Security

Enabling Browser Access to a SPNEGO-enabled Web UI

  1. Install Kerberos on your local machine (search for instructions on how to install a Kerberos client on your local environment).

  2. Configure the krb5.conf file on your local machine. For testing on an HDP cluster, copy the /etc/krb5.conf file from one of the cluster hosts to your local machine at /etc/krb5.conf.

  3. Create your own keytabs and run kinit. For testing on an HDP cluster, copy the "ambari_qa" keytab file from /etc/security/keytabs/smokeuser.headless.keytab on one of the cluster hosts to your local machine, then run the following command:

    kinit -kt smokeuser.headless.keytab ambari-qa@EXAMPLE.COM

  4. Use the following steps to enable Kerberos SPNEGO in your web browser.

    For Chrome on Mac:

    Run the following command from the same shell in which you ran the previous kinit command to launch Chrome:

    /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*.hwx.site"

    • Replace .hwx.site with your own domain name.

    • If you get the following error, try closing and relaunching all Chrome browser windows.

      [14617:36099:0810/152439.802775:ERROR:browser_gpu_channel_host_factory.cc(103)] Failed to launch GPU process.

    For Firefox:

    1. Navigate to the about:config URL (type about:config in the address box, then press the Enter key).

    2. Scroll down to network.negotiate-auth.trusted-uris and change its value to your cluster domain name (for example, .hwx.site).

    3. Change the value of network.negotiate-auth.delegation-uris to your cluster domain name (for example, .hwx.site).
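
Before troubleshooting the browser settings, it helps to confirm from the same shell that the ticket obtained with kinit is accepted by the web UI. The script below is an added example, not part of the original documentation: it uses klist and curl's --negotiate option, and the function names, result labels and sample headers are constructed for illustration. Called with the URL of a web UI it performs the live check; with no argument it classifies the constructed samples.

```shell
#!/bin/sh
# Added example: check a SPNEGO-protected URL from the shell that holds the
# Kerberos ticket. Function names and result labels are hypothetical.

# classify_spnego STATUS HEADERS: interpret the final HTTP status together
# with every response header seen during the exchange.
classify_spnego() {
    status=$1
    if printf '%s\n' "$2" | grep -qi '^www-authenticate:[[:space:]]*negotiate'; then
        challenged=yes   # the server asked for Kerberos/SPNEGO
    else
        challenged=no
    fi
    case "$challenged:$status" in
        yes:2??|yes:3??) echo spnego-ok ;;
        yes:401) echo ticket-missing-or-rejected ;;    # token absent or not accepted
        yes:403) echo forbidden-after-challenge ;;     # refused; see the server logs
        no:401)  echo negotiate-not-offered ;;         # endpoint uses another scheme
        no:2??|no:3??) echo no-challenge-inconclusive ;;  # never challenged: proves nothing
        *) echo "unexpected-$status" ;;
    esac
}

# check_url URL: live check; needs a ticket from kinit and a curl built with
# GSS-API support. "-u :" makes curl take the identity from the ticket cache.
check_url() {
    klist -s || { echo "no valid ticket, run kinit first" >&2; return 2; }
    out=$(curl -s --negotiate -u : -o /dev/null -D - -w '%{http_code}' "$1") || return 3
    classify_spnego "${out##*[!0-9]}" "$out"
}

# Constructed sample header dumps (not captured from a real cluster).
SAMPLE_OK='HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate

HTTP/1.1 200 OK
Content-Type: text/html'
SAMPLE_DENIED='HTTP/1.1 401 Authentication required
WWW-Authenticate: Negotiate'
SAMPLE_OPEN='HTTP/1.1 200 OK
Content-Type: text/html'

if [ "$#" -gt 0 ]; then
    check_url "$1"
else
    classify_spnego 200 "$SAMPLE_OK"
    classify_spnego 401 "$SAMPLE_DENIED"
    classify_spnego 200 "$SAMPLE_OPEN"
fi
```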