Enabling Browser Access to a SPNEGO-enabled Web UI
Install Kerberos on your local machine (search for instructions on how to install a Kerberos client on your local environment).
Configure the
krb5.conf
file on your local machine. For testing on a HDP cluster, copy the/etc/krb5.conf
file from one of the cluster hosts to your local machine at/etc/krb5.conf
.Create your own keytabs and run
kinit
. For testing on a HDP cluster, copy the "ambari_qa" keytab file from/etc/security/keytabs/smokeuser.headless.keytab
on one of the cluster hosts to your local machine, then run the following command:kinit -kt smokeuser.headless.keytab ambari-qa@EXAMPLE.COM
Use the following steps to enable your web browser with Kerberos SPNEGO.
For Chrome on Mac:
Run the following command from the same shell in which you ran the previous
kinit
command to launch Chrome:/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*.hwx.site"
Replace
.hwx.site
with your own domain name.If you get the following error, try closing and relaunching all Chrome browser windows.
[14617:36099:0810/152439.802775:ERROR:browser_gpu_channel_host_factory.cc(103)] Failed to launch GPU process.
For FireFox:
Navigate to the about:config URL (type
about:config
in the address box, then press the Enter key).Scroll down to
network.negotiate-auth.trusted-uris
and change its value to your cluster domain name (For example,.hwx.site
).Change the value of
network.negotiate-auth.delegation-uris
to your cluster domain name (For example,.hwx.site
).