MapR uses the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) to secure several Web UIs in the cluster, as well as the REST calls to the MapR Control System (MCS). The following procedure configures SPNEGO support for the web server nodes on your cluster.
On each node in the cluster that will receive inbound SPNEGO traffic, generate a Kerberos principal with the user name HTTP, of the form
Use the fully qualified domain name as the name in the principal. Although you could also use a short name or the IP address for the principal name, using the fully qualified domain name keeps the name consistent with principal names that
configure.shgenerates and includes in the
mapr.login.conffile. Whatever you use as the principal name is what users will have to match exactly in a browser to access the web pages that are protected.
Note that several services and components in a MapR cluster handle SPNEGO traffic, including the MCS, JobTracker, TaskTracker, and HBase, among others.
You can name the keytab file
mapr.keytabif that file does not already exist. If the
mapr.keytabfile already exists, generate the new principal to a different file name and merge it to the
mapr.keytabfile using the
- Verify that the
/opt/mapr/conf/file lists the correct principal in the
To enable SPNEGO for MapR Control System (MCS) REST calls, on all nodes with the
webserver role, add the following line to the
Restart MCS to make the change take effect.
Testing SPNEGO With curl
This example tests that the MCS is using GSS for REST calls made with
Use the following command to verify that your version of
curl supports SPNEGO - under the “Features" header, the output of the command should show either GSS-Negotiate or SPNEGO - under the “Features” header, the output of the command should show either GSS-Negotiate or SPNEGO:
# curl --version
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/126.96.36.199 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
Verify that you have a valid Kerberos ticket-granting-ticket with the
kinit -p <user> command, then test
curl with the following command:
curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt -k -v
This command returns HTTP/1.1 200 OK when
curl is working correctly with SPNEGO.
Configuring Browsers for SPNEGO
The process below configures your Firefox browser for SPNEGO connections. Note that these instructions are specific for Firefox version 40.0.3x - the details may differ slightly if you are using a different version:
- Open the Firefox configuration page by navigating to the address
- In the Search text field, enter
network.negotiate-auth.trusted-uristo bring up that property.
- Right-click on
network.negotiate-auth.trusted-urisand select Modify to edit the property and enter the hostnames of the web server nodes in your cluster as a comma-separated list.
- Click OK.
Chromium on Ubuntu
To configure the Chromium browser on Ubuntu for SPNEGO, edit the
/etc/chromium-browser/default file and add the following property:
CHROMIUM_FLAGS="--user-data-dir --auth-server-whitelist=<web server host names>"
--user-data-dir flag enables the root user to launch the browser. The
--auth-server-whitelist flag specifies the web servers that support SPNEGO authentication.