Configuring Sentry via Hue Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml

Contributor

I am looking to add Sentry service to Hue. How do I add the below config using Cloudera Manager Safety Valve to enable Sentry?

 

[libsentry]
  # Hostname or IP of server.
  hostname=localhost
 
  # Port the sentry service is running on.
  port=8038
 
  # Sentry configuration directory, where sentry-site.xml is located.
  sentry_conf_dir=/etc/sentry/conf

 

Add'l details:

Kerberos (I know it is a pre-req) - YES

Cloudera version - CDH 5.3

 

Contributor

Followed all steps outlined here http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_service_confi... (configuring Sentry with Cloudera Manager) and Sentry is still not running.

Contributor

Got Sentry service successfully added for Hue, Hive and Impala services. I am however now seeing a connection error when I try to load Sentry Tables:

 

timed out (code THRIFTSOCKET): None

 

The Hue error.log:

 

kerberos_    ERROR    handle_other(): Mutual authentication unavailable on 200 response

 

Sentry's log on node it is installed on:

 

ERROR sentry.org.apache.thrift.server.TThreadPoolServer: Error occurred during processing of message.
java.lang.RuntimeException: sentry.org.apache.thrift.transport.TTransportException
    at sentry.org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at sentry.org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:227)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: sentry.org.apache.thrift.transport.TTransportException
    at sentry.org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:132)
    at sentry.org.apache.thrift.transport.TTransport.readAll(TTransport.java:84)
    at sentry.org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:182)
    at sentry.org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
    at sentry.org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
    at sentry.org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:1)
    at sentry.org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    ... 4 more

 

In Cloudera Manager Hue safety valve I have:

 

[libsentry]
# Hostname or IP of server.
hostname=cdh-foyer.platform.infochimps
# Port the sentry service is running on.
port=8038
# Sentry configuration directory, where sentry-site.xml is located.
sentry_conf_dir=/etc/sentry/conf

 

sentry-site.xml has default settings for "sentry.service.security.mode". It seems I should need to specify Kerberos here instead of "none", not sure if that is a requirement. Here is this config:

 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <property>
        <name>sentry.service.security.mode</name>
        <value>none</value>
    </property>
    <property>
        <name>sentry.service.admin.group</name>
        <value>admin1</value>
    </property>
    <property>
        <name>sentry.service.allow.connect</name>
        <value>impala,hive,solr</value>
    </property>
    <property>
        <name>sentry.store.jdbc.url</name>
        <value>jdbc:derby:;databaseName=sentry_store_db;create=true</value>
    </property>
    <property>
        <name>sentry.store.jdbc.driver</name>
        <value>org.apache.derby.jdbc.EmbeddedDriver</value>
    </property>
</configuration>
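
The mismatch raised in the post above (a Kerberized cluster whose sentry-site.xml still has `sentry.service.security.mode` set to `none`) can be checked mechanically. The following is an added example, not part of the original thread and not Cloudera's code; the function names, the `kerberized` flag and the `hue` client user are assumptions of the example, and the sample XML is constructed from the two relevant properties in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two relevant properties from the sentry-site.xml in the post.
SAMPLE_SITE_XML = """<configuration>
    <property>
        <name>sentry.service.security.mode</name>
        <value>none</value>
    </property>
    <property>
        <name>sentry.service.allow.connect</name>
        <value>impala,hive,solr</value>
    </property>
</configuration>
"""


def load_properties(xml_text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_sentry_site(xml_text, kerberized, client_users):
    """List mismatches between sentry-site.xml and what the cluster expects.

    kerberized and client_users are supplied by the operator (assumptions of
    this example); nothing here queries Cloudera Manager or the cluster.
    """
    props = load_properties(xml_text)
    findings = []
    mode = props.get("sentry.service.security.mode", "<unset>")
    expected = "kerberos" if kerberized else "none"
    if mode.lower() != expected:
        findings.append(f"sentry.service.security.mode={mode}, expected {expected}")
    allowed = {u.strip() for u in
               props.get("sentry.service.allow.connect", "").split(",") if u.strip()}
    for user in sorted(set(client_users) - allowed):
        findings.append(f"{user} missing from sentry.service.allow.connect")
    return findings


if __name__ == "__main__":
    # "hue" as the connecting service user is an assumption, not taken from the thread.
    for line in audit_sentry_site(SAMPLE_SITE_XML, True, ["hue", "hive", "impala"]):
        print("MISMATCH:", line)
```

Point it at the sentry-site.xml that the running service actually loads, since a file under `sentry_conf_dir` may differ from the configuration the Sentry server was started with.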

Contributor

Got everything to work! Thanks all for useful tips. Uninstalled and did another clean install - this time ensured that Sentry server is installed on same node where Hue, Hive and Impala services are also installed. My FreeIPA user does not have sufficient privileges to create roles but I will fix that 🙂

Great!

And for information, look at the Hue configuration section and look at
Sentry, you should just need to check it and it will configure Hue
automatically (no need to use any safety valve or put the Sentry service on
the same host as Hue)

Romain