Support Questions
Find answers, ask questions, and share your expertise

AuthorizationException: Can´t gant roles to a user in HUE




I'm installing a new Cloudera 6.2 Cluster and I used to use The sentry policy file for creating roles, groups and users. Now I'm trying to migrate that to the sentry service configuration. But I'm stuck in this issue, and I think I missed a step.


This is what I did:

  1. Enable the sentry service in Hive and Impala.
  2. Enable Sentry Synchronization in HDFS.
  3. Create an admin user (in my case I used the impala user).
  4. Create a test group (group_testdb_admin) in the "Manage user" section in HUE.
  5. Create a test role (testdb_admin_role) in the security section. (server=server1  db=testdb  action=ALL)
  6. Assing the role to the group.
  7. Create a testuser1 and assigned the group that I just created to the user.


I can confirm that Sentry is Synchronized with HDFS:


sudo -u hdfs hdfs dfs -getfacl /user/hive/warehouse/testdb.db


Also, the roles and groups are created


SHOW ROLE GRANT GROUP group_testdb_admin;


But here is my problem. When I login as testuser1 and try to access the testdb database I get an AuthorizationException


show tables in testdb;
AuthorizationException: User 'usertest1' does not have privileges to access: testdb.*.*




- I'm not using a Kerberized Cluster.

- I didn't create the user in the local FS.


So, what step I'm missing?.










Hi Silva,

For sentry to work properly, you will need to have your cluster kerberized, you need to have authentication before authorization.

Also, you will need users both in local FS as well as in HDFS, as sentry will use the user on the host to do group mapping and match with the role.

; ;