The application won't work without a running HiveServer2 and Access denied erors after enabling LDAP

Cloudera Express 5.9.3

Hue 3.11

Sentry is enabled, admin groups are added to Admin Groups and admin users are added into Allowed Connecting Users in the Setry configuration.


SSSD is enabled on the servers, this means that users exist only in LDAP, but can log in into OS using their LDAP credentials. Admin users accounts exist in servers OS and match admin users accounts made in LDAP (and also match admin users accounts in Hue).

System account such as hue, hive, cloudera-scm etc aslo made in LDAP.


After enabling LDAP for Hue adn Hive I recieve errors

Potential misconfiguration detected. Fix and restart Hue.


The application won't work without a running HiveServer2.

When trying to enter Security - Hive tables an error Access denied to user occure.


Query Editors- Hive Bad status: 3 (PLAIN auth failed: LDAP Authentication failed for user) (code THRIFTTRANSPORT): TTransportException('Bad status: 3 (PLAIN auth failed: LDAP Authentication failed for user)',)


Hive log:

org.apache.thrift.transport.TTransportException: PLAIN auth failed: LDAP Authentication failed for user



I have tried all the advices, posted here, nothing helped.


Long journey, so I hope this does the trick.

While not exposed in Cloudera Manager, you can identify an alternative userid attribute.  By default, for posix objecdts, the default is memberUid (which won't work for you unless memberUid contains the numeric id).


Try this:


- In Cloudera Manager, navigate to:


Clusters --> HDFS --> Configuration


- Search for:


Cluster-wide Advanced Configuration Snippet (Safety Valve) for core-site.xml


- Add the following:


Value: uid


- Save

- Restart the cluster (so the servers can detect the new settings)




As you observed, by default HDFS assumes that the memberUid attribute will have a value of the uidNumber of the user account.  The configuration I mentioned above lets you adjust this so that rather than searching for "memberUid=1004" the search will contain "uid=maslova"


You can find more information here:


This is the description:
"The attribute of posixAccount to use when groups for membership. Mostly useful for schemas wherein groups have memberUids that use an attribute other than uidNumber."


As you can see, the configuration for hdfs meets the needs of your situation.





Sorry for the mistake... I meant that now with the suggested change, the resulting group lookup filter will be:




This is because the property tells ldapgroupmapping which user attribute to use to obtain the value for group lookup.  In your LDAP config that is "uid"


If you want Hue to authenticate to Hive via LDAP, you need to make sure you have configured the username and password of an LDAP user hue can use for auth:






The above assumes you have a user named "hue" in your ldap server who can authenticate.

You would add this to Hue Service Advanced Configuration Snippet (Safety Valve) for hue_safety_valve.ini


If you want to use kerberos for Hue to authenticate, then do the following:




In CM > Hive > Configuration > Advanced > Hive Client Advanced Configuration Snippet (Safety Valve) for hive-site.xml


Name: hive.server2.authentication
Value: kerberos







Restart Hue Service


Reason:  Hue picks up its Hive authentication method from the hive-site.xml that is emitted.  If you enable LDAP authentication in Hive, the hive.server2.authentication becomes LDAP which Hue will then try to use.  To tell Hue to use kerberos, you can use the above technique.



Thank you for the answer. The application won't work without a running HiveServer2 error disappeared and Hive Query Editor doesn't show any mistakes.


But Sentry still gives Access denied to admin despite the fact that the user admin in in admin group everywhere: LDAP, Hue, OS

It seems that Sentry does not get the correct group for the user from LDAP.


DEBUG doGetGroups(maslova) return [llord]


ERROR org.apache.sentry.provider.db.generic.service.thrift.SentryGenericPolicyProcessor: Access denied to maslova


LDAP groups:



dn: cn=admins,ou=Groups,dc=dom

objectClass: top

objectClass: posixGroup

cn: admins

gidNumber: 1500

memberUid: llord

memberUid: lmaslova

memberUid: maslova


dn: cn=llord,ou=Groups,dc=dom

objectClass: top

objectClass: posixGroup

cn: llord

gidNumber: 1050

memberUid: llord


Why does it happen?


The other part of log looks like this



Also users, which do not have privileges in Security-Hive tables for some hive tabels can select data. There are no error messages in logs about it.

