Impala with sentry

Contributor

Hi,

I have recently set up Hive and Impala with LDAP authentication and am now implementing Sentry for role authorization. So far I have successfully set up Sentry as a service for Hive; however, I am unable to get the same results with Impala. I have added the users in LDAP to a user group which has "grant all on server server1". I know that these permissions work because they work correctly in Hive (perhaps they differ in Impala?).

This is the error that I receive after logging into the impala-shell once authenticated:

"ERROR: AuthorizationException: User 'xxxx' does not have privileges to access: default.*"

Now my guess is that this has something to do with Sentry and not LDAP integration, since Impala works fine once I disable the Sentry dependency. What I cannot find is where to declare the Sentry server for Impala to point to for permissions. The link listed below mentions a setting in the "/etc/default/impala" file (I cannot find this file). I believe that this is the root cause of my authorization issues, since the error appears after authenticating and Impala seems to have no way of understanding where to locate my permission list.

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho...

Thanks

Hi Jy,

Did you set Impala's dependency on Sentry? You need to set the dependency on Sentry in both the Hive service and the Impala service.

Thanks,
Darren

Contributor

Correct, I did. I believe that Sentry is working correctly; it is just that Impala does not know where the Sentry server is. In no steps did I point Impala at the Sentry server.

Thanks

Contributor

Looking at the guide from http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho... I am unable to find the following, see below.

In an environment managed by Cloudera Manager, the server name is specified through Impala > Service-Wide > Advanced > Server Name for Sentry Authorization.

I found this setting in Hive but not in Impala.

Explorer

Did you get this working? I was facing the same issue and I got it working by removing the configuration documented in the Sentry setup:

Configuring Impala as a Client for the Sentry Service
Set the following configuration properties in sentry-site.xml.
<property>
  <name>sentry.service.client.server.rpc-port</name>
  <value>3893</value>
</property>
<property>
  <name>sentry.service.client.server.rpc-address</name>
  <value>hostname</value>
</property>
<property>
  <name>sentry.service.client.server.rpc-connection-timeout</name>
  <value>200000</value>
</property>
<property>
  <name>sentry.service.security.mode</name>
  <value>none</value>
</property>
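
To check which of the four properties quoted in the post above a given sentry-site.xml actually sets before removing them, a small parser like the following can be used. It is an added example, not part of the original thread or of Cloudera's tooling; the sample file content and the `example.unrelated.property` name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The four properties quoted in the post above.
QUOTED_PROPERTIES = (
    "sentry.service.client.server.rpc-port",
    "sentry.service.client.server.rpc-address",
    "sentry.service.client.server.rpc-connection-timeout",
    "sentry.service.security.mode",
)

# Constructed sample; the last property name is a made-up placeholder.
SAMPLE = """<configuration>
  <property>
    <name>sentry.service.client.server.rpc-address</name>
    <value>hostname</value>
  </property>
  <property>
    <name>sentry.service.security.mode</name>
    <value>none</value>
  </property>
  <property>
    <name>example.unrelated.property</name>
    <value>1</value>
  </property>
</configuration>"""

def read_properties(xml_text):
    """Return {name: value} for every Hadoop-style <property> element."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError:
        # A bare run of <property> blocks, as pasted in the thread, has no
        # single root element, so wrap it and parse again.
        root = ET.fromstring("<configuration>%s</configuration>" % xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def quoted_overrides(xml_text):
    """Return only the properties from the post that the file sets."""
    props = read_properties(xml_text)
    return {k: props[k] for k in QUOTED_PROPERTIES if k in props}

if __name__ == "__main__":
    print(quoted_overrides(SAMPLE))
```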