Support Questions

sunilosunil · ‎08-16-2017

Environment CDH 5.12, OPEN LDAP

We've enabled LDAP auth on Impala and it's working fine except in HUE. When I try to launch HUE/Impala Editor it fails with this error in GUI.

We have configured safety valve in HUE with this.

[desktop]
ldap_username=ldaptest
ldap_password=ldaptest

I'm logging into HUE as user cloudera ( FYI ; we don't have LDAP enabled on HUE ; cloudera is just a user managed within HUE )

User 'ldaptest' is not authorized to delegate to 'cloudera'.

Bad status for request TOpenSessionReq(username='hue', password=None, client_protocol=6, configuration={'idle_s

ession_timeout': '3600', 'impala.doas.user': u'cloudera'}): TOpenSessionResp(status=TStatus(errorCode=None, errorMessage="User 'ldaptest' is not authorized to delegate to 'cloudera'.\n", sqlState='HY000', infoMessages=None, statusCode=3), sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x06\xd1\xc8\xe5\xd2\xc1Ck\xbd\xc7\xc5\xdb\xc5\x12\xdb\x8b', guid='*QiZ\xb0\xc7H\x0f\x8c5\xec\x14\xdf*7H')), configuration=None, serverProtocolVersion=5)

How can I enable user ldaptest to be able to delegate to cloudera ?

sunilosunil · ‎08-17-2017

Actualy I figured out. I had to configure Impala to allow user ldaptest to impersonate as user cloudera ( hue login).

I appended this to the cloudera manager property Proxy User Configuration ( authorized_proxy_user_config )

hue=*;ldaptest=cloudera

So user hue can impersonate anyone and user 'ldaptest' can impersonate as 'cloudera'.

View solution in original post

Fawze · ‎08-17-2017

@sunilosunil Are you using cloudera manager:

Authentication Backend desktop.auth.backend.LdapBackend
LDAP URL ldap://your_ldap_url
LDAP Search Base
LDAP Bind User
LDAP Bind Password
LDAP User Filter
LDAP Username Attribute
LDAP Group Filter
LDAP Group Name Attribute
LDAP Group Membership Attribute
Active Directory Domain

You need your system admin to create you a user in the LDAP and provide you with this parameters.

Then you can just restart Hue service

sunilosunil · ‎08-17-2017

Actualy I figured out. I had to configure Impala to allow user ldaptest to impersonate as user cloudera ( hue login).

I appended this to the cloudera manager property Proxy User Configuration ( authorized_proxy_user_config )

hue=*;ldaptest=cloudera

So user hue can impersonate anyone and user 'ldaptest' can impersonate as 'cloudera'.

Telematics · ‎09-07-2017

Where exactly was this entry made?I am facing the same issue even after making the entry Proxy User Configuration authorized_proxy_user_config under Impala service wide.

bgooley · ‎09-07-2017

@Telematics,

In Cloudera Manager, edit Proxy User Configuration

What did you enter in the field?

It should look like this, for example:

joe=alice,bob;hue=*;admin=*

See the Description of Proxy User Configuration in Cloudera Manager (click the question mark next to the property)

-Ben

Cloudera Community

Support Questions

HUE with IMPALA with LDAP, SENTRY enabled

Impala writes on Iceberg

Hue - Sentry tables - Tables dissapear when enable...

Connecting Nifi to LDAP with Docker

Impala LDAP authentication issues

Apache Ranger LDAP / LDAPS configuration

How to Connect to Impala Using the Power BI Deskto...

Enable LDAP Authentication on Hive caused HUE to n...

LDAP enable for Activity Explorer Dashboard

HUE LDAP authentication TLS issue

Ranger Ldap Integration