Support Questions
Find answers, ask questions, and share your expertise
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

AuthorizationException: Can´t gant roles to a user in HUE

AuthorizationException: Can´t gant roles to a user in HUE




I'm installing a new Cloudera 6.2 Cluster and I used to use The sentry policy file for creating roles, groups and users. Now I'm trying to migrate that to the sentry service configuration. But I'm stuck in this issue, and I think I missed a step.


This is what I did:

  1. Enable the sentry service in Hive and Impala.
  2. Enable Sentry Synchronization in HDFS.
  3. Create an admin user (in my case I used the impala user).
  4. Create a test group (group_testdb_admin) in the "Manage user" section in HUE.
  5. Create a test role (testdb_admin_role) in the security section. (server=server1  db=testdb  action=ALL)
  6. Assing the role to the group.
  7. Create a testuser1 and assigned the group that I just created to the user.


I can confirm that Sentry is Synchronized with HDFS:


sudo -u hdfs hdfs dfs -getfacl /user/hive/warehouse/testdb.db


Also, the roles and groups are created


SHOW ROLE GRANT GROUP group_testdb_admin;


But here is my problem. When I login as testuser1 and try to access the testdb database I get an AuthorizationException


show tables in testdb;
AuthorizationException: User 'usertest1' does not have privileges to access: testdb.*.*




- I'm not using a Kerberized Cluster.

- I didn't create the user in the local FS.


So, what step I'm missing?.










Re: AuthorizationException: Can´t gant roles to a user in HUE

Hi Silva,

For sentry to work properly, you will need to have your cluster kerberized, you need to have authentication before authorization.

Also, you will need users both in local FS as well as in HDFS, as sentry will use the user on the host to do group mapping and match with the role.

Don't have an account?
Coming from Hortonworks? Activate your account here