Explorer
Posts: 21
Registered: ‎09-25-2016
Accepted Solution

HUE with IMPALA with LDAP, SENTRY enabled

Environment CDH 5.12, OPEN LDAP

We've enabled LDAP auth on Impala and it's working fine except in HUE. When I try to launch the HUE/Impala Editor, it fails with this error in the GUI.

 

We have configured the safety valve in HUE with this:

 

[desktop]
ldap_username=ldaptest
ldap_password=ldaptest

 

I'm logging into HUE as user cloudera (FYI: we don't have LDAP enabled on HUE; cloudera is just a user managed within HUE).

 

User 'ldaptest' is not authorized to delegate to 'cloudera'.
 
 
Bad status for request TOpenSessionReq(username='hue', password=None, client_protocol=6, configuration={'idle_session_timeout': '3600', 'impala.doas.user': u'cloudera'}): TOpenSessionResp(status=TStatus(errorCode=None, errorMessage="User 'ldaptest' is not authorized to delegate to 'cloudera'.\n", sqlState='HY000', infoMessages=None, statusCode=3), sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x06\xd1\xc8\xe5\xd2\xc1Ck\xbd\xc7\xc5\xdb\xc5\x12\xdb\x8b', guid='*QiZ\xb0\xc7H\x0f\x8c5\xec\x14\xdf*7H')), configuration=None, serverProtocolVersion=5)
 
How can I enable user ldaptest to delegate to cloudera?
Expert Contributor
Posts: 253
Registered: ‎01-25-2017

Re: HUE with IMPALA with LDAP, SENTRY enabled

@sunilosunil Are you using Cloudera Manager:

 

Authentication Backend desktop.auth.backend.LdapBackend
LDAP URL ldap://your_ldap_url
LDAP Search Base
LDAP Bind User
LDAP Bind Password
LDAP User Filter
LDAP Username Attribute
LDAP Group Filter
LDAP Group Name Attribute
LDAP Group Membership Attribute
Active Directory Domain

 

You need your system admin to create a user for you in LDAP and provide you with these parameters.

 

Then you can just restart the Hue service.

Explorer
Posts: 21
Registered: ‎09-25-2016

Re: HUE with IMPALA with LDAP, SENTRY enabled

Actually, I figured it out. I had to configure Impala to allow user ldaptest to impersonate user cloudera (hue login).

 

I appended this to the Cloudera Manager property Proxy User Configuration (authorized_proxy_user_config):

hue=*;ldaptest=cloudera

 

So user hue can impersonate anyone and user 'ldaptest' can impersonate as 'cloudera'.

New Contributor
Posts: 1
Registered: ‎09-07-2017

Re: HUE with IMPALA with LDAP, SENTRY enabled

Where exactly was this entry made? I am facing the same issue even after making the entry in Proxy User Configuration (authorized_proxy_user_config) under Impala service-wide.

Posts: 398
Topics: 1
Kudos: 92
Solutions: 51
Registered: ‎04-22-2014

Re: HUE with IMPALA with LDAP, SENTRY enabled

@Telematics,

 

 

In Cloudera Manager, edit Proxy User Configuration 

What did you enter in the field?

It should look like this, for example:

joe=alice,bob;hue=*;admin=*

 

See the description of Proxy User Configuration in Cloudera Manager (click the question mark next to the property).

 

-Ben
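
The delegation check this thread revolves around, as an added example (not Impala's or Cloudera's code, and not written by any poster): it parses a Proxy User Configuration value in the `proxy=user1,user2;proxy2=*` form shown above, reproduces the error from the first post, and lists the wildcard entries an audit should review. The function names, the `BEFORE` value, exact-match name comparison and the merging of repeated proxy names are assumptions of this example.

```python
# Added example: models the value format shown in this thread, not Impala's code.

def parse_proxy_config(value):
    """Parse 'proxy=user1,user2;proxy2=*' into {proxy: set of allowed users}."""
    rules = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        proxy, sep, targets = entry.partition("=")
        users = {t.strip() for t in targets.split(",") if t.strip()}
        if not sep or not proxy.strip() or not users:
            raise ValueError(f"malformed entry: {entry!r}")
        # Assumption of this example: repeated proxy names are merged.
        rules.setdefault(proxy.strip(), set()).update(users)
    return rules

def may_delegate(rules, proxy_user, doas_user):
    """True if proxy_user may open a session on behalf of doas_user."""
    allowed = rules.get(proxy_user, set())
    return "*" in allowed or doas_user in allowed

def check(value, proxy_user, doas_user):
    """Return None if allowed, else the error text quoted in the thread."""
    if may_delegate(parse_proxy_config(value), proxy_user, doas_user):
        return None
    return f"User '{proxy_user}' is not authorized to delegate to '{doas_user}'."

def wildcard_proxies(value):
    """Proxy users that may impersonate anyone; worth reviewing in an audit."""
    rules = parse_proxy_config(value)
    return sorted(p for p, users in rules.items() if "*" in users)

BEFORE = "hue=*"                    # constructed: assumed value before the fix
AFTER = "hue=*;ldaptest=cloudera"   # value posted in the thread

if __name__ == "__main__":
    # Hue binds to Impala as ldap_username (ldaptest) and asks to act as the
    # logged-in Hue user (impala.doas.user = cloudera).
    print(check(BEFORE, "ldaptest", "cloudera"))
    print(check(AFTER, "ldaptest", "cloudera"))
    print(wildcard_proxies("joe=alice,bob;hue=*;admin=*"))
```

The `ldaptest=cloudera` entry only covers the Hue user `cloudera`; any other Hue login would need its own entry for `ldaptest`, and each `*` entry lets that proxy account act as every user.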
