If your cluster is configured with an Active Directory trust, a client holding an Active Directory ticket can authenticate to the Storm UI through that trust: the UI's HTTP service principal lives in the MIT KDC realm, and the client's AD ticket is exchanged for a cross-realm ticket so that SPNEGO negotiation with the UI succeeds. Here are the additional configuration steps:
Make sure the UI Kerberos authentication-to-local rules are configured properly. Once a principal from Active Directory is used to negotiate with the MIT KDC, you need a rule that translates it to the local account on the Storm UI node: the DEFAULT rule only handles principals in the MIT KDC's own default realm, so a user from the trusted AD realm is rejected unless an explicit rule matches it. The rules can often be copied from the hadoop.security.auth_to_local property in core-site.xml. For example:
ui.filter.params:
  "type": "kerberos"
  "kerberos.principal": "HTTP/nimbus.host1.com"
  "kerberos.keytab": "/vagrant/keytabs/http.keytab"
  "kerberos.name.rules": "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"
Note: The rules are listed in a single string, separated by whitespace rather than commas, and are tried in order; the first rule that produces a simple local name (no "/" or "@") wins. $MAPRED_USER and $HDFS_USER in the example are placeholders for the actual local account names.
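To see how the rules above are evaluated, here is an added example (it is not code from this page, from Apache Storm or from Hadoop): a small Python re-implementation of the Hadoop auth-to-local rule evaluator that Storm's UI filter uses. It assumes EXAMPLE.COM is the MIT KDC's default realm and AD.EXAMPLE.COM the trusted Active Directory realm, fills the $MAPRED_USER and $HDFS_USER placeholders with the local names mapred and hdfs, and adds one rule of its own for the AD realm. Regexes are evaluated with Python's re rather than Java's, which is equivalent for rules of this shape.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


class NoMatchingRule(ValueError):
    """Raised when no auth-to-local rule maps the principal to a simple local name."""


@dataclass
class Rule:
    num_components: Optional[int]              # None means the DEFAULT rule
    fmt: str = ""                              # e.g. "$1@$0": $0 = realm, $n = nth component
    match: Optional[re.Pattern] = None         # regex the formatted string must fully match
    sub_from: Optional[re.Pattern] = None      # the s/<from>/<to>/ substitution, if any
    sub_to: str = ""
    repeat: bool = False                       # trailing "g": replace all, not just the first


# One rule, with optional leading whitespace: DEFAULT or RULE:[n:fmt](regex)s/from/to/g
RULE_RE = re.compile(
    r"\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?)"
)


def parse_rules(text: str) -> List[Rule]:
    """Scan the rule string left to right. Rules are separated by whitespace (never
    commas) and, as in Hadoop's parser, one rule may butt directly against the next."""
    rules, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError(f"unparseable auth-to-local rule at: {text[pos:]!r}")
        default, n, fmt, regex, frm, to, g = m.groups()
        if default:
            rules.append(Rule(None))
        else:
            # Java writes group references in the replacement as $1; Python wants \g<1>
            py_to = re.sub(r"\$(\d+)", r"\\g<\1>", to or "")
            rules.append(Rule(int(n), fmt,
                              re.compile(regex) if regex is not None else None,
                              re.compile(frm) if frm is not None else None,
                              py_to, g == "g"))
        pos = m.end()
    return rules


def to_local(principal: str, rules: List[Rule], default_realm: str) -> str:
    """Apply the rules in order and return the first simple local name produced."""
    if "@" not in principal:
        return principal                       # no realm: already a local name
    name, _, realm = principal.rpartition("@")
    comps = name.split("/")
    params = [realm] + comps                   # $0 = realm, $1.. = components
    for rule in rules:
        result = None
        if rule.num_components is None:        # DEFAULT: only principals of the local realm
            if realm == default_realm:
                result = comps[0]
        elif len(comps) == rule.num_components:
            base = re.sub(r"\$(\d+)", lambda m: params[int(m.group(1))], rule.fmt)
            if rule.match is None or rule.match.fullmatch(base):
                if rule.sub_from is None:
                    result = base
                else:
                    result = rule.sub_from.sub(rule.sub_to, base,
                                               count=0 if rule.repeat else 1)
        if result is not None:
            if "/" in result or "@" in result:
                raise NoMatchingRule(f"non-simple name {result!r} after rule {rule.fmt!r}")
            return result
    raise NoMatchingRule(f"no auth-to-local rule matched {principal}")


# Assumed realms and the page's rules with placeholders filled in, plus one added
# rule (an assumption) that strips the trusted AD realm off plain user principals.
DEFAULT_REALM = "EXAMPLE.COM"
RULES_TEXT = (
    "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/mapred/ "
    "RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/hdfs/ "
    r"RULE:[1:$1@$0](.*@AD\.EXAMPLE\.COM)s/@.*// "
    "DEFAULT"
)


def local_user(principal: str, rules_text: str = RULES_TEXT,
               default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """The local account a principal maps to, or None when no rule accepts it."""
    try:
        return to_local(principal, parse_rules(rules_text), default_realm)
    except NoMatchingRule:
        return None


if __name__ == "__main__":
    for p in ("jt/nimbus.host1.com@EXAMPLE.COM", "nn/nimbus.host1.com@EXAMPLE.COM",
              "storm/nimbus.host1.com@EXAMPLE.COM", "alice@AD.EXAMPLE.COM",
              "bob@ATTACKER.COM"):
        print(f"{p:40} -> {local_user(p)}")
    # Without a rule for the AD realm the trusted user is rejected outright
    print("alice@AD.EXAMPLE.COM with DEFAULT only   ->", local_user("alice@AD.EXAMPLE.COM", "DEFAULT"))
```

Running it prints the mapping for each sample principal. The last line shows the point of this step: with only DEFAULT in place, alice@AD.EXAMPLE.COM is rejected because DEFAULT accepts only the KDC's own realm. A principal from an unlisted realm (bob@ATTACKER.COM) is refused for the same reason, so keep the realm anchored in the rule's regex rather than matching on the user part alone; a rule such as s/@.*// without a realm check would hand a local account to any realm the KDC happens to trust.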
Create mappings for the MIT domain KDC and the associated resources used for that domain, in this case the Storm UI host. The host-to-realm mapping tells the Windows Kerberos client that the Storm UI's service principal belongs to the MIT realm, so the client asks Active Directory for a cross-realm ticket instead of asking it for a service principal it does not hold. Realm names are case-sensitive; use the MIT realm name exactly as configured (conventionally upper case).
On a Windows workstation, you would run the following commands from the command line:
ksetup /AddKDC $DOMAIN $KDC
ksetup /AddHostToRealmMap $hadoop_resource $DOMAIN
Note: the host mapping is stored as a registry entry under HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm, and the KDC entry under HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Domains\<realm>. Running ksetup with no arguments displays the current realm and host mappings so you can confirm they took effect.
Troubleshooting
To troubleshoot configuration issues, try accessing the Storm UI from within the cluster using the curl command. For example:
curl -i --negotiate -u:anyUser -b ~/cookiejar.txt -c ~/cookiejar.txt http://storm-ui-hostname:8080/api/v1/cluster/summary
Run it with a valid ticket in your credential cache (kinit first). With -i you see the whole exchange: a working configuration answers the first, unauthenticated request with 401 and a WWW-Authenticate: Negotiate challenge, then returns 200 with the cluster summary and sets the hadoop.auth cookie that the cookie jar stores for subsequent requests. A 401 with no Negotiate challenge means the UI filter is not active; if the negotiation completes but the request is still rejected, check the kerberos.name.rules mapping first. This will help you determine whether the Kerberos UI configuration is working.
To isolate the issue, test with both a Storm service keytab (a principal from the MIT realm) and a user principal from the trusted Active Directory realm: if the first works and the second fails, the UI filter itself is fine and the problem lies in the trust or in the name rules.
Two other important things to check are:
Make sure that the trust is working properly: after authenticating with an AD principal, klist should show a cross-realm ticket krbtgt/<MIT realm>@<AD realm> alongside the Storm UI service ticket.
Make sure that the encryption types match on both KDCs: the cross-realm trust key and the HTTP service key must exist in an encryption type that both the AD side and the MIT KDC (and the service keytab) support; klist -e shows the types actually in use.
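The last two checks can be made mechanical. The following is an added example (not from this page, Apache Storm or Hortonworks) that parses MIT Kerberos klist -e and klist -ket output and reports whether the cross-realm TGT is present and whether each service ticket in the cache was issued with an encryption type that the service's keytab actually contains. The sample output, hostnames and realms (EXAMPLE.COM as the MIT realm, AD.EXAMPLE.COM as the trusted Active Directory realm) are constructed for illustration; Windows klist and Heimdal print a different layout, so feed this MIT krb5 output.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample output (not captured from a real cluster). KLIST_E is what
# `klist -e` might print on a host holding an Active Directory TGT after a
# --negotiate request to the Storm UI; KLIST_KET is `klist -ket` on the HTTP
# service keytab named on this page. Realm and host names are assumptions.
KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
04/02/2024 09:00:00  04/02/2024 19:00:00  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/02/2024 09:00:05  04/02/2024 19:00:00  krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
04/02/2024 09:00:06  04/02/2024 19:00:00  HTTP/nimbus.host1.com@EXAMPLE.COM
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

KLIST_KET = """\
Keytab name: FILE:/vagrant/keytabs/http.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 04/01/2024 12:00:00 HTTP/nimbus.host1.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   1 04/01/2024 12:00:00 HTTP/nimbus.host1.com@EXAMPLE.COM (arcfour-hmac)
"""

# "start  expires  service principal" rows; the leading digit keeps the column
# header and the "Ticket cache:" / "Default principal:" lines from matching
TICKET_RE = re.compile(r"^\d\S* \S+\s+\d\S* \S+\s+(\S+)\s*$")
# "Etype (skey, tkt): <session key etype>, <ticket etype>"
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (\S+), (\S+)")
# "KVNO timestamp principal (etype)" rows of klist -ket output
KEYTAB_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)\s+\((\S+)\)")


def parse_ticket_cache(text: str) -> Dict[str, str]:
    """Map each service principal in `klist -e` output to its ticket enctype.

    The 'tkt' enctype is the one the ticket itself is encrypted with, i.e. the key
    type the service must hold in its keytab to decrypt it. Header and 'renew until'
    lines match neither pattern and are skipped."""
    tickets: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE_RE.search(line)
        if m and current:
            tickets[current] = m.group(2)
    return tickets


def parse_keytab(text: str) -> Dict[str, Set[str]]:
    """Map each principal in `klist -ket` output to the set of enctypes it has keys for."""
    keys: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = KEYTAB_RE.match(line)
        if m:
            keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys


def cross_realm_tgt(tickets: Dict[str, str], client_realm: str,
                    service_realm: str) -> Optional[str]:
    """Enctype of krbtgt/<service realm>@<client realm>, or None if the trust never
    produced one (the 'is the trust working' check)."""
    return tickets.get(f"krbtgt/{service_realm}@{client_realm}")


def enctype_mismatches(tickets: Dict[str, str],
                       keytab: Dict[str, Set[str]]) -> List[Tuple[str, str, List[str]]]:
    """Service tickets whose enctype is missing from that principal's keytab entries.

    Such a ticket cannot be decrypted by the service, so SPNEGO fails even though the
    trust and the name rules are correct."""
    problems = []
    for princ, etype in tickets.items():
        if princ.startswith("krbtgt/"):
            continue                       # TGTs are decrypted by KDCs, not by this keytab
        have = keytab.get(princ, set())
        if etype not in have:
            problems.append((princ, etype, sorted(have)))
    return problems


if __name__ == "__main__":
    tickets = parse_ticket_cache(KLIST_E)
    keytab = parse_keytab(KLIST_KET)
    xr = cross_realm_tgt(tickets, "AD.EXAMPLE.COM", "EXAMPLE.COM")
    print("cross-realm TGT enctype:", xr or "MISSING (trust not working)")
    for princ, etype, have in enctype_mismatches(tickets, keytab):
        print(f"{princ}: ticket uses {etype}, keytab has {', '.join(have) or 'no keys'}")
```

On the constructed sample the trust itself is fine (the krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM referral is present), but the MIT KDC issued the Storm UI ticket with aes256-cts-hmac-sha1-96 while the keytab only carries aes128 and RC4 keys, so the UI cannot decrypt it and negotiation fails after the trust step succeeded. Regenerating the keytab with the enctype the KDC uses (or aligning the KDC's supported enctypes with the AD side) clears the report. The enctype of the cross-realm TGT is the one to compare against the trust principal on the MIT side when the referral itself is what fails.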