Configuring Storm for Kerberos Over Ambari
Chapter 7. Known Issues

Issue: Ambari does not show the security configuration on the Storm configuration tab, so you cannot add users to nimbus.admins.

Workaround: To give permissions to other users, use topology.users or topology.groups.

Issue: In an AD+MIT setup, when trying to access Nimbus on a Kerberized cluster, an HTTP 413 full HEAD error is received. (STORM-633)

Workaround: Add ui.header.buffer.bytes : “65536” under “Custom storm-site” on the Ambari Storm configuration tab.

Issue: Log viewer. We recommend against creating HTTP principal keytabs for supervisors. This can cause the SPNEGO protocol to fail.

Workaround:


  1. Add the HTTP principal for Storm supervisor nodes too. For example:

    sudo /usr/sbin/kadmin.local -q 'addprinc -randkey HTTP/<supervisor-hostname>'


    <supervisor-hostname> is your hostname and domain for Kerberos; for example:

  2. Add this principal for all hosts that run supervisor machines.

    For example:

    sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/"

  3. Add the newly created HTTP principals to the spnego.service.keytab file.

  4. Make sure that the spnego.service.keytab file has “storm” user privileges for read operations.

  5. Distribute this keytab to all supervisor hosts.

  6. On the supervisor node, edit /etc/storm/conf/storm.yaml. Change the ui.filter.parameters as follows, replacing <supervisor-hostname> with the hostname of your supervisor process:

    "type": "kerberos"

    "kerberos.principal": "HTTP/<supervisor-hostname>"

    "kerberos.keytab": "/vagrant/keytabs/http.keytab"

  7. On each supervisor machine, change the kerberos.principal hostname to that supervisor’s hostname.

  8. Restart the log viewer.

  9. Add supervisor hosts to network.negotiate-auth.trusted-uris (similar to the steps needed to access the Storm UI).
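
A check for steps 2 to 7 on a single supervisor host, as an added example that is not part of the original documentation: it confirms that the principal in storm.yaml names this host, that the keytab holds a matching HTTP entry, and that the keytab is readable by storm but closed to other users. The function names and script arguments are assumptions, and it relies on MIT `klist -k`, `hostname -f` and `sudo`.

```shell
#!/bin/sh
# Added example (not from the original documentation); function names are hypothetical.

# Print the host part of "kerberos.principal" found in a storm.yaml (step 6).
# An unreplaced <supervisor-hostname> placeholder is printed as-is and will not match.
yaml_principal_host() {
    sed -n 's|^[[:space:]]*"kerberos\.principal"[[:space:]]*:[[:space:]]*"HTTP/\([^"@]*\).*|\1|p' "$1" | head -n 1
}

# Read `klist -k` output on stdin; succeed only if it lists HTTP/<host>.
# The comparison is exact: Kerberos principal names are case-sensitive.
keytab_has_http_principal() {
    awk -v want="HTTP/$1" '
        { p = $NF; sub(/@.*/, "", p); if (p == want) found = 1 }
        END { exit !found }'
}

# Succeed only if the keytab exists and grants no permissions to "other".
keytab_closed_to_other() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# On a supervisor host: sh check-logviewer-spnego.sh <storm.yaml> <keytab>
if [ "$#" -eq 2 ]; then
    host=$(hostname -f)
    [ "$(yaml_principal_host "$1")" = "$host" ] ||
        echo "FAIL: kerberos.principal in $1 does not name $host (step 7)"
    klist -k "$2" | keytab_has_http_principal "$host" ||
        echo "FAIL: $2 has no HTTP/$host entry (steps 2-3)"
    sudo -u storm test -r "$2" ||
        echo "FAIL: user storm cannot read $2 (step 4)"
    keytab_closed_to_other "$2" ||
        echo "FAIL: $2 is missing or open to other users"
fi
```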