Configuring WebUI in Kerberos Enabled Clusters
Configure web browsers for accessing the Ambari WebUIs in Kerberos enabled Big Data Service clusters.
Note
To access a Kerberos enabled UI, the computer that runs the browser must be in a trusted Kerberos realm.
Prerequisites
- Confirm that the Ambari WebUI is available.
- Confirm that it's possible to access the cluster hosts from your environment.
- Be sure the principal that will be used on the Windows client is created on the cluster. This is necessary to access the cluster WebUIs from the Windows client. If the principal doesn't exist yet:
  - Create the principal:
      # kadmin.local
      kadmin.local: addprinc <TESTUSER>
  - Create the keytab for the principal on the same host where the principal was created:
      # kadmin.local
      kadmin.local: xst -k <TESTUSER>.keytab <TESTUSER>@<REALM>
  - Verify the keytab was created correctly:
      # kinit -kt <TESTUSER>.keytab <TESTUSER>@<REALM>
      # klist
  - Copy the keytab to a Windows working directory of your preference.
    Note
    On ODH clusters, we recommend you create keytabs. However, for testing purposes, you can use the keytab located in /etc/security/keytabs/smokeuser.headless.keytab.
- Open the required ports for Kerberos in the OCI Console using your Subnet Security rules. See Adding Ingress Rules, and set Kerberos: port 88 - protocol UDP and TCP.
Note
On a Mac system, if your network blocks UDP, prefix the kdc value with tcp/ in the krb5.conf file to force the client to use TCP.
[kdc = tcp/<REALM>.<DOMAIN>:88]
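
The keytab verification step in the prerequisites, as an added shell example that is not part of the original page: it checks that the keytab is not accessible to group or other, confirms it holds an entry for the principal, and runs kinit against a throwaway credential cache so tickets already held by the caller are left alone. The function names are hypothetical; kinit, klist and kdestroy are the Kerberos client tools used in the steps above.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Succeeds only if the keytab is a regular file with no group/other permission bits.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c5-10)   # group+other bits of e.g. -rw-------
    [ "$perms" = "------" ]
}

# Succeeds if the keytab holds at least one key for the given principal.
# "klist -kt" lists keytab entries with the principal as the last field.
keytab_has_principal() {
    klist -kt "$1" 2>/dev/null |
        awk -v p="$2" '$NF == p { found = 1 } END { exit !found }'
}

# Full check: permissions, entry present, then a real kinit into a
# temporary credential cache that is destroyed afterwards.
verify_keytab() {
    keytab=$1
    principal=$2
    keytab_mode_ok "$keytab" || {
        echo "FAIL: $keytab is missing or accessible to group/other" >&2
        return 1
    }
    keytab_has_principal "$keytab" "$principal" || {
        echo "FAIL: no entry for $principal in $keytab" >&2
        return 2
    }
    cc=$(mktemp) || return 3
    if KRB5CCNAME="FILE:$cc" kinit -kt "$keytab" "$principal"; then
        KRB5CCNAME="FILE:$cc" klist       # show the ticket that was obtained
        KRB5CCNAME="FILE:$cc" kdestroy    # drop it again
        rc=0
    else
        echo "FAIL: kinit with $keytab failed for $principal" >&2
        rc=4
    fi
    rm -f "$cc"
    return "$rc"
}
```

Run `verify_keytab <TESTUSER>.keytab <TESTUSER>@<REALM>` on the host where the keytab was created, before copying it to the Windows client.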