Support Questions

Got Sentry service successfully added for Hue, Hive and Impala services. I am however now seeing a connection error when I try to load Sentry Tables:

 

timed out (code THRIFTSOCKET): None

 

The Hue error.log:

 

kerberos_    ERROR    handle_other(): Mutual authentication unavailable on 200 response

 

Sentry's log on node it is installed on:

 

ERROR sentry.org.apache.thrift.server.TThreadPoolServer: Error occurred during processing of message.
java.lang.RuntimeException: sentry.org.apache.thrift.transport.TTransportException
    at sentry.org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at sentry.org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:227)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: sentry.org.apache.thrift.transport.TTransportException
    at sentry.org.apache.thrift.transport.TIOStreamTransport.read(TIOStreamTransport.java:132)
    at sentry.org.apache.thrift.transport.TTransport.readAll(TTransport.java:84)
    at sentry.org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:182)
    at sentry.org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125)
    at sentry.org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253)
    at sentry.org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:1)
    at sentry.org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    ... 4 more

 

In Cloudera Manager Hue safety valve I have:

 

[libsentry]
# Hostname or IP of server.
hostname=cdh-foyer.platform.infochimps
# Port the sentry service is running on.
port=8038
# Sentry configuration directory, where sentry-site.xml is located.
sentry_conf_dir=/etc/sentry/conf

 

sentry-site.xml has default settings for "sentry.service.security.mode". It seems I should need to specify Kerberos here instead of "none", not sure if that is a requirement here is this config.

 

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <property>
        <name>sentry.service.security.mode</name>
        <value>none</value>
    </property>
    <property>
        <name>sentry.service.admin.group</name>
        <value>admin1</value>
    </property>
    <property>
        <name>sentry.service.allow.connect</name>
        <value>impala,hive,solr</value>
    </property>
    <property>
        <name>sentry.store.jdbc.url</name>
        <value>jdbc:derby:;databaseName=sentry_store_db;create=true</value>
    </property>
    <property>
        <name>sentry.store.jdbc.driver</name>
        <value>org.apache.derby.jdbc.EmbeddedDriver</value>
    </property>
</configuration>

Great!

And for information, look at the Hue configuration section and look at
Sentry, you should just need to check it and it will configure Hue
automatically (no need to use any safety valve or put the Sentry service on
the same host as Hue)

Romain