Support Questions

Find answers, ask questions, and share your expertise

Hue with Impala editor with LDAP

avatar
Explorer

Hello all, 

 

I have been facing an issue for the past week where I can not access the Impala editor in hue. I have setup LDAP for Hue, Hive, and Impala and Impala is the only one not working via Hue. I am able to access impala via the command shell, but when I try to connect to impala through hue I get an error. "'hue' is not authorized to delegate to 'username'. User delegation is disabled" (impersination is enabled and I have set hue=* for the Proxy user configueration under the impala config in clouder manager). 

 

Also when I run the check configuration on the hue home page I see impala - No available impalad to send queries to.   

10 REPLIES 10

avatar
Champion

@mfulwiler

 

As you have access via CLI but getting issue only in Hue, it should be permission setup issue in Hue againts your user id.

 

You can try this: Hue -> Login as admin user (top right drop down and choose as admin) -> Permissions tab -> choose the required services like impala, etc against your user id

 

 

avatar
Explorer

Thanks for the reply @saranvisa 

 

After checking it looks like both users have permission to impala. 

 

I even tried to log in as the hue user and I get these two error messages. 


Screen Shot 2018-01-09 at 1.45.25 PM.png

avatar
Champion

@mfulwiler

 

 

Go to Cloudera Manager -> Hue -> Configuration -> Impala Service -> Pls make sure it is enabled

 

Also Please make sure that you meet the "Configuring Impala Delegation for Hue and BI Tools" details mentioned in the below link

 

https://www.cloudera.com/documentation/enterprise/5-5-x/topics/impala_authentication.html

 

 

avatar
Explorer

@saranvisa

 

I have gone through and checked all these things mentioned in the documents and they are all set corretly. Also implas service is enabled under the Hue.

 

 

avatar
Master Guru

@mfulwiler,

 

The "delegation is disabled" error occurs for one reason:

 

  if (authorized_proxy_user_config_.size() == 0) {
    error_msg << " User delegation is disabled.";
    return Status(error_msg.str());
  }

 

That means the daemon is not seeing the configuration you mentioned you added for hue=*.  Can you share a screen shot of your Cloudera Manager config and then also show us the "--authorized_proxy_user_config" value during the daemon startup?  It should be in your "/var/log/imapad/impald.INFO" most likely

 

Based on what we see in the error response, Impalad is not configured for delegation, so Hue cannot leverage delegation.

 

-Ben

avatar
Explorer

I must be missing someting as here is the cloudera config setting to allow hue but when I look in the impald.INFO file it doesnt show any thing is set. 


Screen Shot 2018-01-10 at 4.35.29 PM.png

avatar
Explorer

wouldn't let me add two screenshots to a post..


Screen Shot 2018-01-10 at 4.36.03 PM.png

avatar
Master Guru

@mfulwiler,

 

If that last screen shot is from your most recent start of the impala daemon, it appears that Cloudera Manager is not starting it with the change you made in the configuration. Please make sure you did restart Impala service after making the change to authorized_proxy_user_config.  This seems to be more an issue of your configuration for Impala in Cloudera Manager than Hue itself.

 

If you see the correct configuration in the above steps, please take a screen shot of the Proxy User Configuration as it appears so we can look for clues. It could be that another role configuration for Impalad is overriding the Service-Wide configuration.

 

I assume you are using Sentry, but want to confirm.  I don't think that Hue can utilize Impala impersonation if Impala is not implemented with Sentry.

avatar
Explorer

@bgooley

 

We are not using Sentry as the plan was to set up Ldap then get Sentry setup. Maybe I completely missed it but, I have not seen any documentation stating that Sentry is needed to have Hue impersonation impala.

 

I have verify it was restarted and just for kicks I restarted it again, but still not seeing anything in the config for authorized_proxy_user_config. Not really sure where to look to tell if another role is overriding the config.