Mailing-List: contact user-help@hadoop.apache.org; run by ezmlm
Precedence: bulk
MIME-Version: 1.0
Date: Fri, 29 Apr 2016 08:34:53 -0700
Message-ID: 
 <CA+qug_JwBpPhoxFic-p43LWQsoF4o2Mh-GKU2=zsZzstWSnxiQ@mail.gmail.com>
Subject: 403 when trying to access secure hadoop http UI /logs/ - any
 workaround? or explanation?
From: Jeffrey Rodriguez <jeffreyr97@gmail.com>
To: user@hadoop.apache.org
Content-Type: multipart/alternative; boundary=001a11453cf85f5a660531a16234

--001a11453cf85f5a660531a16234
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hi Folks,
      I am getting a 403 accessing Kerberized cluster (Hadoop Kerberized).

kinit ..... valid Kerberos user...

curl -L  --negotiate -u :  http://locathost:50070/logs/

..
> GET /logs/ HTTP/1.1
> Authorization: Negotiate
YIICVwYJKoZIhvcSAQICAQBuggJGMIICQqADAgEFoQMCAQ6iBwMFAAAAAACjggFjYYIBXzCCAVu=
gAwIBBaEJGwdJQk0uQ09NoicwJaADAgEDoR4wHBsESFRUUBsUYmRhdm00ODQuc3ZsLmlibS5jb2=
2jggEeMIIBGqADAgERoQMCAQaiggEMBIIBCGTmcjb1WNFRYaTCzAxgCC9ZMaKdHHyt+7qHV/Q4m=
RFyuhhouo0hFccjNH7TTC1eUXTf31+zo5Zfg3dNPV/NJ1WH53YdMYWHuHDAkWvd7amBPQB/j5q2=
pOqn+3X8DEW8hcPYo1vRrzLWht8BKmorxCNuRIDETw0Qn7Q9cETLPgPHbEqTCjeEKNqux/26CaJ=
8/Ixu6qBbj1DtsJzJZJCKbIVoYbj6hGajv4ACIXTXeIIUa9dqDXeI9R97OZXSVlq/M3foyltPQf=
jRL3DEWiDdavpmr/3LJbJ6rr3UYeZKona8Wz4SlGWKJwkqSTdBTdpHatVZVRXkTfkeuAi03HNVv=
ZwsJ1v1hPpCaqSBxTCBwqADAgERooG6BIG3jNhBU4niOi+a32hsF5qCAVDne7815PrvvGhweF14=
u+1nJ2Nk+54eQWUNNIF87AomF0vEoUFjzKtKJ6pAcTer9L9ab782acAhEH0H+O3kW88qc45LGhR=
tquimF2Xrguq1RrjPIlS1sAoTLtj/b0ctvcFQBH1Vuuryyn5AKyWBvW0IFVzBcJQcLlVjlFoaeA=
9RpF39BktO3RutCONA4/B/RzbeucEvIhyODss7XBs83o49KemsQT7x
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/
3.16.2.3 Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:50070
> Accept: */*
>
< HTTP/1.1 403 User ambari-qa is unauthorized to access this page.
< Content-Type: text/html; charset=3Diso-8859-1
< Set-Cookie: hadoop.auth=3D"u=3Dambari-qa&p=3Dambari-qa-testme@IBM.COM&t=
=3Dkerberos&e=3D1461979860144&s=3DoXW3iQyX0/SAWxup9pngeyNSGO4=3D";
Path=3D/; Domain=3Dsvl.ibm.com; Expires=3DSat, 30-Apr-2016 01:31:00 GMT; Ht=
tpOnly


id ambari-qa

id ambari-qa
uid=3D1006(ambari-qa) gid=3D502(hadoop) groups=3D502(hadoop),100(users)


All super user/proxy set to *

Any reason why /logs/ are not accessible? Can that be set in configuration?

BTW is I run the request as hdfs user it succeeds so hdfs service user has
authorization.

