Configuring SPNEGO on Data Fabric
Configuring SPNEGO for the Web Server Nodes on Secure Clusters
Procedure
- Generate a Kerberos principal with the user name HTTP, of the form HTTP/<webserver name>, on each node in the secure cluster that will receive inbound SPNEGO traffic. Use the FQDN as the host part of the principal. Although you could also use a short name or the IP address, the FQDN keeps the name consistent with the principal names that configure.sh generates and includes in the mapr.login.conf file. Whatever you use as the principal name is what users must match exactly in the browser URL to access the protected web pages: a browser requests a service ticket for HTTP/<host as typed>, so a request to a short name or an IP address will not obtain a ticket for a principal that was created with the FQDN.
NOTE
Several services and components in an HPE Ezmeral Data Fabric cluster handle SPNEGO traffic, including the Control System.
Name the keytab file mapr.keytab if the file does not already exist. If the mapr.keytab file already exists, generate the new principal into a different keytab file and merge it into the mapr.keytab file using the ktutil tool. For example:
kadmin: addprinc -randkey HTTP/<webserver name>
kadmin: ktadd -k /opt/mapr/conf/mapr.keytab HTTP/<webserver name>
Keep the keytab readable only by the service account that runs the web server; it holds the long-term key for the HTTP principal.
- Verify that the /opt/mapr/conf/mapr.login.conf file lists the correct principal in the MAPR_WEBSERVER_KERBEROS section.
- To enable SPNEGO for the Control System UI or for the Control System REST API, add the following line to the /opt/mapr/apiserver/conf/properties.cfg file on all nodes with the webserver role:
mapr.rest.auth.methods=kerberos,basic
IMPORTANT
The mapr.rest.auth.methods=kerberos,basic option shown above is valid only on a secure cluster. If a cluster is not secure, only basic authentication (WWW-Authenticate: Basic) is available to clients. Keeping basic in the list lets clients that cannot negotiate (for example scripts that authenticate with a user name and password) continue to use basic authentication alongside SPNEGO.
- Restart the Control System for the changes to take effect.
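The following script is an added worked example for the steps above; it is not code from the Data Fabric documentation or product. It creates the HTTP/<fqdn> principal, merges its key into mapr.keytab with ktutil, checks that the MAPR_WEBSERVER_KERBEROS section of mapr.login.conf names exactly that principal, and sets mapr.rest.auth.methods idempotently. Its assumptions, none of which the page states: MIT Kerberos tools (kadmin, ktutil, klist) are installed; the login configuration is JAAS syntax with a principal="..." entry in that section; the keytab belongs to the mapr user; KADMIN can be pointed at kadmin.local when run on the KDC.

```shell
#!/bin/sh
# Added example (not from the Data Fabric docs): provision and verify the SPNEGO
# principal for one webserver node. Paths and the mapr user are assumptions.

MAPR_CONF=${MAPR_CONF:-/opt/mapr/conf}
KEYTAB=${KEYTAB:-$MAPR_CONF/mapr.keytab}
LOGIN_CONF=${LOGIN_CONF:-$MAPR_CONF/mapr.login.conf}
PROPERTIES=${PROPERTIES:-/opt/mapr/apiserver/conf/properties.cfg}
KADMIN=${KADMIN:-kadmin}

# The principal a browser will request a service ticket for: HTTP/<fqdn>@<realm>.
expected_principal() {
  printf 'HTTP/%s@%s\n' "$1" "$2"
}

# Print the principal="..." value found inside the MAPR_WEBSERVER_KERBEROS block of a
# JAAS file (block layout is an assumption about mapr.login.conf).
login_conf_principal() {
  awk '
    /^[[:space:]]*MAPR_WEBSERVER_KERBEROS[[:space:]]*[{]/ { in_sec = 1; next }
    in_sec && /^[[:space:]]*}/ { in_sec = 0 }
    in_sec && match($0, /principal[[:space:]]*=[[:space:]]*"[^"]*"/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      print s; exit
    }' "$1"
}

# Succeed only when the login config names exactly the principal expected for this node.
check_login_conf() {
  # $1 = login conf path, $2 = fqdn, $3 = realm
  [ "$(login_conf_principal "$1")" = "$(expected_principal "$2" "$3")" ]
}

# Set mapr.rest.auth.methods=kerberos,basic exactly once (replace an existing line or append).
enable_rest_kerberos() {
  if grep -q '^mapr\.rest\.auth\.methods=' "$1"; then
    sed -i 's/^mapr\.rest\.auth\.methods=.*/mapr.rest.auth.methods=kerberos,basic/' "$1"
  else
    printf 'mapr.rest.auth.methods=kerberos,basic\n' >> "$1"
  fi
  grep -q '^mapr\.rest\.auth\.methods=kerberos,basic$' "$1"
}

# Create the principal, export it to a scratch keytab, and merge that into mapr.keytab
# without losing the entries already there (ktutil reads both, writes the union).
provision_http_principal() {
  # $1 = fqdn, $2 = realm
  princ=$(expected_principal "$1" "$2")
  scratch=$(mktemp) || return 1
  merged=$(mktemp) || return 1
  "$KADMIN" -q "addprinc -randkey $princ" || return 1
  "$KADMIN" -q "ktadd -k $scratch $princ" || return 1
  if [ -s "$KEYTAB" ]; then
    printf 'rkt %s\nrkt %s\nwkt %s\nquit\n' "$KEYTAB" "$scratch" "$merged" | ktutil || return 1
  else
    cp "$scratch" "$merged" || return 1
  fi
  # A keytab is a credential: only the service user may read it.
  chown mapr:mapr "$merged" && chmod 600 "$merged" && mv "$merged" "$KEYTAB" || return 1
  rm -f "$scratch"
  klist -k "$KEYTAB" | grep -F "$princ" >/dev/null || return 1
  check_login_conf "$LOGIN_CONF" "$1" "$2" || {
    echo "mapr.login.conf names '$(login_conf_principal "$LOGIN_CONF")', expected $princ" >&2
    return 1
  }
  enable_rest_kerberos "$PROPERTIES"
}

# Provision only when explicitly asked, so the checks above can be exercised without a KDC:
#   SPNEGO_PROVISION=1 sh spnego-principal.sh node1.example.com EXAMPLE.COM
if [ "${SPNEGO_PROVISION:-0}" = 1 ]; then
  provision_http_principal "$1" "$2" && echo "SPNEGO principal ready; restart the Control System"
fi
```

The merge goes through a fresh file rather than appending with wkt directly onto mapr.keytab, so a failed ktutil run leaves the existing keytab untouched; the final klist check is what tells you the entry actually landed.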
Testing SPNEGO With curl
You can test SPNEGO authentication from the command line with curl. First verify that your build of curl supports SPNEGO: under the Features header, the output of curl --version should show either GSS-Negotiate or SPNEGO (newer curl builds list GSS-API, Kerberos and SPNEGO as separate features). For example:
# curl --version
curl 7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap pop3 pop3s rtmp rtsp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP
Verify that you have a valid Kerberos ticket-granting ticket (TGT): obtain one with kinit <user> and confirm it with klist. Then test curl with the following command:
curl --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt https://<web server node>:8443/rest/<API call> -k -v
This command returns HTTP/1.1 200 OK if curl is working correctly with SPNEGO. The empty credential -u : is required by curl's --negotiate option; the identity actually used comes from the Kerberos credential cache. The cookie jar lets later requests reuse the session cookie issued after the first negotiated request. In the verbose output you should see the server challenge WWW-Authenticate: Negotiate followed by a request carrying Authorization: Negotiate and then the 200 response; a 200 obtained after a WWW-Authenticate: Basic challenge means SPNEGO did not take part. The -k option disables TLS certificate verification; use it only while testing, and point curl at the cluster CA certificate with --cacert once the negotiation works.
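The script below is an added example for this section, not curl usage taken from the Data Fabric documentation. It checks the local curl build for SPNEGO support, runs the test request above, and reads the verbose transcript to confirm that a Negotiate challenge was issued, answered, and followed by a 200 rather than a fallback to Basic. The CACERT path is an assumption; when it is absent the script falls back to -k and says so on stderr.

```shell
#!/bin/sh
# Added example (not from the Data Fabric docs): verify curl's SPNEGO support and the
# negotiate handshake against a Control System webserver node.

CACERT=${CACERT:-/opt/mapr/conf/ca/chain-ca.pem}   # assumed location of the cluster CA

# Read `curl --version` output on stdin; succeed if the Features line advertises SPNEGO.
# Old builds print GSS-Negotiate, newer ones print "GSS-API Kerberos SPNEGO".
curl_has_spnego() {
  grep -i '^Features:' | grep -Eq 'GSS-Negotiate|SPNEGO'
}

# Read a `curl -v` transcript on stdin. Success means the server challenged with
# WWW-Authenticate: Negotiate, curl answered with Authorization: Negotiate <token>, and
# the last status line was 200. A 200 after only a Basic challenge, or a 401 with no
# Negotiate challenge at all, both fail.
negotiate_handshake_ok() {
  awk '
    { sub(/\r$/, "") }
    tolower($0) ~ /^< www-authenticate: negotiate/ { offered = 1 }
    tolower($0) ~ /^> authorization: negotiate/   { sent = 1 }
    /^< HTTP\/[0-9.]+ [0-9][0-9][0-9]/            { status = $3 }
    END { exit !(offered && sent && status == "200") }'
}

# Run the page's test request and hand the verbose transcript to the checker.
spnego_test_request() {
  # $1 = web server node FQDN (must match the HTTP/<fqdn> principal), $2 = REST path
  if [ -r "$CACERT" ]; then
    tls="--cacert $CACERT"
  else
    echo "warning: $CACERT not found, TLS verification disabled for this test" >&2
    tls="-k"
  fi
  jar=$(mktemp) || return 1
  transcript=$(curl --negotiate -u : -b "$jar" -c "$jar" $tls -s -o /dev/null -v \
      "https://$1:8443/$2" 2>&1)
  rm -f "$jar"
  printf '%s\n' "$transcript" | negotiate_handshake_ok
}

# Run only when a target is given, so the parsers above can be exercised offline:
#   SPNEGO_TEST_HOST=node1.example.com sh spnego-curl-test.sh
if [ -n "${SPNEGO_TEST_HOST:-}" ]; then
  curl --version | curl_has_spnego || { echo "curl lacks SPNEGO support" >&2; exit 1; }
  spnego_test_request "$SPNEGO_TEST_HOST" "${SPNEGO_TEST_PATH:-rest/node/list}" \
    && echo "SPNEGO negotiation succeeded against $SPNEGO_TEST_HOST"
fi
```

Checking the transcript rather than only the final status matters because the page's mapr.rest.auth.methods=kerberos,basic setting leaves Basic enabled: a 200 alone does not prove Kerberos was used.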
Configuring Browsers for SPNEGO
Firefox
The process below configures your Firefox browser for SPNEGO connections.
NOTE
These instructions are specific to Firefox version 40.0.3. The details may differ slightly if you are using a different Firefox version.
- Open the Firefox configuration page by navigating to the about:config address.
- In the Search text field, enter network.negotiate-auth.trusted-uris to bring up that property.
- Right-click network.negotiate-auth.trusted-uris, select Modify to edit the property, and then enter the hostnames of the web server nodes in the cluster as a comma-separated list.
- Click OK.
Every host that matches an entry in this list is allowed to receive a Kerberos service ticket on the user's behalf, so list the cluster's web server hosts rather than a broad domain, and use the same FQDNs that the HTTP/<webserver name> principals were created with.
Chromium on Ubuntu
To configure the Chromium browser on Ubuntu for SPNEGO, edit the /etc/chromium-browser/default file and add the following property:
CHROMIUM_FLAGS="--user-data-dir --auth-server-whitelist=<web server host names>"
The --user-data-dir flag enables the root user to launch the browser. The --auth-server-whitelist flag specifies the web servers that support SPNEGO authentication, as a comma-separated list; newer Chromium releases accept the same value under the name --auth-server-allowlist. A wildcard entry such as *.example.com permits every host in that domain to request the user's Kerberos ticket, so keep the list to the web server FQDNs.
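For fleets of workstations the same allowlists can be shipped as browser policy files instead of being typed into about:config or CHROMIUM_FLAGS. The script below is an added example, not part of the Data Fabric documentation; it generates a Firefox policies.json (Authentication.SPNEGO) and a Chromium managed-policy file (AuthServerAllowlist; older Chromium reads AuthServerWhitelist) from a list of web server FQDNs, and refuses wildcards, URLs and short names so that only the cluster's hosts can obtain the user's ticket. The install paths in the usage comment are typical Linux locations and are assumptions that vary by distribution.

```shell
#!/bin/sh
# Added example (not from the Data Fabric docs): build Firefox and Chromium SPNEGO
# allowlist policy files from the cluster's web server FQDNs.

# Print the arguments as a JSON array of strings.
json_host_array() {
  out=""
  for h in "$@"; do
    out="$out${out:+, }\"$h\""
  done
  printf '[%s]' "$out"
}

# Print the arguments as one comma-separated string (Chromium's allowlist format).
comma_hosts() {
  out=""
  for h in "$@"; do
    out="$out${out:+,}$h"
  done
  printf '%s' "$out"
}

# Accept only a plain fully-qualified host name. The allowlist decides which servers may
# receive a Kerberos ticket for the user, so wildcards, schemes and short names are refused.
valid_host() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# write_spnego_policies <outdir> <fqdn>... writes
#   <outdir>/firefox/policies.json            (Firefox enterprise policy)
#   <outdir>/chromium/spnego-allowlist.json   (Chromium managed policy)
write_spnego_policies() {
  outdir=$1; shift
  [ $# -gt 0 ] || return 1
  for h in "$@"; do
    valid_host "$h" || { echo "refusing allowlist entry that is not an FQDN: $h" >&2; return 1; }
  done
  mkdir -p "$outdir/firefox" "$outdir/chromium" || return 1
  # Firefox: SPNEGO only for the listed hosts; AllowNonFQDN=false keeps short names out,
  # matching the FQDN-based HTTP/<fqdn> principals on the cluster.
  printf '{\n  "policies": {\n    "Authentication": {\n      "SPNEGO": %s,\n      "AllowNonFQDN": { "SPNEGO": false }\n    }\n  }\n}\n' \
    "$(json_host_array "$@")" > "$outdir/firefox/policies.json"
  # Chromium: a single comma-separated allowlist string.
  printf '{\n  "AuthServerAllowlist": "%s"\n}\n' "$(comma_hosts "$@")" \
    > "$outdir/chromium/spnego-allowlist.json"
}

# Typical deployment (target paths are assumptions; check your distribution):
#   write_spnego_policies /tmp/spnego node1.example.com node2.example.com
#   install -m 644 /tmp/spnego/firefox/policies.json /usr/lib/firefox/distribution/policies.json
#   install -m 644 /tmp/spnego/chromium/spnego-allowlist.json /etc/chromium/policies/managed/
```

Policy files have the added benefit that users cannot widen the allowlist from about:config, which is the setting an attacker would otherwise target to redirect Kerberos tickets to a host they control.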