curl -i -u : --negotiate 'http://:50111/templeton/v1/ddl/database'

The user got the following error:

{"error":"User: HTTP/@ is not allowed to impersonate "}

After doing some research, it turned out to be caused by the auth_to_local rules the user defined in the cluster; see the config below from core-site.xml for HDFS:

RULE:[1:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L
RULE:[2:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L
DEFAULT

The first two rules translate the principal to lowercase (defined by the /L at the end). This will translate the principal “HTTP/

<property>
  <name>hadoop.proxyuser.HTTP.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.HTTP.groups</name>
  <value>*</value>
</property>

To fix the issue, I did the following:
- go to Cloudera Manager > HDFS > Configuration
- search for “Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml”
- enter the following XML into the textarea:

  <property>
    <name>hadoop.proxyuser.http.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.http.groups</name>
    <value>*</value>
  </property>

  please note the lower case “http”
- save and restart related services (indicated by the restart icon in Cloudera Manager)
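
The mapping described above, worked through as an added example (not code from the original post): a small Python port of the auth_to_local rule evaluation, run over the rules shown on this page. The host name in the principal and the function names are constructed for illustration.

```python
import re

# Rule grammar as parsed by Hadoop's KerberosName:
# DEFAULT | RULE:[n:format](regex)s/from/to/[g] with an optional /L suffix.
RULE_RE = re.compile(
    r"\s*((DEFAULT)|(RULE:\[(\d*):([^\]]*)\](\(([^)]*)\))?"
    r"(s/([^/]*)/([^/]*)/(g)?)?))/?(L)?")

def java_re(pattern):
    # Python's re lacks Java's \Q...\E quoting; expand it to an escaped literal.
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)

def short_name(principal, rules, default_realm):
    name, _, realm = principal.partition("@")
    params = [realm] + name.split("/")            # $0 = realm, $1.. = components
    for m in RULE_RE.finditer(rules):
        if m.group(2):                            # DEFAULT rule
            if realm == default_realm:
                return params[1]
            continue
        if int(m.group(4)) != len(params) - 1:    # [n:...] must equal component count
            continue
        base = re.sub(r"\$(\d)", lambda g: params[int(g.group(1))], m.group(5))
        if m.group(7) and not re.fullmatch(java_re(m.group(7)), base):
            continue
        out = base
        if m.group(8):                            # sed-style substitution, taken literally
            out = re.sub(java_re(m.group(9)), lambda _: m.group(10), out,
                         count=0 if m.group(11) else 1)
        return out.lower() if m.group(12) else out  # /L lowercases the result
    raise ValueError("no auth_to_local rule matched " + principal)

def proxyuser_configured(principal, rules, default_realm, core_site):
    # Property names are case-sensitive, so the lookup uses the mapped short name as-is.
    user = short_name(principal, rules, default_realm)
    return all(f"hadoop.proxyuser.{user}.{k}" in core_site for k in ("hosts", "groups"))

# Rules copied from the page; the host name in the principal is constructed.
RULES = (r"RULE:[1:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L "
         r"RULE:[2:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L DEFAULT")
PRINCIPAL = "HTTP/gateway.example.com@REALM.COM"
BEFORE = {"hadoop.proxyuser.HTTP.hosts": "*", "hadoop.proxyuser.HTTP.groups": "*"}
AFTER = {"hadoop.proxyuser.http.hosts": "*", "hadoop.proxyuser.http.groups": "*"}

if __name__ == "__main__":
    print(short_name(PRINCIPAL, RULES, "REALM.COM"))
    print(proxyuser_configured(PRINCIPAL, RULES, "REALM.COM", BEFORE))
    print(proxyuser_configured(PRINCIPAL, RULES, "REALM.COM", AFTER))
```

On a live cluster, `hadoop org.apache.hadoop.security.HadoopKerberosName <principal>` prints the short name the configured rules produce. The `*` values are kept as on the page; they allow impersonation of any user from any host, so a narrower hosts and groups list is worth setting where the callers are known.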