Enable Browser Access to a SPNEGO-enabled Web UI
How to enable browser access to a SPNEGO-enabled web UI.
- Install Kerberos on your local machine (search for instructions on how to install a Kerberos client on your local environment).
-
Configure the
krb5.conf
file on your local machine. For testing on a HDP cluster, copy the/etc/krb5.conf
file from one of the cluster hosts to your local machine at/etc/krb5.conf
. Create your own keytabs and runkinit
. For testing on a HDP cluster, copy the "ambari_qa" keytab file from/etc/security/keytabs/smokeuser.headless.keytab
on one of the cluster hosts to your local machine, then run the following command:kinit -kt smokeuser.headless.keytab ambari-qa@EXAMPLE.COM
-
Enable your web browser with Kerberos SPNEGO:
-
For Chrome on Mac:
- Run the following command from the same shell in which you ran
the previous
kinit
command to launch Chrome:/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --auth-server-whitelist="*.hwx.site"
Replace
.hwx.site
with your own domain name. - If you get the following error, try closing and relaunching all Chrome
browser
windows.
[14617:36099:0810/152439.802775:ERROR:browser_gpu_channel_host_factory.cc(103)] Failed to launch GPU process.
- Run the following command from the same shell in which you ran
the previous
-
For Firefox:
- Navigate to the about:config URL (type
about:config
in the address box, then press the Enter key). - Scroll down to
network.negotiate-auth.trusted-uris
and change its value to your cluster domain name (For example,.hwx.site
). - Change the value of
network.negotiate-auth.delegation-uris
to your cluster domain name (For example,.hwx.site
).
- Navigate to the about:config URL (type
-
For Chrome on Mac: