environment? > > > > I am hosting tez UI on apache and the ATS is secured. I am getting errors > > where Tez UI is not able to retrieve the data from Timeline server. > > > > Couldn't find any documentation which can provide help with this one. > > > > > > Regards, > > Gagan Brahmi > >
