
AuthorizationException: Can't grant roles to a user in HUE


Hello,

 

I'm installing a new Cloudera 6.2 cluster. I used to use the Sentry policy file for creating roles, groups and users, and now I'm trying to migrate that to the Sentry service configuration. But I'm stuck on this issue, and I think I missed a step.

 

This is what I did:

  1. Enable the Sentry service in Hive and Impala.
  2. Enable Sentry Synchronization in HDFS.
  3. Create an admin user (in my case I used the impala user).
  4. Create a test group (group_testdb_admin) in the "Manage user" section in HUE.
  5. Create a test role (testdb_admin_role) in the security section. (server=server1  db=testdb  action=ALL)
  6. Assign the role to the group.
  7. Create a testuser1 user and assign the group that I just created to the user.

 

I can confirm that Sentry is synchronized with HDFS:

 

sudo -u hdfs hdfs dfs -getfacl /user/hive/warehouse/testdb.db
group:group_testdb_admin:rwx

 

Also, the roles and groups are created:

 

SHOW ROLE GRANT GROUP group_testdb_admin;
testdb_admin_role

 

But here is my problem. When I log in as testuser1 and try to access the testdb database, I get an AuthorizationException:

 

show tables in testdb;
AuthorizationException: User 'usertest1' does not have privileges to access: testdb.*.*

 

 

Considerations:

- I'm not using a Kerberized Cluster.

- I didn't create the user in the local FS.

 

So, what step am I missing?

 

Regards,

 

Silva

 

 

 

 


Re: AuthorizationException: Can't grant roles to a user in HUE

Hi Silva,

For Sentry to work properly, you will need to have your cluster kerberized; you need to have authentication before authorization.

Also, you will need users both in the local FS and in HDFS, as Sentry will use the user on the host to do group mapping and match with the role.

Cheers
Eric
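
The reply above says group mapping is done from the user on the host. The following is an added example, not part of the original thread: a shell check, run on the host that performs the group mapping, that tells apart a user who is missing from the host and a user who exists but is not in the group the role was granted to. The function name `check_group_mapping` is hypothetical; `testuser1` and `group_testdb_admin` are the names from the question.

```shell
#!/bin/sh
# Added example: check the OS-level group mapping for a user on this host.
# Usage: ./check_group_mapping.sh testuser1 group_testdb_admin

# check_group_mapping USER GROUP
# Returns: 0 = USER resolves on this host and is a member of GROUP
#          1 = USER resolves, but GROUP is not among its groups
#          2 = USER is unknown to this host (no passwd/LDAP/SSSD entry)
check_group_mapping() {
    cgm_user=$1
    cgm_group=$2

    # `id -Gn` asks the host's name service for every group of the user.
    if ! cgm_groups=$(id -Gn "$cgm_user" 2>/dev/null); then
        echo "MISSING: user '$cgm_user' does not exist on $(uname -n)"
        return 2
    fi

    # Compare each resolved group name with the group the role is granted to.
    for cgm_g in $cgm_groups; do
        if [ "$cgm_g" = "$cgm_group" ]; then
            echo "OK: '$cgm_user' is a member of '$cgm_group'"
            return 0
        fi
    done

    echo "NO MATCH: '$cgm_user' resolves to [$cgm_groups], not '$cgm_group'"
    return 1
}

# Run the check only when called with exactly two arguments.
if [ "$#" -eq 2 ]; then
    check_group_mapping "$1" "$2"
fi
```

A result of 2 means the account exists only in HUE and not on the host; a result of 1 means the HUE group membership has no matching OS group membership.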