0

The authorized failure is happened when accessing yarn resource manager web UI by chrome browser with kerberos spnego (yarn.resourcemanager.webapp.address:8088/cluster).

The failure is shown like:

     "HTTP ERROR 403 Problem accessing /cluster. Reason: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))"

PS. It is successfully to access others (namenode, jobhistory etc) web UI, but yarn resource manager by chrome browser with kerberos spnego

Hadoop is 2.5.2

May someone help me to check this problem.

luk2302
  • 55,258
  • 23
  • 97
  • 137
terensu
  • 1
  • 1
  • 1

2 Answers2

0

The problem can be resolved by setting :

"yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled=false"

in yarn-site.xml of Hadoop-2.5.2

The YARNAuthenticationFilter can be ignored by "false" value from the webapp default request filter chain: chain=NoCacheFilter->NoCacheFilter->safety->YARNAuthenticationFilter->authentication->guice->default

TO the one as: chain=NoCacheFilter->NoCacheFilter->safety->authentication->guice->default

terensu
  • 1
  • 1
  • 1
0

Usually you get this when working with a kerberized cluster installation when you have not instructed your browser to use Kerberos authentication connecting to some domains - this is needed for some Hadoop webapps.

For Chrome on OSX for example just type into your console:

defaults write com.google.Chrome AuthServerWhitelist "*.domain.realm"

defaults write com.google.Chrome AuthNegotiateDelegateWhitelist  "*.domain.realm"

where domain.realm is the [domain_realm] entry from your Kerberos configuration file /etc/krb5.conf.

reim
  • 492
  • 5
  • 8