Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Impala with sentry

Highlighted

Impala with sentry

Explorer

Hi,

 

I have recently setup hive and impala with LDAP authentication and am now implementing sentry for role authorization. So far I have successfully setup sentry as a service for hive, however, I am unable to get the same results with impala. I have added the users in ldap to a user group which has "grant all on server server1". I know that these permissions work because they work correctly in hive (perhaps they differ in impala?).

 

This is the following error that I receive after logging into the impala-shell once authenticating.

"ERROR: AuthorizationException: User 'xxxx' does not have privileges to access: default.*"

 

Now my guess is that this has something to do with sentry and not ldap integration since impala works fine once I disable the sentry dependancy. What I cannot find is where to declare the sentry server for impala to point to for permissions.  The link listed below mentions a setting in the "/etc/default/impala" file (I cannot find this file). I believe that this is the root cause for my authorization issues sense the error appears after authenticating and impala seems to have no way of understanding where to locate my permission list.

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho...

 

Thanks

4 REPLIES 4

Re: Impala with sentry

Hi Jy,

Did you set Impala's dependency on Sentry? You need to set the dependency on Sentry in both the Hive service and the Impala service.

Thanks,
Darren

Re: Impala with sentry

Explorer

Correct, I did. I believe that sentry is working correctly it is just that impala does not know where the sentry server is. In no steps did I point impala at the sentry server.

 

Thanks

Re: Impala with sentry

Explorer

Looking at the the guide from http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho... I am unable to find the following see below.

 

In an environment managed by Cloudera Manager, the server name is specified through Impala > Service-Wide > Advanced > Server Name for Sentry Authorization.

 

I found this setting in hive but not in impala.

Re: Impala with sentry

New Contributor

Did you get this working? I was facing the same issue and I get it working by removing the configuration documeted in the Sentry setup:

Configuring Impala as a Client for the Sentry Service
Set the following configuration properties in sentry-site.xml.
<property>
<name>sentry.service.client.server.rpc-port</name>
<value>3893</value>
</property>
<property>
<name>sentry.service.client.server.rpc-address</name>
<value>hostname</value>
</property>
<property>
<name>sentry.service.client.server.rpc-connection-timeout</name>
<value>200000</value>
</property>
<property>
<name>sentry.service.security.mode</name>
<value>none</value>
</property>

 
Don't have an account?
Coming from Hortonworks? Activate your account here