Date: Fri, 29 Apr 2016 15:50:25 +0000 (UTC)
From: Musty Rehmani
Reply-To: musty_rehmani@yahoo.com
To: Jeffrey Rodriguez, user@hadoop.apache.org
Message-ID: <245639170.5024108.1461945025842.JavaMail.yahoo@mail.yahoo.com>
Subject: Re: 403 when trying to access secure hadoop http UI /logs/ - any workaround? or explanation?

Do you have a principal and keytab created for the Ambari QA user? You may want to mimic the Kerberos configuration from hduser and give it a try.

On Fri, Apr 29, 2016 at 11:34 AM, Jeffrey Rodriguez wrote:

Hi Folks,

I am getting a 403 accessing a Kerberized cluster (Hadoop Kerberized).

kinit ..... valid Kerberos user...

curl -L --negotiate -u : http://localhost:50070/logs/

..
> GET /logs/ HTTP/1.1
> Authorization: Negotiate [base64 SPNEGO token omitted]
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:50070
> Accept: */*
>
< HTTP/1.1 403 User ambari-qa is unauthorized to access this page.
< Content-Type: text/html; charset=iso-8859-1
< Set-Cookie: hadoop.auth="u=ambari-qa&p=ambari-qa-testme@IBM.COM&t=kerberos&e=1461979860144&s=oXW3iQyX0/SAWxup9pngeyNSGO4="; Path=/; Domain=svl.ibm.com; Expires=Sat, 30-Apr-2016 01:31:00 GMT; HttpOnly

id ambari-qa

id ambari-qa
uid=1006(ambari-qa) gid=502(hadoop) groups=502(hadoop),100(users)

All super user/proxy set to *

Any reason why /logs/ are not accessible? Can that be set in configuration?

BTW if I run the request as hdfs user it succeeds, so hdfs service user has authorization.

This is confusing some users since they expect access for hadoop UI /logs/
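An added example, not part of the original thread: a small Python check that reads the status line and `hadoop.auth` cookie from the response quoted above and reports whether the request stopped at authentication or at authorization. The sample response is constructed from the quoted curl output; the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed from the response quoted in the thread (headers only).
SAMPLE_RESPONSE = (
    "HTTP/1.1 403 User ambari-qa is unauthorized to access this page.\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    'Set-Cookie: hadoop.auth="u=ambari-qa&p=ambari-qa-testme@IBM.COM&t=kerberos'
    '&e=1461979860144&s=oXW3iQyX0/SAWxup9pngeyNSGO4="; Path=/; '
    "Domain=svl.ibm.com; Expires=Sat, 30-Apr-2016 01:31:00 GMT; HttpOnly\r\n\r\n"
)

def parse_response(raw):
    """Return (status_code, hadoop.auth cookie value or None)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    cookie = None
    for line in head[1:]:
        name, _, value = line.partition(":")
        value = value.strip()
        if name.strip().lower() == "set-cookie" and value.startswith("hadoop.auth="):
            # Drop cookie attributes (Path, Domain, ...) and the surrounding quotes.
            cookie = value[len("hadoop.auth="):].split(";", 1)[0].strip('"') or None
    return status, cookie

def parse_auth_cookie(cookie):
    """Split the cookie into its token fields and the trailing signature."""
    token, sep, signature = cookie.rpartition("&s=")
    if not sep:
        raise ValueError("cookie carries no signature")
    fields = dict(part.partition("=")[::2] for part in token.split("&"))
    # 'e' is the expiry in milliseconds since the epoch.
    expires = datetime.fromtimestamp(int(fields["e"]) // 1000, tz=timezone.utc)
    return {"user": fields["u"], "principal": fields["p"], "type": fields["t"],
            "expires": expires, "signature": signature}

def diagnose(raw):
    """Return (stage that rejected the request, authenticated user or None)."""
    status, cookie = parse_response(raw)
    user = parse_auth_cookie(cookie)["user"] if cookie else None
    if status == 401 or (status == 403 and user is None):
        return ("authentication", None)
    if status == 403:
        # A token was issued, so SPNEGO succeeded; the denial is a permission check.
        return ("authorization", user)
    return ("ok", user)

if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE))
    print(parse_auth_cookie(parse_response(SAMPLE_RESPONSE)[1]))
```

For the quoted response this reports an authorization failure for `ambari-qa`: the server accepted the Kerberos ticket and issued a token, so the 403 comes from a permission check on `/logs/` rather than from the Negotiate handshake.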