Configuring Storm for Kerberos Over Ambari
Chapter 5. Accessing the Storm UI (Active Directory Trust Configuration)

If your cluster is configured with an Active Directory trust, the Active Directory ticket is used to negotiate securely with the MIT KDC. The following additional configuration steps are required:

  1. Make sure the UI Kerberos authentication-to-local rules are configured properly. Once an Active Directory principal is used to negotiate with the MIT KDC, a rule is needed to translate it into the local account on the Storm UI node. These rules can often be copied from core-site.xml.

    For example:

       "type": "kerberos"
       "kerberos.principal": "HTTP/"
       "kerberos.keytab": "/vagrant/keytabs/http.keytab"
       "": "RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT"

    Note: The rules are supplied as a single string and are not separated by commas.

  2. Create mappings for the MIT domain KDC and for the resources used in that domain, in this case the Storm UI.

    On a Windows workstation, you would run the following commands from the command line:

    ksetup /AddKDC $DOMAIN $KDC

    ksetup /AddHostToRealmMap $hadoop_resource $DOMAIN

    Note: this step adds registry entries in HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm.
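The translation performed by the name rules in step 1 can be checked before the rules are deployed. The script below is an added example, not code from this guide or from Storm: it re-implements in Python the rule semantics of Hadoop's KerberosName (component count, format, regex match, sed substitution, DEFAULT) and applies the rule string shown above. The account names mapred and hdfs standing in for $MAPRED_USER and $HDFS_USER, the trusted realm CORP.AD.EXAMPLE.COM and the extra rule written for it are assumptions made for the example.

```python
"""Evaluate Hadoop-style auth_to_local rules as used by the Storm UI Kerberos filter.

Added example, not part of this guide or of Storm: a Python re-implementation of the
rule semantics of Hadoop's KerberosName (format, regex match, sed substitution, DEFAULT),
so a principal-to-local-user mapping can be checked before the rules are deployed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Grammar as in Hadoop's parser: DEFAULT or RULE:[n:fmt](regex)s/from/to/g; regex and sed optional.
RULE_RE = re.compile(
    r"\s*(?:(DEFAULT)|RULE:\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(?:s/([^/]*)/([^/]*)/(g)?)?)"
)
# A principal has one or two components and a realm, e.g. nn/host1.example.com@EXAMPLE.COM.
PRINCIPAL_RE = re.compile(r"([^/@]+)(?:/([^/@]+))?@([^/@]+)")


@dataclass
class Rule:
    is_default: bool
    num_components: int = 0
    fmt: str = ""
    regex: Optional[re.Pattern] = None
    sed_from: Optional[str] = None
    sed_to: str = ""
    sed_global: bool = False


def parse_rules(rules_text: str) -> List[Rule]:
    """Parse the single rule string (no commas; the rules simply follow one another)."""
    rules: List[Rule] = []
    text, pos = rules_text.strip(), 0
    while pos < len(text):
        m = RULE_RE.match(text, pos)
        if not m:
            raise ValueError(f"invalid rule syntax near {text[pos:pos + 40]!r}")
        if m.group(1):
            rules.append(Rule(is_default=True))
        else:
            regex = re.compile(m.group(4)) if m.group(4) is not None else None
            rules.append(Rule(False, int(m.group(2)), m.group(3), regex,
                              m.group(5), m.group(6) or "", m.group(7) == "g"))
        pos = m.end()
    return rules


def apply_rule(rule: Rule, components: List[str], realm: str, default_realm: str) -> Optional[str]:
    """Return the local name one rule produces, or None when the rule does not apply."""
    if rule.is_default:
        # DEFAULT maps only principals of the local (MIT) realm, to their first component.
        return components[0] if realm == default_realm else None
    if len(components) != rule.num_components:
        return None
    params = [realm] + components  # $0 is the realm, $1 and $2 are the components
    formatted = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], rule.fmt)
    if rule.regex is not None and not rule.regex.fullmatch(formatted):
        return None
    if rule.sed_from is None:
        return formatted
    # sed_to is handed to re.sub unchanged, so backreferences use Python's \1 form.
    return re.sub(rule.sed_from, rule.sed_to, formatted, count=0 if rule.sed_global else 1)


def translate(principal: str, rules: List[Rule], default_realm: str) -> Optional[str]:
    """Map a principal to a local account with the first matching rule; None if none matches."""
    m = PRINCIPAL_RE.fullmatch(principal)
    if not m:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    primary, instance, realm = m.groups()
    components = [primary] + ([instance] if instance else [])
    for rule in rules:
        local = apply_rule(rule, components, realm, default_realm)
        if local is not None:
            if "@" in local or "/" in local:  # Hadoop rejects results that still look like a principal
                raise ValueError(f"rule produced a non-simple name: {local!r}")
            return local
    return None


# Rule string from the guide. $MAPRED_USER and $HDFS_USER are assumed to be filled in by
# Ambari before Storm sees them; fill_service_users() stands in for that step here.
PAGE_RULES = ("RULE:[2:$1@$0]([jt]t@.*EXAMPLE.COM)s/.*/$MAPRED_USER/ "
              "RULE:[2:$1@$0]([nd]n@.*EXAMPLE.COM)s/.*/$HDFS_USER/DEFAULT")
SERVICE_USERS = {"MAPRED_USER": "mapred", "HDFS_USER": "hdfs"}  # assumed account names
# Hypothetical trusted AD realm; this extra rule strips it so that AD users get a local name.
AD_RULE = r"RULE:[1:$1@$0](.*@CORP\.AD\.EXAMPLE\.COM)s/@.*// "


def fill_service_users(rules_text: str) -> str:
    for name, user in SERVICE_USERS.items():
        rules_text = rules_text.replace("$" + name, user)
    return rules_text


if __name__ == "__main__":
    for label, text in (("MIT rules only", PAGE_RULES), ("with AD rule", AD_RULE + PAGE_RULES)):
        rules = parse_rules(fill_service_users(text))
        for p in ("nn/host1.example.com@EXAMPLE.COM", "alice@EXAMPLE.COM", "bob@CORP.AD.EXAMPLE.COM"):
            print(f"{label:15} {p:38} -> {translate(p, rules, 'EXAMPLE.COM')}")
```

With only the rules from the guide, a principal from the trusted realm resolves to no local user at all, which is exactly the situation step 1 warns about; the extra one-component rule for the AD realm is what turns it into a plain account name.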


To troubleshoot configuration issues, try accessing the Storm UI within the cluster using the curl command.

For example:

curl -i --negotiate -u:anyUser -b ~/cookiejar.txt -c ~/cookiejar.txt http://storm-ui-hostname:8080/api/v1/cluster/summary

This will help you determine whether the Kerberos UI configuration is working.

To isolate the issue, repeat the test with Storm service keytabs and with user principals.
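Reading the output of the curl command above is easier when the headers are parsed rather than eyeballed. The following script is an added example, not code from this guide or from Storm: it parses the response blocks that curl -i prints (the 401 challenge followed by the final answer), looks at the last one, and names the configuration area from this chapter that the result points at. The sample transcripts are constructed. The hadoop.auth cookie is the one Hadoop's AuthenticationFilter sets after a successful negotiation; that the Storm UI filter behaves the same way is an assumption of this example.

```python
"""Interpret the output of `curl -i --negotiate` against the Storm UI.

Added example, not from this guide or from Storm. It parses the raw headers that curl -i
prints for every response in the negotiation and classifies the final one. The sample
responses are constructed; the hadoop.auth cookie name comes from Hadoop's
AuthenticationFilter and is assumed to apply to the Storm UI filter as well.
"""
import re
from typing import Dict, List, Tuple

Headers = Dict[str, List[str]]


def split_responses(raw: str) -> List[str]:
    """curl -i prints every response of the negotiation; return them in order."""
    parts = re.split(r"(?m)^(?=HTTP/\d)", raw)
    return [p for p in parts if p.strip()]


def parse_response(block: str) -> Tuple[int, Headers]:
    """Return (status code, headers); names lower-cased, repeated headers kept in a list."""
    head = block.split("\r\n\r\n", 1)[0]
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: Headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def diagnose(raw: str) -> Tuple[str, str]:
    """Classify the final response and point at the configuration area to check."""
    status, headers = parse_response(split_responses(raw)[-1])
    challenges = headers.get("www-authenticate", [])
    auth_cookie = any(c.lower().startswith("hadoop.auth=") for c in headers.get("set-cookie", []))
    if status == 200 and auth_cookie:
        return "ok", "SPNEGO succeeded and the UI issued its auth cookie"
    if status == 200:
        return "unprotected", "the UI answered without authenticating; check the UI filter type and params"
    if status == 401 and any(c.startswith("Negotiate") for c in challenges):
        return "negotiate-failed", ("the UI asked for Kerberos but accepted no ticket; check the client "
                                    "ticket, the HTTP principal and keytab, and the encryption types on both KDCs")
    if status == 401:
        return "wrong-scheme", f"the UI offered {challenges or 'no scheme'} instead of Negotiate; check the filter type"
    if status == 403:
        return "unauthorized", "authenticated, but the mapped local user is not permitted; check the name rules"
    return "unexpected", f"HTTP {status}"


# Constructed transcripts of what curl -i would print in each situation (not real output).
SUCCESS = (
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
    "Set-Cookie: hadoop.auth=\"u=alice&p=alice@EXAMPLE.COM&t=kerberos\"; HttpOnly\r\n\r\n"
    "{\"stormVersion\": \"x.y.z\"}"
)
NO_TICKET = "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n"
NO_FILTER = "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"stormVersion\": \"x.y.z\"}"
DENIED = (
    "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Negotiate\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n<html>User alice is not authorized</html>"
)

if __name__ == "__main__":
    for name, transcript in (("success", SUCCESS), ("no ticket", NO_TICKET),
                             ("no filter", NO_FILTER), ("denied", DENIED)):
        code, hint = diagnose(transcript)
        print(f"{name:10} -> {code}: {hint}")
```

In practice you would pipe the saved output of the curl command into diagnose(); the point of looking only at the last response is that the initial 401 with WWW-Authenticate: Negotiate is normal and does not by itself indicate a problem.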

Two other important things to check are:

  • Make sure that the trust is working properly.

  • Make sure that the encryption types match on both KDCs.