Explorer
Posts: 19
Registered: ‎07-19-2016

Where to find passwords for autogenerated principals in kerberized cluster

Hi,

I've enabled Kerberos on my CDH cluster using the existing Active Directory.

I've also created a new superuser as a substitute for the previous hdfs user.

The problem is that, since Cloudera automatically generated AD users for all services, I now don't know their passwords.

I need to know the passwords, because now I want to connect to impala-shell with one of those users (hive, actually) in order to use it to grant Sentry permissions to other users. The superuser I created previously cannot grant permissions.

Maybe I'm missing something, but which user should I use to grant permissions in Sentry to other users? Or how can I find the password or the keytab of the hive user, which I used to grant Sentry permissions to others before the cluster was kerberized?

Posts: 140
Topics: 7
Kudos: 15
Solutions: 14
Registered: ‎07-16-2015

Re: Where to find passwords for autogenerated principals in kerberized cluster

First, you need to use a "sentry" superadmin.

By default, hive, impala and hue are considered superadmins, I think. But you can modify the configuration of Sentry to add a customised user to the superadmins.

The property to modify: sentry.service.admin.group

Explorer
Posts: 19
Registered: ‎07-19-2016

Re: Where to find passwords for autogenerated principals in kerberized cluster

I have put superuser in sentry.service.admin.group along with the defaults. I still get permission denied.

[Screenshot attached: Screen Shot 2017-03-24 at 14.01.20.png]

For example, first I do "kinit superuser" and then:

[user@hadoop-node ~]$ beeline -u "jdbc:hive2://hadoop-node.organization.net:10000/default;principal=hive/hadoop-node.organization.net@organization.NET"
scan complete in 2ms
Connecting to jdbc:hive2://hadoop-node.organization.net:10000/default;principal=hive/hadoop-node.organization.net@organization.NET
Connected to: Apache Hive (version 1.1.0-cdh5.10.0)
Driver: Hive JDBC (version 1.1.0-cdh5.10.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 1.1.0-cdh5.10.0 by Apache Hive
0: jdbc:hive2://hadoop-node.organization.> GRANT ALL ON SERVER server1 TO ROLE admin;
INFO  : Compiling command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629): GRANT ALL ON SERVER server1 TO ROLE admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629); Time taken: 0.099 seconds
INFO  : Executing command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629): GRANT ALL ON SERVER server TO ROLE admin
INFO  : Starting task [Stage-0:DDL] in serial mode
ERROR : Error processing Sentry command: superuser has no grant!.Please grant admin privilege to superuser.
ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: superuser has no grant!
INFO  : Completed executing command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629); Time taken: 0.031 seconds
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: superuser has no grant! (state=08S01,code=1)
0: jdbc:hive2://hadoop-node.organization.>

Or the same with impala:

[user@hadoop-node ~]$ impala-shell -i impala.organization.net -l  -u superuser  --auth_creds_ok_in_clear
Starting Impala Shell using LDAP-based authentication
LDAP password for superuser:
Connected to impala.organization.net:21000
Server version: impalad version 2.7.0-cdh5.10.0 RELEASE (build 785a073cd07e2540d521ecebb8b38161ccbd2aa2)
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v2.7.0-cdh5.10.0 (785a073) built on Fri Jan 20 12:03:56 PST 2017)

When pretty-printing is disabled, you can use the '--output_delimiter' flag to set
the delimiter for fields in the same row. The default is ','.
***********************************************************************************
\nLDAP authentication is enabled, but the connection to Impala is not secured by TLS.
ALL PASSWORDS WILL BE SENT IN THE CLEAR TO IMPALA.

[impala.organization.net:21000] > GRANT ALL ON SERVER server1 TO ROLE admin;
Query: grant ALL ON SERVER server1 TO ROLE admin
Query submitted at: 2017-03-24 13:59:04 (Coordinator: http://hadoop-datanode02.organization.net:25000)
ERROR:
AuthorizationException: User 'superuser' does not have privileges to execute: GRANT_PRIVILEGE

[impala.organization.net:21000] >

Which user can I use to grant permissions in Sentry after enabling Kerberos?

Explorer
Posts: 19
Registered: ‎07-19-2016

Re: Where to find passwords for autogenerated principals in kerberized cluster

I've managed to log in to beeline with the Hive user in the following way:

1. I changed the password of hive/hadoop-master01.domain.com@DOMAIN.COM in the Active Directory. (Now I know the password.)

2. Then I authenticated to Kerberos with kinit hive/hadoop-master01.domain.com@DOMAIN.COM (and obtained a ticket valid for some time).

3. After that I went to Cloudera Manager, stopped the Hive service and then regenerated the credentials for the Hive user (since I changed the password manually, Cloudera didn't know it anymore, so it regenerated the hive user in AD, which means it knows the password again, but I don't. However, this is fine as I already got a Kerberos keytab for this user).

4. Finally I log in to beeline like this:

 beeline -u "jdbc:hive2://hadoop-master01.domain.com:10000/default;principal=hive/hadoop-master01.domain.net@DOMAIN.NET;auth-kerberos"

and I am allowed to do this even though I don't know the password for it, since I have a valid Kerberos ticket for the hive user, which I obtained earlier when I knew the password, and before the user was regenerated by Cloudera Manager.


However, I still have a problem: I can now grant roles to groups in Sentry when I log in with the hive user; however, when I then log in with a user which is in a group that was granted permissions, the user doesn't actually have the granted permissions. I grant permissions to AD groups and then log in with a user which is in this AD group, but the user doesn't have the permissions that were granted to the group.
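The admin check behind the "superuser has no grant" error shown earlier in this thread, and the group resolution that also decides whether a role granted to an AD group reaches its members, modelled as an added Python example (this is not Sentry's or Cloudera's code). sentry.service.admin.group names groups, not user names, and Sentry resolves a user's groups through the Hadoop group mapping on the Sentry server host; the same resolved groups decide which roles a user holds after GRANT ROLE ... TO GROUP. The sentry-site.xml fragment, the user-to-group table and the role grant below are constructed.

```python
"""Model of the Sentry admin and role checks behind the errors in this thread.

Added example, not Sentry's own code.  Two facts it models:
  * sentry.service.admin.group is a comma-separated list of *groups*; a user
    is a Sentry admin only if one of the groups the Sentry server resolves
    for that user (via the Hadoop group mapping on that host) is listed.
  * GRANT ROLE ... TO GROUP works the same way: a user holds the role only
    if the resolved groups include the granted group.
The XML fragment, the user-to-group table and the role grant are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sentry-site.xml: Cloudera's default admin groups plus
# "superuser", as the poster did.
SENTRY_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>sentry.service.admin.group</name>
    <value>hive,impala,hue,superuser</value>
  </property>
</configuration>
"""

# Constructed group mapping, i.e. what the Sentry server host resolves for
# each user.  "superuser" is a user whose only group is "users", so the
# admin.group entry with the same spelling does not match it.
GROUP_MAPPING = {
    "hive": ["hive"],
    "impala": ["impala"],
    "superuser": ["users"],
    "alice": ["users", "data_analysts"],
}

# Constructed role grant: GRANT ROLE admin TO GROUP data_analysts
ROLE_GROUPS = {"admin": {"data_analysts"}}


def admin_groups(xml_text):
    """Return the set of groups listed in sentry.service.admin.group."""
    root = ET.fromstring(xml_text)
    for prop in root.findall("property"):
        if prop.findtext("name") == "sentry.service.admin.group":
            raw = prop.findtext("value") or ""
            return {g.strip() for g in raw.split(",") if g.strip()}
    return set()


def groups_of(user, mapping=GROUP_MAPPING):
    """Groups the (constructed) group mapping resolves for a user."""
    return set(mapping.get(user, ()))


def is_sentry_admin(user, xml_text=SENTRY_SITE_XML, mapping=GROUP_MAPPING):
    """Admin iff the user's resolved groups intersect the admin group list."""
    return bool(groups_of(user, mapping) & admin_groups(xml_text))


def roles_of(user, role_groups=ROLE_GROUPS, mapping=GROUP_MAPPING):
    """Roles a user holds through GRANT ROLE ... TO GROUP."""
    user_groups = groups_of(user, mapping)
    return {role for role, grps in role_groups.items() if grps & user_groups}


def diagnose(user, xml_text=SENTRY_SITE_XML, mapping=GROUP_MAPPING):
    """One-line explanation of why a GRANT from this user succeeds or fails."""
    groups = sorted(groups_of(user, mapping))
    if is_sentry_admin(user, xml_text, mapping):
        return f"{user}: groups {groups} intersect admin groups -> may GRANT"
    return (f"{user}: groups {groups} contain none of "
            f"{sorted(admin_groups(xml_text))} -> 'has no grant'")


if __name__ == "__main__":
    for u in ("hive", "superuser", "alice"):
        print(diagnose(u))
        print(f"  roles held: {sorted(roles_of(u))}")
    # Giving "superuser" a group named "superuser" is what makes the
    # admin.group entry take effect.
    fixed = dict(GROUP_MAPPING, superuser=["users", "superuser"])
    print(diagnose("superuser", mapping=fixed))
```

On a real cluster, running `hdfs groups <user>` on the Sentry server host shows which groups the Hadoop group mapping actually resolves there; if the AD groups you granted to (or the group you added to sentry.service.admin.group) are missing from that output, neither the admin check nor the role grant can match.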
