Enabling Kerberos authentication
You need to enable Kerberos authentication in Cloudera Manager as well as directly for your browser to securely reach the Streaming SQL Console, and to use Knox authentication.
When Kerberos authentication is set up for SSB, and an unauthorized user wants to reach the
Streaming SQL Console, the following error message appears:
- Go to your cluster in Cloudera Manager.
- Click SQL Stream Builder from the list of services.
- Go to the Configuration tab.
- Select .
- Type kerberos in the search field.
- Select the Enable Kerberos authentication setting.
- Open a terminal window.
- Configure your browser for Kerberos authentication:
- Mozilla Firefox
- Load the
about:config
page to open the low level Firefox configuration. - Search for
network.negotiate-auth.trusted-uris
preference. - Open the
network.negotiate-auth.trusted-uris
preference. - Enter the hostnames of the SQL Stream Console are protected by Kerberos HTTP SPNEGO.
- Click Ok.
- Load the
- Internet Explorer
- Configure the Local Intranet Domain
- Click on the Settings icon in Internet Explorer.
- Go to Internet options > Security.
- Select Local Intranet zone.
- Click on Sites.
- Review that the following options are checked:
- Include all local (intranet) sites not listed in other zones
- Include all sites that bypass the proxy server are checked
- Click Advanced.
- Enter the hostnames and domains of the SQL Stream Console that are protected by Kerberos HTTP SPNEGO.
- Click Ok.
- Configure the Intranet Authentication
- Click on the Settings icon in Internet Explorer.
- Go to Internet options > Security.
- Select Local Intranet zone.
- Click on Custom level.
The Security Settings - Local Intranet Zone dialog box opens.
- Scroll down to the User Authentication options.
- Select Automatic logon only in Intranet Zone.
- Click Ok.
- Verify the Proxy Settings
- Make sure that you enabled a proxy server.
- Click on the Settings icon in Internet Explorer.
- Go to Internet options > Connections.
- Select LAN settings.
- Confirm that the proxy server Address and Port number are correct.
- Click Advanced.
The Proxy Settings dialog box opens.
- Add the Streaming SQL Console domains that are protected by Kerberos to the Exceptions field.
- Click Ok.
- Configure the Local Intranet Domain
- Google Chrome
- Windows
- Open Control Panel > Internet Options > Security.
- Perform the steps from the Internet Explorer configuration.
- MacOS
- Open a terminal window.
- Copy and paste the following
command:
defaults write com.google.Chrome AuthServerAllowlist "*<host_domain>,*<host_domain1>,*<host_domain2>" sudo scp <your_hostname>:/etc/krb5.conf /etc/krb5.conf
You will be prompted to provide your password.
kinit <username>
- Windows
- Mozilla Firefox