Hey guys,

Thanks for your feedback. Indeed you were correct: the issue was that the guest user was not created on each node in the cluster. After doing so I was able to get webhdfs working through the gateway.

Before I continue discussing my issues with my custom service using Knox and Kerberos, I would like to ask a more general question, as I believe I may have gone about Kerberos the wrong way. I know this is the Knox user thread, but I’m sure you guys are in general good with securing Hadoop, so I’ll ask; if I should redirect the question to another group, please let me know.

Some brief background: My web application interacts with HBase (using client and REST) and Oozie (using client) quite frequently and thus will need to be authenticated to Kerberos to perform those actions. Since it's a service that is always running, I need a TGT pretty much indefinitely. How is this usually handled? Programmatically? Cron job issuing kinit using keytab? Or is this done via proxy, using doAs Java calls from the Hadoop Security classes?

My initial approach overlooked this issue: a TGT is generated at install time of the service, but after a given period of time it expires and the service starts throwing errors when it tries to access other services in the cluster. I would appreciate any best practices or common approaches anyone could share.

Regards,
Christopher Jackson
[email protected]

> On Dec 28, 2015, at 11:48 AM, Kevin Minder <[email protected]> wrote:
>
> In addition to Larry’s comments, this error:
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: org.apache.hadoop.security.authorize.AuthorizationException: User: knox is not allowed to impersonate guest"}}
> is usually caused by missing proxy user config:
> http://knox.apache.org/books/knox-0-6-0/user-guide.html#Grant+Proxy+privileges+for+Knox+user+in+%60core-site.xml%60+on+Hadoop+master+nodes
>
> From: Christopher Jackson <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Thursday, December 24, 2015 at 1:24 PM
> To: "[email protected]" <[email protected]>
> Subject: Custom Ambari Service using Knox and Kerberos.
>
> {"RemoteException":{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed to obtain user group information: org.apache.hadoop.security.authorize.AuthorizationException: User: knox is not allowed to impersonate guest"}}
