Support Questions
Find answers, ask questions, and share your expertise
Announcements
Check out our newest addition to the community, the Cloudera Innovation Accelerator group hub.

AuthorizationException: Can´t gant roles to a user in HUE

Contributor

Hello,

 

I'm installing a new Cloudera 6.2 Cluster and I used to use The sentry policy file for creating roles, groups and users. Now I'm trying to migrate that to the sentry service configuration. But I'm stuck in this issue, and I think I missed a step.

 

This is what I did:

  1. Enable the sentry service in Hive and Impala.
  2. Enable Sentry Synchronization in HDFS.
  3. Create an admin user (in my case I used the impala user).
  4. Create a test group (group_testdb_admin) in the "Manage user" section in HUE.
  5. Create a test role (testdb_admin_role) in the security section. (server=server1  db=testdb  action=ALL)
  6. Assing the role to the group.
  7. Create a testuser1 and assigned the group that I just created to the user.

 

I can confirm that Sentry is Synchronized with HDFS:

 

sudo -u hdfs hdfs dfs -getfacl /user/hive/warehouse/testdb.db
group:group_testdb_admin:rwx

 

Also, the roles and groups are created

 

SHOW ROLE GRANT GROUP group_testdb_admin;
testdb_admin_role

 

But here is my problem. When I login as testuser1 and try to access the testdb database I get an AuthorizationException

 

show tables in testdb;
AuthorizationException: User 'usertest1' does not have privileges to access: testdb.*.*

 

 

Considerations:

- I'm not using a Kerberized Cluster.

- I didn't create the user in the local FS.

 

So, what step I'm missing?.

 

Regards,

 

Silva

 

 

 

 

1 REPLY 1

Guru
Hi Silva,

For sentry to work properly, you will need to have your cluster kerberized, you need to have authentication before authorization.

Also, you will need users both in local FS as well as in HDFS, as sentry will use the user on the host to do group mapping and match with the role.

Cheers
Eric