Support Questions

Okay, that worked, I was able to add values I needed. Prior I was mistakenly trying to add config to Hue Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml instead of Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini

I am still, however, getting transport error (my theory was that enabling Sentry should have solved that):
Could not connect to localhost:8038 (code THRIFTTRANSPORT): TTransportException('Could not connect to localhost:8038',)

I am going to troubleshoot HiveServer2 to make sure everything is running as expected there, as the error could point at some misconfigurations. I do think though that Cloudera Manager would have picked up if an issue with HiveServer2 was detected...

# beeline
Beeline version 0.13.1-cdh5.3.0 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000 org.apache.hive.jdbc.HiveDriver
scan complete in 2ms
Connecting to jdbc:hive2://localhost:10000
Enter password for jdbc:hive2://localhost:10000:
Error: Could not open connection to jdbc:hive2://localhost:10000: Peer indicated failure: Unsupported mechanism type PLAIN (state=08S01,code=0)
0: jdbc:hive2://localhost:10000 (closed)>

With the cluster being Kerberized, looks to me like some config still needs to be added here to enable kerberos vs plain as shown above in an error message.

With a kerberized cluster, your connect string needs to include the HS2 server principal, so:

jdbc:hive2://cdh53-1.qa.test.com:10000/default;principal=hive/cdh53-1.qa.test.com@TEST.COM

replace "cdh53-1.qa.test.com" with your fully qualified host and domain name.  Replace TEST.COM with the correct REALM.  Any time kerberos is in place, you must use the hostname and fully qualified domain name instead of localhost or hostname as kerberos checks depend on the FQDN.  Same is true of the Sentry server in your safety valve configuration, use the FQDN instead of localhost.

Added hostname to safety valve and restarted Hue service. Sentry service is definitely not running:

# ps auxfww | grep sentry

and

# netstat -anp | grep 8038

...return nothing, which explains my error in Hue.

However, I was able to test HiveServer2 with beeline shell using above recommendation for the string.

# beeline
Beeline version 0.13.1-cdh5.3.0 by Apache Hive
beeline> !connect jdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN
scan complete in 2ms
Connecting to jdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN
Enter username for jdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN:
Enter password for jdbc:hive2://cjdbc:hive2://MY_FQDN_HOSTNAME:10000/default;principal=hive/MY_FQDN_HOSTNAME@MY_DOMAIN:
Connected to: Apache Hive (version 0.13.1-cdh5.3.0)
Driver: Hive JDBC (version 0.13.1-cdh5.3.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://MY_FQDN_HOSTNAME:10> show databases;
+----------------+--+
| database_name  |
+----------------+--+
| default        |
| test           |
+----------------+--+
2 rows selected (0.178 seconds)

I am going over all steps outlined here http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_service_confi...

1. Permissions

$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehous

2. Disabled impersonation for HiveServer2 in the Cloudera Manager Admin Console

3. Set the Minimum User ID for Job Submission property to zero

4. Ensured the Allowed System Users property includes the hive user

5. Unchecked the Enable Sentry Authorization using Policy Files configuration property for both Hive and Impala under the Service-Wide > Policy File Based Sentry

In the Service-Wide category for Hue/Hive/Impala, I will need to set the Sentry Service property to Sentry, but the option is not listed still. Going over all pre-req's again.