This is confusing some users since they expect access for hadoop UI /logs/

--001a11453cf85f5a660531a16234
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi Folks,<br></div>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 I a=
m getting a 403 accessing Kerberized cluster (Hadoop Kerberized). <br><br><=
div><div>kinit ..... valid Kerberos user...<br><br>curl -L=C2=A0 --negotiat=
e -u :=C2=A0 <a href=3D"http://locathost:50070/logs/">http://locathost:5007=
0/logs/</a><br><br>..<br>&gt; GET /logs/ HTTP/1.1<br>&gt; Authorization: Ne=
gotiate YIICVwYJKoZIhvcSAQICAQBuggJGMIICQqADAgEFoQMCAQ6iBwMFAAAAAACjggFjYYI=
BXzCCAVugAwIBBaEJGwdJQk0uQ09NoicwJaADAgEDoR4wHBsESFRUUBsUYmRhdm00ODQuc3ZsLm=
libS5jb22jggEeMIIBGqADAgERoQMCAQaiggEMBIIBCGTmcjb1WNFRYaTCzAxgCC9ZMaKdHHyt+=
7qHV/Q4mRFyuhhouo0hFccjNH7TTC1eUXTf31+zo5Zfg3dNPV/NJ1WH53YdMYWHuHDAkWvd7amB=
PQB/j5q2pOqn+3X8DEW8hcPYo1vRrzLWht8BKmorxCNuRIDETw0Qn7Q9cETLPgPHbEqTCjeEKNq=
ux/26CaJ8/Ixu6qBbj1DtsJzJZJCKbIVoYbj6hGajv4ACIXTXeIIUa9dqDXeI9R97OZXSVlq/M3=
foyltPQfjRL3DEWiDdavpmr/3LJbJ6rr3UYeZKona8Wz4SlGWKJwkqSTdBTdpHatVZVRXkTfkeu=
Ai03HNVvZwsJ1v1hPpCaqSBxTCBwqADAgERooG6BIG3jNhBU4niOi+a32hsF5qCAVDne7815Prv=
vGhweF14u+1nJ2Nk+54eQWUNNIF87AomF0vEoUFjzKtKJ6pAcTer9L9ab782acAhEH0H+O3kW88=
qc45LGhRtquimF2Xrguq1RrjPIlS1sAoTLtj/b0ctvcFQBH1Vuuryyn5AKyWBvW0IFVzBcJQcLl=
VjlFoaeA9RpF39BktO3RutCONA4/B/RzbeucEvIhyODss7XBs83o49KemsQT7x<br>&gt; User=
-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/<a href=3D=
"http://3.16.2.3">3.16.2.3</a> Basic ECC zlib/1.2.3 libidn/1.18 libssh2/1.4=
.2<br>&gt; Host: localhost:50070<br>&gt; Accept: */*<br>&gt; <br>&lt; HTTP/=
1.1 403 User ambari-qa is unauthorized to access this page.<br>&lt; Content=
-Type: text/html; charset=3Diso-8859-1<br>&lt; Set-Cookie: hadoop.auth=3D&q=
uot;u=3Dambari-qa&amp;p=3D<a href=3D"mailto:ambari-qa-testme@IBM.COM">ambar=
i-qa-testme@IBM.COM</a>&amp;t=3Dkerberos&amp;e=3D1461979860144&amp;s=3DoXW3=
iQyX0/SAWxup9pngeyNSGO4=3D&quot;; Path=3D/; Domain=3D<a href=3D"http://svl.=
ibm.com">svl.ibm.com</a>; Expires=3DSat, 30-Apr-2016 01:31:00 GMT; HttpOnly=
<br><br><br><br></div><div>id ambari-qa <br><br></div><div>id ambari-qa<br>=
uid=3D1006(ambari-qa) gid=3D502(hadoop) groups=3D502(hadoop),100(users)<br>=
<br><br></div><div>All super user/proxy set to *<br><br></div><div>Any reas=
on why /logs/ are not accessible? Can that be set in configuration?<br><br>=
</div><div>BTW is I run the request as hdfs user it succeeds so hdfs servic=
e user has authorization.<br><br></div><div>This is confusing some users si=
nce they expect access for hadoop UI /logs/<br></div></div></div>

--001a11453cf85f5a660531a16234--