Configuring SPNEGO on MapR

Describes how to configure SPNEGO on web server nodes.

MapR uses the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) to secure several Web UIs in the cluster, as well as the REST calls to the MapR Control System (MCS). The following procedure configures SPNEGO support for the web server nodes on your cluster.
  1. On each node in the cluster that will receive inbound SPNEGO traffic, generate a Kerberos principal with the user name HTTP, of the form HTTP/<webserver name>. Use the fully qualified domain name as the name in the principal. Although you could also use a short name or the IP address for the principal name, using the fully qualified domain name keeps the name consistent with principal names that configure.sh generates and includes in the mapr.login.conf file. Whatever you use as the principal name is what users will have to match exactly in a browser to access the web pages that are protected. Note that several services and components in a MapR cluster handle SPNEGO traffic, including the MCS, JobTracker, TaskTracker, and HBase, among others.You can name the keytab file mapr.keytab if that file does not already exist. If the mapr.keytab file already exists, generate the new principal to a different file name and merge it to the mapr.keytab file using the ktutil tool:
    
    ktutil
        : addprinc -randkey HTTP/<webserver name>
        : ktadd -k /opt/mapr/conf/mapr.keytab HTTP/<webserver name> 
  2. Verify that the /opt/mapr/conf/mapr.login.conf file lists the correct principal in the MAPR_WEBSERVER_KERBEROS section.

    To enable SPNEGO for MapR Control System (MCS) REST calls, on all nodes with the webserver role, add the following line to the /opt/mapr/conf/web.conf file:

    mapr.rest.auth.methods=kerberos,basic

    Restart the MCS for the change to take effect.

Testing SPNEGO With curl

This example tests that the MCS is using GSS for REST calls made with curl.
Use the following command to verify that your version of curl supports SPNEGO - under the “Features" header, the output of the command should show either GSS-Negotiate or SPNEGO- under the “Features” header, the output of the command should show either GSS-Negotiate or SPNEGO:
# curl --versioncurl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23
      librtmp/2.3Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s
      rtmp rtsp smtp smtps telnet tftpFeatures: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB
      SSL libz TLS-SRP
Verify that you have a valid Kerberos ticket-granting-ticket with the kinit -p <user> command, then test curl with the following command:
curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://<web server node>:8443/rest/<API call> -k -v

This command returns HTTP/1.1 200 OK when curl is working correctly with SPNEGO.

Configuring Browsers for SPNEGO

The following processes configure browsers for SPNEGO connections.

Firefox

The process below configures your Firefox browser for SPNEGO connections. Note that these instructions are specific for Firefox version 40.0.3x - the details may differ slightly if you are using a different version:
  1. Open the Firefox configuration page by navigating to the address about:config.
  2. In the Search text field, enter network.negotiate-auth.trusted-uris to bring up that property.
  3. Right-click on network.negotiate-auth.trusted-uris and select Modify to edit the property and enter the hostnames of the web server nodes in your cluster as a comma-separated list.
  4. Click OK.

Chromium on Ubuntu

To configure the Chromium browser on Ubuntu for SPNEGO, edit the /etc/chromium-browser/default file and add the following property:
CHROMIUM_FLAGS="--user-data-dir --auth-server-whitelist=<web server host
    names>"

The --user-data-dir flag enables the root user to launch the browser. The --auth-server-whitelist flag specifies the web servers that support SPNEGO authentication.