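After Kerberos authentication is enabled on HDP, the NameNode UI, ResourceManager UI and Spark2 History Server UI prompt for a login. If the Windows client and the KDC are integrated with the same Windows AD, the pages can be opened by logging in with an AD account; otherwise the browser shows: 401: Authorization required.
In that case, the problem can be solved by configuring anonymous access to the pages: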
--namenode ui
In HDFS -> Advanced core-site
set hadoop.http.authentication.simple.anonymous.allowed to true
In HDFS -> Custom core-site
set hadoop.http.authentication.type to simple
set hadoop.proxyuser.HTTP.groups to *
set hadoop.proxyuser.knox.groups to *
set hadoop.proxyuser.knox.hosts to *
set hadoop.proxyuser.yarn.hosts to *
--spark history ui: comment out the export line by putting # in front of it
In Spark2 -> Advanced spark2-env -> content
{% if security_enabled %}
#export SPARK_HISTORY_OPTS='-Dspark.ui.filters=org.apache.hadoop.security.authentication.server.AuthenticationFilter -Dspark.org.apache.hadoop.security.authentication.server.AuthenticationFilter.params="type=kerberos,kerberos.principal={{spnego_principal}},kerberos.keytab={{spnego_keytab}}"'
{% endif %}
--ResourceManager UI
In YARN -> Advanced ranger-yarn-security
set Add YARN Authorization to false
In YARN -> Custom yarn-site
set yarn.resourcemanager.proxy-user-privileges.enabled to false
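
With the core-site settings above, the web UIs accept requests without credentials and the listed proxy users may impersonate from any host or for any group, so it helps to be able to find clusters where the workaround is still in place. The following check is an added example, not part of the original post; the sample XML is constructed and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: core-site.xml after applying the NameNode UI settings above.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>true</value></property>
  <property><name>hadoop.proxyuser.knox.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.knox.hosts</name><value>*</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: value} from a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_core_site(xml_text):
    """List findings for the web-UI settings discussed on this page."""
    props = load_properties(xml_text)
    findings = []
    rpc_auth = props.get("hadoop.security.authentication", "simple").lower()
    http_type = props.get("hadoop.http.authentication.type", "simple").lower()
    anonymous = props.get(
        "hadoop.http.authentication.simple.anonymous.allowed", "true").lower()
    if rpc_auth == "kerberos" and http_type != "kerberos":
        findings.append("web UI auth is '%s' on a Kerberos cluster" % http_type)
    if http_type == "simple" and anonymous == "true":
        findings.append("anonymous web UI access allowed")
    for name, value in sorted(props.items()):
        # hadoop.proxyuser.<user>.hosts|groups = * lets <user> impersonate broadly
        if name.startswith("hadoop.proxyuser.") and value == "*":
            findings.append("wildcard impersonation: %s=*" % name)
    return findings


if __name__ == "__main__":
    for finding in audit_core_site(SAMPLE_CORE_SITE):
        print("FINDING:", finding)
```

An empty result means none of the core-site settings from this page are present; the Spark2 and YARN changes live in other config files and are not covered by this check.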