
Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue




I am practicing on the QuickStart VM. I kerberized it, then enabled Sentry for Hive, Impala and Hue as mentioned in this link( 


After this I kerberized Hue as mentioned in this link ( Before kerberizing Hue, the Hue users could access Hive databases/tables as prescribed by Sentry roles. However, after kerberizing Hue, I am getting the following error when I try to log in to Hue as any user:

Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credentials cache file '/var/run/hue/hue_krb5_ccache' not found)

Also, the Kerberos Ticket Renewer is down and gives the following error when I try to restart it:


Can't open /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/ Permission denied.
Can't open /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/proc.json: Permission denied.
+ replace_conf_dir_env_vars KRB5_KTNAME
/usr/lib64/cmf/service/hue/ line 123: replace_conf_dir_env_vars: command not found
+ make_scripts_executable
+ find /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER -regex '.*\.\(py\|sh\)$' -exec chmod u+x '{}' ';'
+ '[' kt_renewer == beeswax_server ']'
+ set_classpath_in_var HADOOP_EXTRA_CLASSPATH_STRING
+ [[ -n /usr/share/cmf ]]
++ find /usr/share/cmf/lib/plugins -maxdepth 1 -name '*.jar'
++ tr '\n' :
+ ADD_TO_CP=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar:
+ [[ -n '' ]]
+ NEW_VALUE=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar:
+ export HADOOP_EXTRA_CLASSPATH_STRING=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar
+ HADOOP_EXTRA_CLASSPATH_STRING=/usr/share/cmf/lib/plugins/event-publish-5.12.0-shaded.jar:/usr/share/cmf/lib/plugins/tt-instrumentation-5.12.0.jar
+ HUE=/usr/lib/hue/build/env/bin/hue
+ [[ kt_renewer == runcpserver ]]
+ [[ kt_renewer == kt_renewer ]]
+ '[' -d /usr/kerberos/bin ']'
++ which kinit
+ KINIT_PATH=/usr/bin/kinit
+ KINIT_PATH=/usr/bin/kinit
+ perl -pi -e 's#{{KINIT_PATH}}#/usr/bin/kinit#g' /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/hue.ini /var/run/cloudera-scm-agent/process/286-hue-KT_RENEWER/hue_safety_valve.ini
+ '[' dumpdata = kt_renewer ']'
+ '[' syncdb = kt_renewer ']'
+ '[' ldaptest = kt_renewer ']'
+ exec /usr/lib/hue/build/env/bin/hue kt_renewer

Can someone help me solve this issue? I searched a lot, but it seems I am the only one who has come across this issue.






Re: Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue


Hi @mohitvarshney



I am sorry to say you appear to have found a documentation bug the hard way.  The documentation you found was intended to be how to enable the Kerberos authentication (SPNEGO) for clients connecting to Hue.  Instead, it showed you how to configure Kerberos authentication from Hue to other components if you are not using Cloudera Manager.


Since you are using Cloudera Manager, you do not need to perform those steps to have Hue communicate with other services via Kerberos.


What I recommend is reverting the changes from "Configuring Kerberos Authentication for Hue", restarting Hue, then testing. Cloudera Manager should have managed all the necessary Kerberos configuration for you.


I'll work with the documentation team to get this documentation corrected.


NOTE:  make sure you are using the 5.12 documentation since that is the version of Cloudera Manager and CDH you are using:




Re: Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue

Hi @bgooley,


Thanks for the help here. I followed your suggestions and all the errors/warnings are gone. However now the scenario is as follows:


- A Hue user 'A' of the 'sales' group, who also has an account in Linux in the 'sales' group, has access to Hive databases as enabled in Sentry.

- A new Hue user 'B' in the 'sales' group does not have access to the same databases which 'A' has. However, this user gets all the access of the 'sales' group as soon as I create his account in Linux.


After creating his account, I did not even add a principal for him, and without generating a Kerberos ticket he got the access in Hue. How come Kerberos is working for this 'B' user? This suggests that Kerberos did not work for this new Hue user. Please suggest.





Re: Hue users lost access to sentry enabled hive databases/tables after Kerberizing Hue

Hi @bgooley


Can you help me with the above problem? Basically, I want to restrict Hue users from accessing Hive tables without generating a Kerberos token. As of now, all the Hue users are able to access them even if their Kerberos token has expired. However, if I access the same database through the command line as that user, it's working fine and asks for a Kerberos token if one has not already been generated, but Hue is bypassing Kerberos.



