Enabling Browser Access to a SPNEGO-enabled Web UI
Install Kerberos on your local machine (search for instructions on how to install a Kerberos client on your local environment).
Configure the
krb5.conffile on your local machine. For testing on a HDP cluster, copy the/etc/krb5.conffile from one of the cluster hosts to your local machine at/etc/krb5.conf.Create your own keytabs and run
kinit. For testing on a HDP cluster, copy the "ambari_qa" keytab file from/etc/security/keytabs/smokeuser.headless.keytabon one of the cluster hosts to your local machine, then run the following command:kinit -kt smokeuser.headless.keytab ambari-qa@EXAMPLE.COM
Use the following steps to enable your web browser with Kerberos SPNEGO.
For Chrome on Mac:
Run the following command from the same shell in which you ran the previous
kinitcommand to launch Chrome:/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*.hwx.site"
Replace
.hwx.sitewith your own domain name.If you get the following error, try closing and relaunching all Chrome browser windows.
[14617:36099:0810/152439.802775:ERROR:browser_gpu_channel_host_factory.cc(103)] Failed to launch GPU process.
For FireFox:
Navigate to the about:config URL (type
about:configin the address box, then press the Enter key).Scroll down to
network.negotiate-auth.trusted-urisand change its value to your cluster domain name (For example,.hwx.site).Change the value of
network.negotiate-auth.delegation-uristo your cluster domain name (For example,.hwx.site).