名词解决
SPNEGO(SPNEGO: Simple and Protected GSS-API Negotiation)是微软提供的一种使用GSS-API认证机制的安全协议,用于使Webserver共享Windows Credentials,它扩展了Kerberos(一种网络认证协议)。
原因
当使用Kerberos进行认证时,通过Ambari-server访问某一个集群应用的HTTP协议API的时候,需要把Ambari WEB端已经通过GSS-API认证的Kerberos principal的Token,共享给集群应用的HTTP协议的API;如果Ambari未配置开启、配置SPNEGO安全协议,Ambari请求集群HTTP协议API获取数据时,将认证失败,无法获取数据。Ambari-server提示“SPNego authentication failed, can not get hadoop.auth cookie”错误信息
解决方法
1. 停止Ambari-server进程
[root@server bin]$ systemctl stop ambari-server
2. 开启并配置安全协议
[root@server bin]$ ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 3
Setting up Ambari kerberos JAAS configuration to access secured Hadoop daemons...
Enter ambari server's kerberos principal name (ambari@EXAMPLE.COM): ambari-server-test@TEST.COM
Enter keytab path for ambari server's kerberos principal: /etc/security/keytabs/ambari.server.keytab
Ambari Server 'setup-security' completed successfully.
3. 重启Ambari-server进程使之生效
[root@server bin]$ systemctl start ambari-server