名詞解決
SPNEGO(SPNEGO: Simple and Protected GSS-API Negotiation)是微軟提供的一種使用GSS-API認證機制的安全協議,用於使Webserver共享Windows Credentials,它擴展了Kerberos(一種網絡認證協議)。
原因
當使用Kerberos進行認證時,通過Ambari-server訪問某一個集羣應用的HTTP協議API的時候,需要把Ambari WEB端已經通過GSS-API認證的Kerberos principal的Token,共享給集羣應用的HTTP協議的API;如果Ambari未配置開啓、配置SPNEGO安全協議,Ambari請求集羣HTTP協議API獲取數據時,將認證失敗,無法獲取數據。Ambari-server提示“SPNego authentication failed, can not get hadoop.auth cookie”錯誤信息
解決方法
1. 停止Ambari-server進程
[root@server bin]$ systemctl stop ambari-server
2. 開啓並配置安全協議
[root@server bin]$ ambari-server setup-security
Using python /usr/bin/python
Security setup options...
===========================================================================
Choose one of the following options:
[1] Enable HTTPS for Ambari server.
[2] Encrypt passwords stored in ambari.properties file.
[3] Setup Ambari kerberos JAAS configuration.
[4] Setup truststore.
[5] Import certificate to truststore.
===========================================================================
Enter choice, (1-5): 3
Setting up Ambari kerberos JAAS configuration to access secured Hadoop daemons...
Enter ambari server's kerberos principal name ([email protected]): [email protected]
Enter keytab path for ambari server's kerberos principal: /etc/security/keytabs/ambari.server.keytab
Ambari Server 'setup-security' completed successfully.
3. 重啓Ambari-server進程使之生效
[root@server bin]$ systemctl start ambari-server