Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Impala with sentry

avatar
author-rank Jy
Contributor

Created on ‎01-12-2015 04:39 PM - edited ‎09-16-2022 02:18 AM

Hi,

 

I have recently setup hive and impala with LDAP authentication and am now implementing sentry for role authorization. So far I have successfully setup sentry as a service for hive, however, I am unable to get the same results with impala. I have added the users in ldap to a user group which has "grant all on server server1". I know that these permissions work because they work correctly in hive (perhaps they differ in impala?).

 

This is the following error that I receive after logging into the impala-shell once authenticating.

"ERROR: AuthorizationException: User 'xxxx' does not have privileges to access: default.*"

 

Now my guess is that this has something to do with sentry and not ldap integration since impala works fine once I disable the sentry dependancy. What I cannot find is where to declare the sentry server for impala to point to for permissions.  The link listed below mentions a setting in the "/etc/default/impala" file (I cannot find this file). I believe that this is the root cause for my authorization issues sense the error appears after authenticating and impala seems to have no way of understanding where to locate my permission list.

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho...

 

Thanks

7,124 Views
0 Kudos
1
4 REPLIES 4

avatar
author-rank Darren author-rank
Guru

Created ‎01-12-2015 05:09 PM

Hi Jy,

Did you set Impala's dependency on Sentry? You need to set the dependency on Sentry in both the Hive service and the Impala service.

Thanks,
Darren
6,995 Views
0 Kudos

avatar
author-rank Jy
Contributor

Created ‎01-13-2015 08:10 AM

Correct, I did. I believe that sentry is working correctly it is just that impala does not know where the sentry server is. In no steps did I point impala at the sentry server.

 

Thanks

6,992 Views
0 Kudos

avatar
author-rank Jy
Contributor

Created ‎01-13-2015 09:28 AM

Looking at the the guide from http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho... I am unable to find the following see below.

 

In an environment managed by Cloudera Manager, the server name is specified through Impala > Service-Wide > Advanced > Server Name for Sentry Authorization.

 

I found this setting in hive but not in impala.

6,989 Views
0 Kudos

avatar
author-rank Catherine
Explorer

Created ‎01-28-2015 09:33 AM

Did you get this working? I was facing the same issue and I get it working by removing the configuration documeted in the Sentry setup:

Configuring Impala as a Client for the Sentry Service
Set the following configuration properties in sentry-site.xml.
<property>
<name>sentry.service.client.server.rpc-port</name>
<value>3893</value>
</property>
<property>
<name>sentry.service.client.server.rpc-address</name>
<value>hostname</value>
</property>
<property>
<name>sentry.service.client.server.rpc-connection-timeout</name>
<value>200000</value>
</property>
<property>
<name>sentry.service.security.mode</name>
<value>none</value>
</property>

 
6,949 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements