Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Impala with sentry

avatar
author-rank Jy
Contributor

Created on ‎01-12-2015 04:39 PM - edited ‎09-16-2022 02:18 AM

Hi,

 

I have recently setup hive and impala with LDAP authentication and am now implementing sentry for role authorization. So far I have successfully setup sentry as a service for hive, however, I am unable to get the same results with impala. I have added the users in ldap to a user group which has "grant all on server server1". I know that these permissions work because they work correctly in hive (perhaps they differ in impala?).

 

This is the following error that I receive after logging into the impala-shell once authenticating.

"ERROR: AuthorizationException: User 'xxxx' does not have privileges to access: default.*"

 

Now my guess is that this has something to do with sentry and not ldap integration since impala works fine once I disable the sentry dependancy. What I cannot find is where to declare the sentry server for impala to point to for permissions.  The link listed below mentions a setting in the "/etc/default/impala" file (I cannot find this file). I believe that this is the root cause for my authorization issues sense the error appears after authenticating and impala seems to have no way of understanding where to locate my permission list.

 

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho...

 

Thanks

7,519 Views
0 Kudos
1
4 REPLIES 4

avatar
author-rank Darren author-rank
Guru

Created ‎01-12-2015 05:09 PM

Hi Jy,

Did you set Impala's dependency on Sentry? You need to set the dependency on Sentry in both the Hive service and the Impala service.

Thanks,
Darren
7,373 Views
0 Kudos

avatar
author-rank Jy
Contributor

Created ‎01-13-2015 08:10 AM

Correct, I did. I believe that sentry is working correctly it is just that impala does not know where the sentry server is. In no steps did I point impala at the sentry server.

 

Thanks

7,370 Views
0 Kudos

avatar
author-rank Jy
Contributor

Created ‎01-13-2015 09:28 AM

Looking at the the guide from http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_autho... I am unable to find the following see below.

 

In an environment managed by Cloudera Manager, the server name is specified through Impala > Service-Wide > Advanced > Server Name for Sentry Authorization.

 

I found this setting in hive but not in impala.

7,367 Views
0 Kudos

avatar
author-rank Catherine
Explorer

Created ‎01-28-2015 09:33 AM

Did you get this working? I was facing the same issue and I get it working by removing the configuration documeted in the Sentry setup:

Configuring Impala as a Client for the Sentry Service
Set the following configuration properties in sentry-site.xml.
<property>
<name>sentry.service.client.server.rpc-port</name>
<value>3893</value>
</property>
<property>
<name>sentry.service.client.server.rpc-address</name>
<value>hostname</value>
</property>
<property>
<name>sentry.service.client.server.rpc-connection-timeout</name>
<value>200000</value>
</property>
<property>
<name>sentry.service.security.mode</name>
<value>none</value>
</property>

 
7,327 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements