Issue: Ambari does not show the security configuration on the Storm configuration tab, so you cannot add users to nimbus.admins.
Workaround: To give permissions to other users, use
topology.users
or topology.groups
.
Issue: In AD+MIT setup, when trying to access Nimbus on a Kerberized cluster a HTTP 413 full HEAD error is received. (STORM-633)
Workaround: Add ui.header.buffer.bytes :
“65536”
under “Custom storm-site" on the Ambari Storm configuration tab.
Issue: Log viewer. We recommend against creating HTTP principal keytabs for supervisors. This can cause the SPNEGO protocol to fail.
Workaround:
Add the HTTP principal for Storm supervisor nodes too. For example:
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey HTTP/<supervisor-hostname>
where
<supervisor-hostname>
is your hostname and domain for Kerberos; for example:supervisor1.host1.com@HOST1.COM
Add this principal for all hosts that run supervisor machines.
For example:
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/supervisor1.host1.com@HOST1.COM"
Add the newly created HTTP principals to the
spnego.service.keytab
file.Make sure that the spnego.service.keytab file has “storm” user privileges for read operations.
Distribute this keytab to all supervisor hosts.
On the supervisor node, edit
/etc/storm/conf/storm.yaml
. Change theui.filter.parameters
as follows, replacing<supervisor-hostname>
with the hostname of your supervisor process:"type": "kerberos"
"kerberos.principal": "HTTP/<supervisor-hostname>"
"kerberos.keytab": "/vagrant/keytabs/http.keytab"
On each supervisor machine change the Kerberos.principal hostname to that supervisor’s hostname.
Restart the log viewer.
Add supervisor hosts to
network.negotiate-auth.trusted-uris
(similar to the steps needed to access the Storm UI).