HttpFS Authentication
This section describes how to configure HttpFS CDH 6 with Kerberos security on a Hadoop cluster.
To enable HttpFS to work with Kerberos security on your Hadoop cluster, make sure you perform the installation and configuration steps in Enabling Kerberos Authentication for CDH.
If the NameNode, Secondary NameNode, DataNode, JobTracker, TaskTrackers, ResourceManager, NodeManagers, HttpFS, or Oozie services are configured to use Kerberos HTTP SPNEGO authentication, and two or more of these services are running on the same host, then all of the running services must use the same HTTP principal and keytab file used for their HTTP endpoints.
Using curl to access an URL Protected by Kerberos HTTP SPNEGO
Your version of curl must support GSS and be capable of running curl -V.
To configure curl to access an URL protected by Kerberos HTTP SPNEGO:
- Run curl -V:
$ curl -V curl 7.19.7 (universal-apple-darwin10.0) libcurl/7.19.7 OpenSSL/0.9.8l zlib/1.2.3 Protocols: tftp ftp telnet dict ldap http file https ftps Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz
- Login to the KDC using kinit.
$ kinit Please enter the password for tucu@LOCALHOST:
- Use curl to fetch the protected URL:
$ curl --cacert /path/to/truststore.pem --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://localhost:14000/webhdfs/v1/?op=liststatus
where:- The --cacert option is required if you are using TLS/SSL certificates that curl does not recognize by default.
- The --negotiate option enables SPNEGO in curl.
- The -u : option is required but the username is ignored (the principal that has been specified for kinit is used).
- The -b and -c options are used to store and send HTTP cookies.
- Cloudera does not recommend using the -k or --insecure option as it turns off curl's ability to verify the certificate.
<< Using Hive to Run Queries on a Secure HBase Server | ©2016 Cloudera, Inc. All rights reserved | Hue Authentication >> |
Terms and Conditions Privacy Policy |