Last week I was dealing with an issue where connecting to WebHCat using the following command:

curl -i -u : --negotiate 'http://<webhcat-domain>:50111/templeton/v1/ddl/database'

returned the following error to the user:

{"error":"User: HTTP/<domain-name>@<REALM> is not allowed to impersonate <username>"}

After doing some research, it turned out to be caused by the auth_to_local rules the user had defined in the cluster; see the following configuration in core-site.xml for HDFS:

RULE:[1:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L
RULE:[2:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L
DEFAULT

The first two rules convert the matched principal to lowercase (the /L flag at the end of each rule). A principal such as HTTP/<domain-name>@<REALM> is therefore mapped to the local user “http” instead of “HTTP”, while only the following proxyuser entries are defined in the same XML:

<property>
  <name>hadoop.proxyuser.HTTP.hosts</name>
  <value>*</value>
</property>
<property>
  <name>hadoop.proxyuser.HTTP.groups</name>
  <value>*</value>
</property>

To fix the issue, I did the following:

  1. go to Cloudera Manager > HDFS > Configuration
  2. search for “Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml”
  3. enter the following XML into the textarea:

    <property>
      <name>hadoop.proxyuser.http.hosts</name>
      <value>*</value>
    </property>
    <property>
      <name>hadoop.proxyuser.http.groups</name>
      <value>*</value>
    </property>

    Please note the lower case “http”.

  4. save and restart related services (indicated by the restart icon in Cloudera Manager)

After this change, the issue is resolved.
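To make the mapping and the mismatch concrete, here is an added Python example (not from the original post, and not Hadoop's own code) that evaluates the auth_to_local rules quoted above on a constructed principal and then performs the case-sensitive proxyuser lookup against the core-site.xml entries before and after the fix described in the steps above. It assumes REALM.COM as the cluster's default realm, uses webhcat.example.com as a constructed host name, and simplifies the proxyuser check to the presence of the hadoop.proxyuser.<user>.hosts and .groups keys.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the auth_to_local rules quoted in the post.
AUTH_TO_LOCAL_RULES: List[str] = [
    r"RULE:[1:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L",
    r"RULE:[2:$1@$0](.*@\QREALM.COM\E$)s/@\QREALM.COM\E$///L",
    "DEFAULT",
]

# Assumption: the cluster's default Kerberos realm (used by the DEFAULT rule).
DEFAULT_REALM = "REALM.COM"

# Constructed sample: proxyuser entries in core-site.xml before and after the fix.
PROXYUSER_BEFORE: Dict[str, str] = {
    "hadoop.proxyuser.HTTP.hosts": "*",
    "hadoop.proxyuser.HTTP.groups": "*",
}
PROXYUSER_AFTER: Dict[str, str] = {
    **PROXYUSER_BEFORE,
    "hadoop.proxyuser.http.hosts": "*",   # the lower-case entries added by the fix
    "hadoop.proxyuser.http.groups": "*",
}

# RULE:[n:format](filter)s/pattern/replacement/[g][/L]
RULE_RE = re.compile(
    r"RULE:\[(\d+):([^\]]*)\]"      # [n:format], n = number of principal components
    r"(?:\(([^)]*)\))?"             # (acceptance filter), a Java regex
    r"(?:s/([^/]*)/([^/]*)/(g)?)?"  # sed-style substitution with optional g flag
    r"(/L)?$"                       # /L: lowercase the result
)


def java_regex_to_python(pattern: str) -> str:
    # Translate Java's \Q...\E literal quoting, which Python's re does not support.
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)


def parse_principal(principal: str) -> Tuple[List[str], str]:
    # 'svc/host@REALM' -> (['svc', 'host'], 'REALM')
    if "@" not in principal:
        raise ValueError(f"principal has no realm: {principal}")
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def apply_rule(rule: str, principal: str) -> Optional[str]:
    # Return the local user this rule yields, or None when the rule does not apply.
    components, realm = parse_principal(principal)
    if rule == "DEFAULT":
        # DEFAULT keeps the first component, but only for the default realm.
        return components[0] if realm == DEFAULT_REALM else None
    m = RULE_RE.fullmatch(rule)
    if m is None:
        raise ValueError(f"unparseable rule: {rule}")
    n, fmt, filt, pat, repl, gflag, lower = m.groups()
    if len(components) != int(n):
        return None
    # Build the candidate name: $0 is the realm, $1..$n are the components.
    short = re.sub(
        r"\$(\d+)",
        lambda mm: realm if mm.group(1) == "0" else components[int(mm.group(1)) - 1],
        fmt,
    )
    if filt and re.fullmatch(java_regex_to_python(filt), short) is None:
        return None
    if pat is not None:
        short = re.sub(java_regex_to_python(pat), repl, short, count=0 if gflag else 1)
    if lower:
        short = short.lower()  # the /L flag: this is what turns HTTP into http
    return short


def map_principal(principal: str, rules: List[str] = AUTH_TO_LOCAL_RULES) -> str:
    # First matching rule wins, as in Hadoop's auth_to_local evaluation.
    for rule in rules:
        result = apply_rule(rule, principal)
        if result is not None:
            return result
    raise ValueError(f"no auth_to_local rule matches {principal}")


def can_impersonate(local_user: str, config: Dict[str, str]) -> bool:
    # Simplified proxyuser check: the lookup key embeds the local user name verbatim,
    # so "http" and "HTTP" are two different proxy users.
    return (f"hadoop.proxyuser.{local_user}.hosts" in config
            and f"hadoop.proxyuser.{local_user}.groups" in config)


def diagnose(principal: str, config: Dict[str, str]) -> str:
    local_user = map_principal(principal)
    if can_impersonate(local_user, config):
        return f"ok: {principal} -> {local_user} may impersonate"
    return f"User: {principal} is not allowed to impersonate (local user {local_user!r})"


if __name__ == "__main__":
    principal = "HTTP/webhcat.example.com@REALM.COM"  # constructed sample principal
    print(diagnose(principal, PROXYUSER_BEFORE))
    print(diagnose(principal, PROXYUSER_AFTER))
```

Running the script shows the same principal failing the proxyuser check against the original entries and passing once the lower-case entries exist; the only thing that changes between the two runs is the case of the key the mapped user is looked up under.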
