Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue

Hello,

I am practicing on the quickstart VM. I kerberized it, then enabled Sentry for Hive, Impala and Hue as mentioned in this link (https://www.cloudera.com/documentation/enterprise/5-3-x/topics/sg_sentry_service_config.html).

After this I kerberized Hue as mentioned in this link (https://www.cloudera.com/documentation/enterprise/5-6-x/topics/cdh_sg_hue_kerberos_config.html). Before kerberizing Hue, the Hue users could access Hive databases/tables as prescribed by Sentry roles. However, after kerberizing Hue, I am getting the following error when I try to log in to Hue as any user:

Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/var/run/hue/hue_krb5_ccache' not found)

Also, the Kerberos Ticket Renewer is down and gives the following error while trying to restart:

Can't open /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/config.zip: Permission denied.
Can't open /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/proc.json: Permission denied.
+ replace_conf_dir_env_vars KRB5_KTNAME
/usr/lib64/cmf/service/hue/hue.sh: line 123: replace_conf_dir_env_vars: command not found
+ make_scripts_executable
+ find /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER -regex '.*\.\(py\|sh\)$' -exec chmod u+x '{}' ';'
+ '[' kt_renewer == beeswax_server ']'
+ set_classpath_in_var HADOOP_EXTRA_CLASSPATH_STRING
+ '[' -z HADOOP_EXTRA_CLASSPATH_STRING ']'
+ [[ -n /usr/share/cmf ]]
++ find /usr/share/cmf/lib/plugins -maxdepth 1 -name '*.jar'
++ tr '\n' :
+ ADD_TO_CP=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar:
+ [[ -n '' ]]
+ eval 'OLD_VALUE=$HADOOP_EXTRA_CLASSPATH_STRING'
++ OLD_VALUE=
+ NEW_VALUE=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar:
+ export HADOOP_EXTRA_CLASSPATH_STRING=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar
+ HADOOP_EXTRA_CLASSPATH_STRING=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar
+ HUE=/usr/lib/hue/build/env/bin/hue
+ [[ kt_renewer == runcpserver ]]
+ [[ kt_renewer == kt_renewer ]]
+ '[' -d /usr/kerberos/bin ']'
++ which kinit
+ KINIT_PATH=/usr/bin/kinit
+ KINIT_PATH=/usr/bin/kinit
+ perl -pi -e 's#{{KINIT_PATH}}#/usr/bin/kinit#g' /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/hue.ini /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/hue_safety_valve.ini
+ '[' dumpdata = kt_renewer ']'
+ '[' syncdb = kt_renewer ']'
+ '[' ldaptest = kt_renewer ']'
+ exec /usr/lib/hue/build/env/bin/hue kt_renewer

Can someone help me solve this issue? I searched a lot, but it seems I am the only one who has come across this issue.

Thanks,

Mohit


Re: Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue

Hi @mohitvarshney

I am sorry to say you appear to have found a documentation bug the hard way. The documentation you found was intended to be how to enable the Kerberos authentication (SPNEGO) for clients connecting to Hue. Instead, it showed you how to configure Kerberos authentication from Hue to other components if you are not using Cloudera Manager.

Since you are using Cloudera Manager, you do not need to perform those steps to have Hue communicate with other services via Kerberos.

What I recommend is reverting the changes from "Configuring Kerberos Authentication for Hue", restarting Hue, then testing. Cloudera Manager should have managed all the necessary Kerberos configuration for you.

I'll work with the documentation team to get this documentation corrected.

NOTE: make sure you are using the 5.12 documentation since that is the version of Cloudera Manager and CDH you are using:

https://www.cloudera.com/documentation/enterprise/latest.html

-Ben


Re: Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue

Hi @bgooley,

Thanks for the help here. I followed your suggestions and all the errors/warnings are gone. However, now the scenario is as follows:

- A Hue user 'A' in the 'sales' group, who also has an account in Linux in the 'sales' group, has access to Hive databases as enabled in Sentry.

- A new Hue user 'B' in the 'sales' group does not have access to the same databases which 'A' has. However, this user gets all the access of the 'sales' group as soon as I create his account in Linux.

After creating his account, I did not even add a principal for him, and without generating a Kerberos ticket he got access in Hue. How come Kerberos is working for this 'B' user? This suggests that Kerberos did not work for this new Hue user. Please suggest.

Thanks,

Mohit


Re: Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue

Hi @bgooley

Can you help me with the above problem? Basically, I want to restrict Hue users from accessing Hive tables without generating a Kerberos token. As of now, all the Hue users are able to access them even if their Kerberos token has expired. However, if I access the same database through the command line as that user, it's working fine and asks for a Kerberos token if not already generated, but Hue is bypassing Kerberos.

Thanks,

Mohit
