Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Cloudera Security issue with Sentry

Labels:
avatar
author-rank fabiot
New Contributor

Created on ‎05-29-2017 02:50 PM - edited ‎09-16-2022 04:40 AM

Hi,

Me and my coworkers are trying to implement security with Sentry in a Cloudera Cluster (CDH 5.10.0), without success.
It's our first hadoop project, a PoC for a customer. Our main security requirement is grant/revoke select access to schemas/tables for HUE users.
Firstly, we setup a KDC server for Kerberos in order to centralize authentication then we followed the "Enable Kerberos" wizard in Cloudera Manager. Everything works fine.
After that, we added the Sentry Service then we followed the documentation to configure all services (in our case, HDFS, Hive, Hue).
All these services are up and running, but the HUE admin user doesn't have permission to manage permissions in Security App.

After a lot of changes in configuration and after reading the entire security section in Cloudera Documentation, we didn't reach our goal.

We don't understand how to manage users/permissions in hadoop ecossytem.
How hue users, cloudera manager users, apps/system users (hue, hive, hdfs), kerberos principals, HDFS permissions and Sentry are related in order to work properly?

 

3,207 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
mbigelow author-rank
Champion

Created ‎05-30-2017 03:01 PM

Well, that topic is pretty broad. Let me try to help get you going.

Hadoop and all the tools that run on it will use Kerberos authentication now that it is configured.
User and group mappings will still be handled at the OS level though. So if you do not have LDAP and have it integrated at the OS level you will need to create local users and groups in the OS on all nodes.
Second, both CM and HUE have their own auth backend configuration and authorization. You can integrate both with LDAP, if you have it, or SAML/SSO. If not, you will need to create the users in those systems as well. The HUE users need to match the first portion, the username, of the principal in the KDC.

Now for the specific item you mentioned the HUE admin not having access to the Security app. HUE has its own groups and permissions. So you will need to add that user to have access to the Security app. You will need a HUE superuser account to do this (this is probably the HUE admin you mentioned).

View solution in original post

3,289 Views
1
3 REPLIES 3

avatar
mbigelow author-rank
Champion

Created ‎05-30-2017 03:01 PM

Well, that topic is pretty broad. Let me try to help get you going.

Hadoop and all the tools that run on it will use Kerberos authentication now that it is configured.
User and group mappings will still be handled at the OS level though. So if you do not have LDAP and have it integrated at the OS level you will need to create local users and groups in the OS on all nodes.
Second, both CM and HUE have their own auth backend configuration and authorization. You can integrate both with LDAP, if you have it, or SAML/SSO. If not, you will need to create the users in those systems as well. The HUE users need to match the first portion, the username, of the principal in the KDC.

Now for the specific item you mentioned the HUE admin not having access to the Security app. HUE has its own groups and permissions. So you will need to add that user to have access to the Security app. You will need a HUE superuser account to do this (this is probably the HUE admin you mentioned).
3,290 Views
1

avatar
author-rank fabiot
New Contributor

Created ‎06-01-2017 11:31 AM

Thanks for your explanation @mbigelow. We'll setup and integrate an LDAP server in our environment. 

3,153 Views
0 Kudos

avatar
author-rank PavelZeger
Explorer

Created ‎01-24-2019 06:43 AM

Can you please explain if it is necessary, when integrating LDAP, still create users and groups on OS level or it needs for service users only such hive, impala, hdfs and etc? Whta is the role of SSSD or Centrify in this case? As I understand we can create various groups in LDAP and not in OS.

2,022 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements