Created on 02-16-2015 03:29 PM - edited 09-16-2022 02:21 AM
I am trying to evaluate Sentry in the CDH5.3 virtual machine provided by Cloudera. Unfortunately I am having a lot of problems getting it to even work and I thought I'd check that my assumption that I can even get it to work is correct.
In this ( http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_sentry_service.ht... ) documentation the prerequisites say:
I don't have Kerberos or LDAP (since I'm in the virtual machine) so I override the HiveServer2/Hive Metastore requirement for strong authentication.
The last prerequisite says I need to implement Kerberos authentication. Is this only if I want Impala to work, or will it stop Sentry from working entirely?
Thanks
Ty
Created 02-16-2015 04:10 PM
Sentry is a service for strong authorization over a Hadoop cluster, so the cluster needs to be strongly authenticated using Kerberos or LDAP before you integrate Sentry.
Created 02-16-2015 04:12 PM
Just to be 100% sure, are you saying that it is not possible to implement Sentry with the virtual machine alone since it does not have any Kerberos functionality inbuilt?
Created 02-16-2015 04:41 PM
Kerberos (KDC) is not included with the VM, but you can easily configure a KDC server by yourself in the VM.
I usually run krb-bootstrap for this kind of test purpose: https://github.com/daisukebe/krb-bootstrap.
Created 02-16-2015 04:45 PM
Thanks I'll give it a try.
Created 02-16-2015 05:00 PM
Created 02-16-2015 09:30 PM
I'm afraid it's not smooth sailing on this one. I found the github project here: https://github.com/esammer/krb-bootstrap
It all seems to work ok. I seem to get Kerberos and a realm (CLOUDERA) and a principal (cloudera-scm/admin). After some searching I managed to set the password for cloudera-scm/admin using the command line tool kadmin.local
Unfortunately when I get to step 5 (import KDC Account Manager Credentials) of the Cloudera Manager Kerberos setup wizard I get the following message. I'm afraid I'm stuck again and could use some help if anyone knows how to get past this problem.
/usr/share/cmf/bin/import_credentials.sh failed with exit code 1 and output of <<
+ export PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ PATH=/usr/kerberos/bin:/usr/kerberos/sbin:/usr/lib/mit/sbin:/usr/sbin:/sbin:/usr/sbin:/bin:/usr/bin
+ KEYTAB_OUT=/var/run/REDACTED-scm-server/cmf242896655772090475.keytab
+ USER=REDACTED-scm/admin@CLOUDERA
+ PASSWD=REDACTED
+ KVNO=1
+ SLEEP=0
+ RHEL_FILE=/etc/redhat-release
+ '[' -f /etc/redhat-release ']'
+ set +e
+ grep Tikanga /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'CentOS release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ '[' 0 -eq 0 ']'
+ grep 'Scientific Linux release 5' /etc/redhat-release
+ '[' 1 -eq 0 ']'
+ set -e
+ '[' -z /etc/krb5.conf ']'
+ echo 'Using custom config path '\''/etc/krb5.conf'\'', contents below:'
+ cat /etc/krb5.conf
+ IFS=' '
+ read -a ENC_ARR
+ for ENC in '"${ENC_ARR[@]}"'
+ echo 'addent -password -p REDACTED-scm/admin@CLOUDERA -k 1 -e des-hmac-sha1'
+ '[' 0 -eq 1 ']'
+ echo REDACTED
+ echo 'wkt /var/run/REDACTED-scm-server/cmf242896655772090475.keytab'
+ ktutil
+ chmod 600 /var/run/REDACTED-scm-server/cmf242896655772090475.keytab
+ kinit -k -t /var/run/REDACTED-scm-server/cmf242896655772090475.keytab REDACTED-scm/admin@CLOUDERA
kinit: Key table entry not found while getting initial credentials
>>
Created 02-16-2015 09:39 PM
OK, I posted too soon. I seem to have solved it.
I added all the key algorithms that kadmin.local listed when I did a get_principal on the cloudera-scm/admin principal.
Restarting the cluster now...
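The check that the fix above implies, as an added example that is not part of the thread and not Cloudera's or krb-bootstrap's code: compare the (kvno, enctype) pairs that the `addent` lines in the trace write into the keytab with the keys `get_principal` lists for the principal. The key list and the principal name in the samples are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed, function names are hypothetical.

# Constructed key lines in the format kadmin.local's get_principal prints.
GETPRINC_SAMPLE='Principal: cloudera-scm/admin@CLOUDERA
Number of keys: 3
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, arcfour-hmac, no salt'

# The addent line from the import_credentials.sh trace (principal name constructed).
TRACE_SAMPLE="+ echo 'addent -password -p cloudera-scm/admin@CLOUDERA -k 1 -e des-hmac-sha1'"

# stdin: get_principal output -> one "kvno enctype" pair per key held by the KDC.
kdc_keys() {
  sed -n 's/^Key: vno \([0-9][0-9]*\), \([^,]*\).*/\1 \2/p'
}

# stdin: bash -x trace -> one "kvno enctype" pair per ktutil addent command.
keytab_keys() {
  sed -n 's/.*addent .* -k \([0-9][0-9]*\) -e \([A-Za-z0-9-]*\).*/\1 \2/p'
}

# $1 = pairs to test, $2 = reference pairs, $3 = "in" or "out".
# Prints the pairs from $1 that are (in) or are not (out) present in $2.
filter_pairs() {
  printf '%s\n' "$1" | while read -r kvno enc; do
    [ -n "$enc" ] || continue
    if printf '%s\n' "$2" | grep -Fxq "$kvno $enc"; then
      if [ "$3" = in ]; then echo "$kvno $enc"; fi
    else
      if [ "$3" = out ]; then echo "$kvno $enc"; fi
    fi
  done
}

# $1 = get_principal output, $2 = trace.
# usable_keys: keytab entries the KDC also holds. missing_keys: KDC keys absent from the keytab.
usable_keys()  { filter_pairs "$(printf '%s\n' "$2" | keytab_keys)" "$(printf '%s\n' "$1" | kdc_keys)" in; }
missing_keys() { filter_pairs "$(printf '%s\n' "$1" | kdc_keys)" "$(printf '%s\n' "$2" | keytab_keys)" out; }

if [ -z "$(usable_keys "$GETPRINC_SAMPLE" "$TRACE_SAMPLE")" ]; then
  echo "keytab shares no (kvno, enctype) pair with the KDC; KDC keys not in the keytab:"
  missing_keys "$GETPRINC_SAMPLE" "$TRACE_SAMPLE"
fi
```

On a real host, pipe the actual `get_principal` output and the wizard's error text into `kdc_keys` and `keytab_keys` instead of the samples.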
Created 02-16-2015 09:45 PM
The original script Eric Sammer wrote up used to work when CM didn't have the wizard which enables Kerberos. I made some changes to his.
Please use mine instead and specify the password as cloudera in the wizard.
See also step 7 on my GitHub page.
https://github.com/daisukebe/krb-bootstrap
daisukebe has changed the behavior for configuring Kerberos with Cloudera Manager 5.1 (and above). Then this script just generates a principal as cloudera-scm/admin for CM with a password as 'cloudera'.
Created 02-16-2015 09:46 PM
Before you do try mine, please uninstall the krb5-server and krb5-workstation packages.