https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/56421#M63602 <P>&nbsp;hi, i actually met an issue when configure sentry with hive.</P><P>&nbsp;</P><P>basically if i&nbsp;configure hue security with&nbsp;desktop.auth.backend.AllowFirstUserDjangoBackend, and use a local user to query hive, it would be succesful to query the right database.</P><P>&nbsp;</P><P>but if i configure hue with AD server, and use an AD user to logon hue, it would not load any database that the user was supposed to have&nbsp;privileges on.</P><P>the AD user looks have more gourps:&nbsp;</P><P>&nbsp;</P><P>[root@ ~]# id jjiang<BR />uid=16777217(jjiang) gid=16777216(domain users) groups=16777216(domain users),502(db_admin),16777225,16777217(apacsysadmin),16777218(apac),16777226,16777239(apac_connectivity),16777227,16777219(itsystems),16777220(apac_it),16777228,16777247(apac_marketing_services),16777229,16777221(nantong office),16777230,16777222(ap_all_okta_users),16777223(okta_o365_users),16777224(ap-fp-general-users),16777231(ap_slack_itops)</P><P>&nbsp;</P><P>is it a problem with so many groups? the actual group i granted permission is&nbsp;<SPAN>db_admin.&nbsp;</SPAN></P> Fri, 16 Sep 2022 11:49:20 GMT jjiang 2022-09-16T11:49:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/56421#M63602 <P>&nbsp;hi, i actually met an issue when configure sentry with hive.</P><P>&nbsp;</P><P>basically if i&nbsp;configure hue security with&nbsp;desktop.auth.backend.AllowFirstUserDjangoBackend, and use a local user to query hive, it would be succesful to query the right database.</P><P>&nbsp;</P><P>but if i configure hue with AD server, and use an AD user to logon hue, it would not load any database that the user was supposed to have&nbsp;privileges on.</P><P>the AD user looks have more gourps:&nbsp;</P><P>&nbsp;</P><P>[root@ ~]# id jjiang<BR />uid=16777217(jjiang) gid=16777216(domain users) groups=16777216(domain users),502(db_admin),16777225,16777217(apacsysadmin),16777218(apac),16777226,16777239(apac_connectivity),16777227,16777219(itsystems),16777220(apac_it),16777228,16777247(apac_marketing_services),16777229,16777221(nantong office),16777230,16777222(ap_all_okta_users),16777223(okta_o365_users),16777224(ap-fp-general-users),16777231(ap_slack_itops)</P><P>&nbsp;</P><P>is it a problem with so many groups? the actual group i granted permission is&nbsp;<SPAN>db_admin.&nbsp;</SPAN></P> Fri, 16 Sep 2022 11:49:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/56421#M63602 jjiang 2022-09-16T11:49:20Z https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/56444#M63603 <P>i just noticed the error from sentry log:</P><P>&nbsp;</P><P><BR />2017-06-23 12:57:19,513 WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: unable to return groups for user jjiang<BR />PartialGroupNameException can't execute the shell command to get the list of group id for user 'jjiang'<BR />at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.resolvePartialGroupNames(ShellBasedUnixGroupsMapping.java:228)<BR />at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:133)<BR />at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:72)<BR />at org.apache.hadoop.security.Groups$GroupCacheLoader.fetchGroupList(Groups.java:356)<BR />at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:299)<BR />at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:257)<BR />at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)<BR />at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)<BR />at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)<BR />at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)<BR />at com.google.common.cache.LocalCache.get(LocalCache.java:3965)<BR />at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3969)<BR />at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4829)<BR />at org.apache.hadoop.security.Groups.getGroups(Groups.java:215)<BR />at org.apache.sentry.provider.common.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:60)<BR />at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.getGroupsFromUserName(SentryPolicyStoreProcessor.java:717)<BR />at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.getRequestorGroups(SentryPolicyStoreProcessor.java:684)<BR />at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.list_sentry_roles_by_group(SentryPolicyStoreProcessor.java:552)<BR />at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1017)<BR />at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1002)<BR />at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)<BR />at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)<BR />at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)<BR />at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)<BR />at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)<BR />at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<BR />at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<BR />at java.lang.Thread.run(Thread.java:745)<BR />Caused by: PartialGroupNameException Number of group names and ids do not match.&nbsp;</P><P>&nbsp;</P><P>could anyone help ?</P> Sun, 25 Jun 2017 06:12:11 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/56444#M63603 jjiang 2017-06-25T06:12:11Z https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/56543#M63604 <P>this is sloved with building up with a new AD. the problem was some goup id cant be resolved.</P> Tue, 27 Jun 2017 08:33:06 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/56543#M63604 jjiang 2017-06-27T08:33:06Z https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/63002#M63605 <P>Hi there.</P><P>&nbsp;</P><P>I have the same problem but I didn't understand the solution. What did you do? Sorry but I'm a little desperate here... <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Fri, 22 Dec 2017 12:32:41 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/63002#M63605 JoaoBarreto 2017-12-22T12:32:41Z https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/63040#M63606 <P>i built up a brand new AD environment instead of using the old one. the actual problem was it cant be resolved with group id for users.</P> Mon, 25 Dec 2017 08:22:39 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/63040#M63606 jjiang 2017-12-25T08:22:39Z https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/63080#M63607 I can't actually do that, cause the AD comes from a major company... and it's managed by them. <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><BR /><BR />Thanks for the reply! Wed, 27 Dec 2017 09:33:20 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/sentry-doesnt-work-based-on-AD/m-p/63080#M63607 JoaoBarreto 2017-12-27T09:33:20Z