Reply
New Contributor
Posts: 5
Registered: ‎11-22-2018

with Impala ODBC Server returned error for request OpenSession user is not authorized to delegate

i try to connect to a Cloudera 5.13 kerberizada from a bi tool (microstrategy) with an odbc Impala 2.5.41.1029, using delegated user, and recieve this error Impala ODBC server returned error for request OpenSession.Status Code : ERROR_STATUS.Error message User xxx is not authorized to delegate to yyy.

¿does anyone know why?

Cloudera Employee
Posts: 52
Registered: ‎11-17-2017

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

This looks like IMPALA-6973, Impala is checking 'auth_to_local' for the user authentication but not for the delegated user. As per the JIRA the workaround is to use uppercase when specifying the <user allowed to delegate> for Impala.

 

What do you think?

New Contributor
Posts: 5
Registered: ‎11-22-2018

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

it is not the problem since in both configurations (AD and Impal) the user xxx is in lowercase. another clue?

Cloudera Employee
Posts: 52
Registered: ‎11-17-2017

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

Was Impala delegation configured for MicroStrategy?

New Contributor
Posts: 5
Registered: ‎11-22-2018

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

Yes , the configuration was made according to the microstrategy documentation, there is something different that you know about that??

Cloudera Employee
Posts: 624
Registered: ‎03-23-2015

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

Can you please go to Impala Daemon's Web UI and under /varz page, find below config and share the value of it?

authorized_proxy_user_config

The use xxx need to be on the list.

In my lab, the value is "hue=*", meaning user "hue" can delegate as all users.
Highlighted
New Contributor
Posts: 5
Registered: ‎11-22-2018

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

This is the current value in the Impala Daemon's Web UI /varz page

 

authorized_proxy_user_config(string) 'hue=*;_qliksense=*;_microstrategy@CORPORATIVO.CL.CORP=*

 

there is more than one user configured.

 

 

 

 

New Contributor
Posts: 5
Registered: ‎11-22-2018

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

Hi EricL,

 

In the documentation of Configuring Impala Delegation for Hue and BI Tools 

found this comment : 

  • delegated_user and delegated_group must exist in the OS. So in you'r lab in wich OS they are created??

 

Thank's for you'r help

Cloudera Employee
Posts: 624
Registered: ‎03-23-2015

Re: with Impala ODBC Server returned error for request OpenSession user is not authorized to delegat

They should be proper Linux users, not kerberos principals. You might want to delete "@CORPORATIVO.CL.CORP" and try again?

I am using EL7.