Known Issues with Storm for Kerberos
Reference of known issues with Storm for Kerberos.
Issue: Ambari does not show the security configuration on the Storm configuration tab, so you cannot add users to nimbus.admins.
Workaround: To give permissions to other users, use topology.users or topology.groups.
Issue: In an AD+MIT setup, when trying to access Nimbus on a Kerberized cluster, an HTTP 413 full HEAD error is received. (STORM-633)
Workaround: Add ui.header.buffer.bytes : "65536" under "Custom storm-site" on the Ambari Storm configuration tab.
Issue: Log viewer. We recommend against creating HTTP principal keytabs for supervisors. This can cause the SPNEGO protocol to fail.
Workaround:
- Add the HTTP principal for Storm supervisor nodes too. For example:
sudo /usr/sbin/kadmin.local -q 'addprinc -randkey HTTP/<supervisor-hostname>'
where <supervisor-hostname> is your hostname and domain for Kerberos; for example: supervisor1.host1.com@HOST1.COM
- Add this principal for all hosts that run supervisor machines.
For example:
sudo /usr/sbin/kadmin.local -q "ktadd -k /etc/security/keytabs/spnego.service.keytab HTTP/supervisor1.host1.com@HOST1.COM"
- Add the newly created HTTP principals to the spnego.service.keytab file.
- Make sure that the spnego.service.keytab file has "storm" user privileges for read operations.
- Distribute this keytab to all supervisor hosts.
- On the supervisor node, edit /etc/storm/conf/storm.yaml. Change the ui.filter.parameters as follows, replacing <supervisor-hostname> with the hostname of your supervisor process:
"type": "kerberos"
"kerberos.principal": "HTTP/<supervisor-hostname>"
"kerberos.keytab": "/vagrant/keytabs/http.keytab"
- On each supervisor machine, change the kerberos.principal hostname to that supervisor's hostname.
- Restart the log viewer.
- Add supervisor hosts to network.negotiate-auth.trusted-uris (similar to the steps needed to access the Storm UI).
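
A per-host consistency check for the storm.yaml and keytab steps above, as an added example that is not part of the original page or of Storm. The function names are hypothetical, the sample file and hostnames are constructed, and the world-readable keytab test is an extra check beyond what the page asks for.

```shell
#!/bin/sh
# Added example: consistency check for the log viewer SPNEGO settings.
# Assumes the three quoted keys appear in storm.yaml as shown on this page.

# Print the value of a quoted key, e.g. "kerberos.principal": "HTTP/host"
yaml_value() {  # $1 = file, $2 = key
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -n "s/^[[:space:]]*\"$key\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Return 0 when the filter settings match this supervisor, 1 otherwise.
check_logviewer_spnego() {  # $1 = storm.yaml, $2 = this supervisor's FQDN
    conf=$1; host=$2; rc=0
    ftype=$(yaml_value "$conf" type)
    principal=$(yaml_value "$conf" kerberos.principal)
    keytab=$(yaml_value "$conf" kerberos.keytab)

    [ "$ftype" = kerberos ] || { echo "FAIL: type is '$ftype', expected 'kerberos'"; rc=1; }

    case $principal in
        HTTP/*) p_host=${principal#HTTP/}; p_host=${p_host%@*}   # drop optional @REALM
                [ "$p_host" = "$host" ] ||
                    { echo "FAIL: principal host '$p_host' is not '$host'"; rc=1; } ;;
        *)      echo "FAIL: '$principal' is not an HTTP/ service principal"; rc=1 ;;
    esac

    # Run as the storm user so that -r tests that account's read access.
    if [ -z "$keytab" ] || [ ! -r "$keytab" ]; then
        echo "FAIL: keytab '$keytab' is missing or not readable"; rc=1
    elif [ -n "$(find "$keytab" -perm -004)" ]; then
        echo "FAIL: keytab '$keytab' is world-readable"; rc=1
    fi
    return $rc
}

# Demo on a constructed storm.yaml and an empty stand-in keytab file.
demo() {
    d=$(mktemp -d); : > "$d/http.keytab"; chmod 600 "$d/http.keytab"
    cat > "$d/storm.yaml" <<EOF
ui.filter.parameters:
  "type": "kerberos"
  "kerberos.principal": "HTTP/supervisor1.host1.com"
  "kerberos.keytab": "$d/http.keytab"
EOF
    check_logviewer_spnego "$d/storm.yaml" supervisor1.host1.com && echo "supervisor1: OK"
    check_logviewer_spnego "$d/storm.yaml" supervisor2.host1.com || echo "supervisor2: mismatch detected"
    rm -rf "$d"
}
demo
```

On a real supervisor, call check_logviewer_spnego with /etc/storm/conf/storm.yaml and that host's fully qualified name before restarting the log viewer.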