Created on 12-21-2017 06:28 AM - edited 09-16-2022 05:39 AM
Hi.
My company is running a CDH cluster, with Hue set up with AD, Sentry and Hive. Below all this we also have Kerberos.
The main problem right now is that when Hive tries to search for the groups of a user, I get this error:
2017-12-21 14:12:57,687 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=0) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
2017-12-21 14:12:57,706 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=1) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
2017-12-21 14:12:57,724 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=2) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]
2017-12-21 14:12:57,724 WARN org.apache.sentry.provider.common.HadoopGroupMappingService: [HiveServer2-Handler-Pool: Thread-108]: Unable to obtain groups for ex76196
java.io.IOException: No groups found for user ex76196
at org.apache.hadoop.security.Groups.noGroupsForUser(Groups.java:190)
at org.apache.hadoop.security.Groups.access$400(Groups.java:69)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:307)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:257)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3969)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4829)
at org.apache.hadoop.security.Groups.getGroups(Groups.java:215)
at org.apache.sentry.provider.common.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:60)
at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.getGroups(HiveAuthzBinding.java:372)
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:395)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:449)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:312)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1201)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1188)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:143)
at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:215)
at org.apache.hive.service.cli.operation.Operation.run(Operation.java:326)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:425)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:402)
at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:258)
at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:500)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1313)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1298)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:746)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
When I try to set up Hive with AD/LDAP, it says that only Kerberos or AD/LDAP can be on. Anyone have any idea how to solve this?
The objective is basically give the AD groups permissions to the Hive tables.
Kind of lost right now... any ideas would be very appreciated.
Thanks.
Created 01-04-2018 09:36 PM
Created 01-05-2018 01:47 AM
Created 01-07-2018 01:09 PM
Please confirm that you are seeing exactly the same LDAP problem. "No groups found for user..." errors can have many causes. We would need to see the logs leading up to and including the error in order to understand if we are seeing exactly the same cause.
Ben
Created 12-03-2018 04:59 PM
Any resolution to this issue?
I am currently encountering the same issue. My setup is CDH5.15 with Oracle Directory Server.
All the groups and users described below were created in LDAP. All the groups and users show up in Hue as expected. But each operation in either Hive or Impala (through Hue) ends up in a "no groups for ..." error in the Sentry log.
https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_cm_users_principals.html
Created 12-04-2018 12:11 AM
I don't fully remember, but I think back then we had to use SSSD (via LDAP; we have another customer via keytab) to fetch the groups, with hadoop.security.group.mapping = org.apache.hadoop.security.ShellBasedUnixGroupsMapping.
That way we are able to fetch the groups of each user on the backend.
Created 01-07-2018 01:08 PM
Based on the stack trace and errors, you have HDFS configured for LDAP Group Mapping which means hadoop applications will resolve group membership via LDAP. The LDAP configuration is in your HDFS configuration.
This group lookup is outside of kerberos completely.
We see that the LDAP connection fails with "error code 49".
This means that the Bind DN and Bind DN Password provided in the Cloudera Manager HDFS configuration for LDAP Group Mapping do not match what is in the LDAP server you have configured for those group lookups.
Since the client cannot look up groups, the group is not found and the operation fails with the error.
To correct this, confirm with your LDAP administrator that the user and password you have configured are correct.
It is possible that the Active Directory user account you were using had its password changed, if this configuration worked at some time in the past.
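As an added example (not code from the thread, from Hadoop or from Cloudera), the following script decodes the LDAP result code and the Active Directory sub-code carried in LdapGroupsMapping warnings like the ones in the original post, and maps them to the setting to check first. The sample input is the three warnings from the post plus the Sentry line that follows them; the error-32 line is constructed to show the wrong-search-base branch. The property names in the hints are the standard Hadoop LdapGroupsMapping settings; the result-code and AD sub-code tables are the documented LDAP and AD values.

```python
import re
from collections import Counter

# Standard LDAP result codes that surface in javax.naming exceptions.
LDAP_RESULT_CODES = {
    32: "noSuchObject (search base or bind DN does not exist)",
    34: "invalidDNSyntax (malformed bind DN)",
    48: "inappropriateAuthentication (bind type rejected by the server)",
    49: "invalidCredentials (bind DN / password rejected)",
    50: "insufficientAccessRights (bind succeeded but the account may not read groups)",
}

# Sub-codes Active Directory appends after "data" when it returns result 49.
AD_49_SUBCODES = {
    "525": "user not found",
    "52e": "wrong password for an existing account",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LINE_RE = re.compile(
    r"Failed to get groups for user (?P<user>\S+) \(retry=(?P<retry>\d+)\)"
    r".*?\[LDAP: error code (?P<code>\d+)"
    r"(?:.*?\bdata (?P<sub>[0-9a-f]+))?"
)

# The three warnings from the original post, followed by the Sentry line that
# is not an LDAP bind failure and must be ignored by the parser.
SAMPLE_LOG = [
    "2017-12-21 14:12:57,687 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=0) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]",
    "2017-12-21 14:12:57,706 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=1) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]",
    "2017-12-21 14:12:57,724 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=2) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839]",
    "2017-12-21 14:12:57,724 WARN org.apache.sentry.provider.common.HadoopGroupMappingService: [HiveServer2-Handler-Pool: Thread-108]: Unable to obtain groups for ex76196",
]

# Constructed line (not from the thread) for a wrong search base, to exercise the other branch.
CONSTRUCTED_CODE_32 = (
    "2018-12-03 16:59:00,001 WARN org.apache.hadoop.security.LdapGroupsMapping: "
    "[HiveServer2-Handler-Pool: Thread-12]: Failed to get groups for user alice (retry=0) "
    "by javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: "
    "DSID-03100213, problem 2001 (NO_OBJECT), data 0, best match of: 'DC=example,DC=com']"
)


def decode_line(line):
    """Parse one LdapGroupsMapping warning; return None for lines that are not bind failures."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    code = int(m.group("code"))
    sub = m.group("sub")
    meaning = LDAP_RESULT_CODES.get(code, "unrecognised LDAP result code")
    if code == 49 and sub is not None:
        meaning += "; AD sub-code %s: %s" % (sub, AD_49_SUBCODES.get(sub, "unknown sub-code"))
    return {"user": m.group("user"), "retry": int(m.group("retry")),
            "code": code, "subcode": sub, "meaning": meaning}


def diagnose(lines):
    """Summarise a run of warnings: the dominant failure and the setting to check first."""
    decoded = [d for d in map(decode_line, lines) if d is not None]
    if not decoded:
        return {"failures": 0, "hint": "no LdapGroupsMapping bind failures found"}
    (code, sub), count = Counter((d["code"], d["subcode"]) for d in decoded).most_common(1)[0]
    meaning = next(d["meaning"] for d in decoded if (d["code"], d["subcode"]) == (code, sub))
    if code == 49:
        hint = ("check hadoop.security.group.mapping.ldap.bind.user and "
                "hadoop.security.group.mapping.ldap.bind.password (HDFS LDAP group mapping); "
                "retries will not help until the bind credentials are fixed")
    elif code == 32:
        hint = "check hadoop.security.group.mapping.ldap.base and the bind DN spelling"
    else:
        hint = "look up LDAP result code %d in the directory server's log" % code
    return {"failures": len(decoded), "repeated": count,
            "users": sorted({d["user"] for d in decoded}),
            "code": code, "subcode": sub, "meaning": meaning, "hint": hint}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print("%-9s %s" % (key + ":", value))
```

Run against the post's log, the summary reports three identical result-49 / data-52e failures for ex76196, which is AD's "wrong password for an existing account" and points at the bind password rather than at Kerberos or at the user being looked up. The parser returns None for the Sentry "Unable to obtain groups" line, so only the LDAP-side warnings drive the verdict.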
Created 01-23-2019 12:39 AM
I encountered the same error, but despite the fact that I set group mapping to LDAP in the HDFS group mapping with the appropriate bind user, in the Sentry log I'm getting a warning with ShellBasedUnixGroupsMapping and not LdapGroupsMapping. Need help with this ASAP.