
Configuring Sentry via Hue Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml

Contributor

I am looking to add Sentry service to Hue. How to I add below config using Cloudera Manager Safety Valve to enable Sentry?

 

[libsentry]
  # Hostname or IP of server.
  hostname=localhost
 
  # Port the sentry service is running on.
  port=8038
 
  # Sentry configuration directory, where sentry-site.xml is located.
  sentry_conf_dir=/etc/sentry/conf

 

Add'l details:

Kerberos (I know it is a pre-req) - YES

Cloudera version - CDH 5.3

 

Accepted Solutions

For Sentry, you need to check that a Sentry service exists and that Hue is
configured to point to it; this is something other than Hue itself.


Contributor

Got everything to work! Thanks all for useful tips. Uninstalled and did another clean install - this time ensured that Sentry server is installed on same node where Hue, Hive and Impala services are also installed. My FreeIPA user does not have sufficient privileges to create roles but I will fix that 🙂


13 REPLIES

*Note:* To override a value in Cloudera Manager, you need to enter verbatim
each mini section from below into the Hue Safety Valve:
Hue Service → Configuration → Service-Wide → Advanced → Hue Service
Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini

http://gethue.com/how-to-configure-hue-in-your-hadoop-cluster/

Romain

Contributor

Okay, that worked, I was able to add the values I needed. Prior to that I was mistakenly trying to add the config to Hue Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml instead of Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini.

 

I am still, however, getting transport error (my theory was that enabling Sentry should have solved that):
Could not connect to localhost:8038 (code THRIFTTRANSPORT): TTransportException('Could not connect to localhost:8038',)

Contributor

I am going to troubleshoot HiveServer2 to make sure everything is running as expected there, as the error could point at some misconfigurations. I do think though that Cloudera Manager would have picked up if an issue with HiveServer2 was detected...

Contributor

# beeline
Beeline version 0.13.1-cdh5.3.0 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000 org.apache.hive.jdbc.HiveDriver
scan complete in 2ms
Connecting to jdbc:hive2://localhost:10000
Enter password for jdbc:hive2://localhost:10000:
Error: Could not open connection to jdbc:hive2://localhost:10000: Peer indicated failure: Unsupported mechanism type PLAIN (state=08S01,code=0)
0: jdbc:hive2://localhost:10000 (closed)>

 

With the cluster being Kerberized, looks to me like some config still needs to be added here to enable kerberos vs plain as shown above in an error message.

localhost:8038 means that Sentry server is not running on the Hue machine.

The other error might be because you don't use the good connection string.
Please check the Cloudera Doc security guide about that

Romain

Expert Contributor

With a kerberized cluster, your connect string needs to include the HS2 server principal, so:

 

jdbc:hive2://cdh53-1.qa.test.com:10000/default;principal=hive/cdh53-1.qa.test.com@TEST.COM

 

Replace "cdh53-1.qa.test.com" with your fully qualified host and domain name. Replace TEST.COM with the correct REALM. Any time Kerberos is in place, you must use the hostname and fully qualified domain name instead of localhost or the short hostname, as Kerberos checks depend on the FQDN. The same is true of the Sentry server in your safety valve configuration: use the FQDN instead of localhost.
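The two mistakes in this thread (hostname=localhost in the [libsentry] section of the question, and a connect string without the FQDN and HS2 principal) can be caught before restarting Hue. The preflight script below is an added example, not code from the thread, Hue or Cloudera; it assumes POSIX sh with awk, that nc is available for the port probe, and it uses a constructed copy of the posted safety valve section as input.

```shell
# Added preflight check, not from this thread or from Cloudera/Hue: read the
# [libsentry] section of hue_safety_valve.ini, flag the two problems hit above
# (hostname=localhost on a Kerberized cluster, a Sentry port nothing answers on)
# and build the HS2 connect string the way the reply describes.

# Constructed sample mirroring the section posted in the question.
SAMPLE_INI="${TMPDIR:-/tmp}/hue_safety_valve.sample.ini"
cat > "$SAMPLE_INI" <<'EOF'
[desktop]
  http_port=8888
[libsentry]
  # Hostname or IP of server.
  hostname=localhost
  # Port the sentry service is running on.
  port=8038
EOF
# ini_get FILE SECTION KEY: print KEY's value inside [SECTION], empty if unset.
ini_get() {
  awk -v sec="[$2]" -v key="$3" '
    $1 == sec   { insec = 1; next }
    $1 ~ /^\[/  { insec = 0 }
    insec && index($1, "=") { split($1, kv, "="); if (kv[1] == key) { print substr($1, length(key) + 2); exit } }
  ' "$1"
}
# check_sentry_host HOST: 0 only for an FQDN (Kerberos SPN checks need one).
check_sentry_host() {
  case "$1" in
    ""|localhost|127.*|::1) return 1 ;;   # loopback: Hue would be talking to itself
    *.*[A-Za-z]*)          return 0 ;;   # has a domain part
    *)                     return 1 ;;   # short name or bare IP
  esac
}
# sentry_listening HOST PORT: 0 if something accepts TCP there (assumes nc exists).
sentry_listening() {
  command -v nc >/dev/null 2>&1 || { echo "nc missing; run 'netstat -anp | grep $2' on $1" >&2; return 2; }
  nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}
# hs2_url FQDN REALM: Kerberos JDBC string; refuses localhost or a short name.
hs2_url() {
  check_sentry_host "$1" || { echo "'$1' is not an FQDN" >&2; return 1; }
  echo "jdbc:hive2://$1:10000/default;principal=hive/$1@$2"
}
# preflight FILE: run both checks on the Hue side; 0 only when both pass.
preflight() {
  host=$(ini_get "$1" libsentry hostname); port=$(ini_get "$1" libsentry port); rc=0
  check_sentry_host "$host" && echo "ok: hostname=$host" || { echo "FAIL: '$host' is not an FQDN"; rc=1; }
  sentry_listening "$host" "${port:-8038}" && echo "ok: $host:$port answers" || { echo "FAIL: nothing on $host:${port:-8038}"; rc=1; }
  return $rc
}
```

Running `preflight "$SAMPLE_INI"` reproduces both failures from the thread; point it at your own hue_safety_valve.ini to check the real values.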

Contributor

Added hostname to safety valve and restarted Hue service. Sentry service is definitely not running:

# ps auxfww | grep sentry

and

# netstat -anp | grep 8038


...return nothing, which explains my error in Hue.

 

However, I was able to test HiveServer2 with beeline shell using above recommendation for the string.

 

# beeline
Beeline version 0.13.1-cdh5.3.0 by Apache Hive
beeline> !connect jdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN
scan complete in 2ms
Connecting to jdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN
Enter username for jdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN:
Enter password for jdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN:
Connected to: Apache Hive (version 0.13.1-cdh5.3.0)
Driver: Hive JDBC (version 0.13.1-cdh5.3.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://MY_FQDN_HOSTNAME:10> show databases;
+----------------+--+
| database_name  |
+----------------+--+
| default        |
| test           |
+----------------+--+
2 rows selected (0.178 seconds)


Contributor

I am going over all steps outlined here http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_service_confi...

 

1. Permissions

$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse

 

2. Disabled impersonation for HiveServer2 in the Cloudera Manager Admin Console

3. Set the Minimum User ID for Job Submission property to zero

4. Ensured the Allowed System Users property includes the hive user

5. Unchecked the Enable Sentry Authorization using Policy Files configuration property for both Hive and Impala under the Service-Wide > Policy File Based Sentry

 

In the Service-Wide category for Hue/Hive/Impala, I will need to set the Sentry Service property to Sentry, but the option is not listed still. Going over all pre-req's again.