Kerberized Hadoop clusters use SPNEGO for browser authentication. To sign into UIs such as NameNode, ResourceManager, Oozie or HiveServer2, your browser must support SPNEGO, your client must have a valid Kerberos ticket and DNS and realm mappings must match. This guide explains how to enable SPNEGO for modern Firefox, Chrome and Edge. Most Hadoop Web UIs rely on SPNEGO (Simple and Protected GSSAPI Negotiation) to authenticate users through Kerberos. When a browser accesses a Kerberos-protected endpoint such as: http://namenode-host:9870 http://rm-host:8088 http://oozie-host:11000/oozie the server expects the browser to negotiate Kerberos credentials automatically. If the browser is not configured correctly, the user will see repeated login prompts or 401: Unauthorized . Prerequisites You must have a valid Kerberos ticket: kinit your_user@YOUR.REALM DNS and reverse DNS for the Hadoop services must be correct The SPN for the UI must match: HTTP/hostname@...
Fractional Chief Architect for Big Data Systems & Distributed Data Processing