Known Issues with Storm for Kerberos
Reference of known issues with Storm for Kerberos.
Issue: Ambari does not show the security configuration on the Storm configuration tab, so you cannot add users to nimbus.admins.
Workaround: To give permissions to other users, use
Issue: In an AD+MIT setup, accessing Nimbus on a Kerberized cluster returns an HTTP 413 full HEAD error. (STORM-633)
Workaround: Set ui.header.buffer.bytes : "65536" under "Custom storm-site" on the Ambari Storm configuration tab.
Issue: Log viewer. We recommend against creating HTTP principal keytabs for supervisors. This can cause the SPNEGO protocol to fail.
- Add the HTTP principal for Storm supervisor nodes too. For example:
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey HTTP/<supervisor-hostname>'
<supervisor-hostname> is your hostname and domain for Kerberos; for example:
- Add this principal for all hosts that run supervisor machines.
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/supervisor1.host1.com@HOST1.COM"
- Add the newly created HTTP principals to the
- Make sure that the spnego.service.keytab file has “storm” user privileges for read operations.
- Distribute this keytab to all supervisor hosts.
- On the supervisor node, edit /etc/storm/conf/storm.yaml. Change the ui.filter.parameters as follows, replacing <supervisor-hostname> with the hostname of your supervisor process:
- On each supervisor machine change the Kerberos.principal hostname to that supervisor’s hostname.
- Restart the log viewer.
- Add supervisor hosts to network.negotiate-auth.trusted-uris (similar to the steps needed to access the Storm UI).
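
A post-change check for the keytab steps above, as an added example that is not part of the original page: one function reads `klist -k` output and reports supervisor hosts that have no HTTP principal in the keytab, the other rejects a keytab that grants any access to "other". The function names, the nimbus hostname in the sample and the world-access check are assumptions of this example, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: verify the supervisor SPNEGO keytab.

# Constructed sample of `klist -k` output (realm and supervisor1 follow the page).
SAMPLE_KLIST='Keytab name: FILE:/etc/security/keytabs/spnego.service.keytab
KVNO Principal
---- ------------------------------------------------
   2 HTTP/supervisor1.host1.com@HOST1.COM
   2 HTTP/supervisor1.host1.com@HOST1.COM
   1 HTTP/nimbus.host1.com@HOST1.COM'

# Usage: klist -k <keytab> | missing_http_principals <REALM> <host>...
# Prints each host with no HTTP/<host>@<REALM> entry; returns 1 if any is missing.
# Expects plain `klist -k` (or -kt) output; with -e the last field is the enctype.
missing_http_principals() {
    mhp_realm=$1; shift
    # Entry lines start with a numeric KVNO; the principal is the last field.
    mhp_entries=$(awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u)
    mhp_rc=0
    for mhp_host in "$@"; do
        # -x -F: exact whole-line match, so a partial hostname never passes.
        if ! printf '%s\n' "$mhp_entries" |
                grep -qxF "HTTP/${mhp_host}@${mhp_realm}"; then
            printf '%s\n' "$mhp_host"
            mhp_rc=1
        fi
    done
    return "$mhp_rc"
}

# Returns 0 only if the keytab is a regular file with no permission bits for
# "other". Assumption: owner/group are set so the storm user can still read it.
keytab_not_world_accessible() {
    [ -f "$1" ] || return 1
    case $(ls -ld -- "$1") in
        ???????---*) return 0 ;;   # e.g. -r--r----- (mode 440)
        *)           return 1 ;;
    esac
}

# Demo on the constructed sample: supervisor2 has no entry yet.
printf '%s\n' "$SAMPLE_KLIST" |
    missing_http_principals HOST1.COM supervisor1.host1.com supervisor2.host1.com ||
    echo "keytab is missing HTTP principals for the hosts listed above" >&2
```
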