Configure SPNEGO to Secure Web UIs in the Cluster
Procedure
1. On each node in the cluster that will receive inbound SPNEGO traffic, generate a Kerberos principal with the user name HTTP, of the form HTTP/<webserver name>. Use the fully qualified domain name as the name in the principal. Although you could also use a short name or the IP address for the principal name, using the fully qualified domain name keeps the name consistent with the principal names that configure.sh generates and includes in the mapr.login.conf file. Whatever you use as the principal name is what users will have to match exactly in a browser to access the protected web pages. Note that several services and components in a MapR cluster handle SPNEGO traffic, including the MCS, JobTracker, TaskTracker, and HBase, among others.

   You can name the keytab file mapr.keytab if that file does not already exist. If the mapr.keytab file already exists, generate the new principal to a different file name and merge it into the mapr.keytab file using the ktutil tool. The principal itself is created and written to a keytab with the kadmin commands addprinc and ktadd (these are kadmin commands, not ktutil commands):

       kadmin: addprinc -randkey HTTP/<webserver name>
       kadmin: ktadd -k /opt/mapr/conf/mapr.keytab HTTP/<webserver name>
2. Verify that the /opt/mapr/conf/mapr.login.conf file lists the correct principal in the MAPR_WEBSERVER_KERBEROS section.

   WARNING: To enable SPNEGO for MapR Control System (MCS) REST calls, on all nodes with the webserver role, add the following line to the /opt/mapr/conf/web.conf file:

       mapr.rest.auth.methods=kerberos,basic

   Restart MCS to make the change take effect.
Testing SPNEGO with curl

This example tests that the MCS is using GSS for REST calls made with curl.

First, verify that your curl build supports SPNEGO: under the "Features" header, the output of the command should show either GSS-Negotiate or SPNEGO:

    # curl --version
    curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
    Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP

Next, obtain a Kerberos ticket with the kinit -p <user> command, then test curl with the following command:

    curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://<web server node>:8443/rest/<API call> -k -v

The -k option skips TLS certificate verification and is only appropriate for this test against a node whose certificate is not yet trusted; the -u : option tells curl to take the identity from the Kerberos ticket rather than from a supplied password. This command returns HTTP/1.1 200 OK when curl is working correctly with SPNEGO.
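As an added example that is not part of this documentation, the following POSIX shell script encodes the three checks the procedure above depends on (a curl build with GSS-Negotiate or SPNEGO support, an HTTP/<fqdn> entry in the keytab, and kerberos in mapr.rest.auth.methods) so they can be run on each webserver node before the curl test. The script name spnego_check.sh is hypothetical; the functions take the text they inspect as an argument and are written against the output formats of curl --version and klist -kt.

```shell
#!/bin/sh
# Added example, not part of the MapR documentation: offline checks for the
# three preconditions the procedure above relies on. Each function reads the
# text it inspects from its first argument, so you can paste in real output of
# `curl --version`, `klist -kt /opt/mapr/conf/mapr.keytab` or web.conf, or run
# the checks live with `sh spnego_check.sh --live <fqdn>` (hypothetical name).

# Succeeds if the Features line of `curl --version` lists GSS-Negotiate or SPNEGO.
curl_supports_spnego() {
    printf '%s\n' "$1" | grep -i '^Features:' | grep -Eiq 'GSS-Negotiate|SPNEGO'
}

# Succeeds if the keytab listing (output of klist -kt) contains an HTTP/<fqdn>@REALM
# entry for the fully qualified web server name in $2; a short name or an IP
# address in the keytab will not match, which is the mismatch a browser would hit.
keytab_has_http_principal() {
    printf '%s\n' "$1" | grep -Fq "HTTP/$2@"
}

# Succeeds if web.conf sets mapr.rest.auth.methods to a list containing kerberos.
# Comment lines are ignored and the last assignment wins.
webconf_rest_auth_has_kerberos() {
    printf '%s\n' "$1" \
      | grep -v '^[[:space:]]*#' \
      | grep '^[[:space:]]*mapr\.rest\.auth\.methods[[:space:]]*=' \
      | tail -n 1 | cut -d= -f2- | tr -d ' \t' | tr ',' '\n' | grep -qx kerberos
}

# Live mode: run the checks on this host (needs curl, klist and a readable web.conf).
if [ "${1:-}" = "--live" ]; then
    fqdn="${2:-$(hostname -f)}"
    curl_supports_spnego "$(curl --version)" || echo "curl lacks GSS/SPNEGO support"
    keytab_has_http_principal "$(klist -kt /opt/mapr/conf/mapr.keytab)" "$fqdn" \
        || echo "no HTTP/$fqdn principal in /opt/mapr/conf/mapr.keytab"
    webconf_rest_auth_has_kerberos "$(cat /opt/mapr/conf/web.conf)" \
        || echo "mapr.rest.auth.methods in web.conf does not include kerberos"
fi
```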