Hi @Paulina,


Sentry will use OS group lookup to resolve group membership.  Are you using OS level configuration that maps to LDAP users?  Also, being an Admin does not grant any access to servers; rather, it gives grant privlige.


What we really need to do is clearly define what you have configured in terms of grants and user/group membership so we can start to clarify what you expect to have happen and what is actually happening.


- is the grants you have made that you perceive are not having the desired effect

- the result of "id -Gn <user>"

- groups that are listed as Sentry Admin Groups

- test results with beeline (to remove the level of abstraction introduced by Hue).



1. Sentry does not take the correct groups for admin user from LDAP.

LDAP is used everywhere across Hadoop.


Hue -> Configuration


Authentication Backend - desktop.auth.backend.LdapBackend
LDAP URL ldaps://sspeapp01v.sec.oteco
LDAP Search Base dc=sec,dc=oteco
LDAP Bind User Distinguished Name cn=admin,dc=sec,dc=oteco
LDAP Bind Password xxxxxx
LDAP User Filter (objectClass=posixAccount)
LDAP Username Attribute uid
LDAP Group Filter (objectClass=posixGroup)
LDAP Group Name Attribute cn
LDAP Group Membership Attribute memberUid
Use Search Bind Authentication true
LDAP Server CA Certificate also set


Sentry admin groups: hive, impala, hue, solr, admins
Allowed Connecting Users: hive, impala, hue, hdfs, solr, kafka, maslova


id -Gn maslova maslova wheel


dn: cn=admins,ou=Groups,dc=dom
objectClass: top
objectClass: posixGroup
cn: admins
gidNumber: 1051


memberUid: maslova

dn: uid=maslova,ou=users,dc=sec,dc=oteco
objectClass: shadowAccount
objectClass: top
objectClass: posixAccount
objectClass: account
cn: maslova
gidNumber: 1004
homeDirectory: /home/maslova
uid: maslova
uidNumber: 1004
loginShell: /bin/bash
shadowLastChange: 17730
shadowMax: 99999
shadowMin: 0
shadowWarning: 7
userPassword:: e01ENX1JQ3k1WXF4WkIxdVdTd2NWTFNOTGNBPT0=

While searching user in LDAP Sentry return group polymatica


dn: cn=polymatica,ou=groups,dc=sec,dc=oteco
objectClass: top
objectClass: posixGroup
cn: polymatica
gidNumber: 1001
memberUid: polymatica


No group polymatica in OS



2. After recreating grants in Sentry the behavior has changed, but still the grants are not having the desired effect. Also external database disappeared.

The path for external database is /user/maslova/


Grants made

Role admins, group admins, server=server1  action=ALL


create table T1; create table T2;


Error while compiling statement: FAILED: SemanticException No valid privileges User maslova does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select;Server=server1->Db=*->Table=+->Column=*->action=insert;


From beeline


create table T1 (i int);
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User maslova does not have privileges for CREATETABLE
 The required privileges: Server=server1->Db=default->action=*; (state=42000,code=40000)

When you say that you are using LDAP everywhere, does that include LDAP group mapping for HDFS.  I wasn't clear on that.

The reason I ask is that the issue described has nothing to do with Hue at all; rather, this is a matter of Hue attempting to map access based on a defined role that is mapped to a group that includes one or more users.




beeline attempts to create a table as user maslova




HiveServer2 verifies this action is allowed by evaluating the desired action via Sentry




Sentry will attempt to see if maslova is a member of an OS group that is a member of a role that is granted the necessary access.  When you ran id -Gn we see the result was:


maslova maslova wheel


However, you granted access to the "admins" role, but maslova is not a member of "admins" group that is mapped to the admins role.




Make sure that you have set maslova to be a member of a group that is mapped to the role granted all access to "server1".


Also, verify your HDFS level group mapping by checking what value is set in your HDFS Hadoop User Group Mapping Implementation configuration.  Sentry will use the OS mapping by default (ShellBasedUnixGroupsMapping).




Thank you for the detailed response.


LDAP group mapping for HDFS is turned on.


Hadoop User Group Mapping Implementation




Enable Access Control Lists true

Enable Sentry Synchronization true

Sentry Synchronization Path Prefixes     /user/hive/warehouse, /user/maslova (external database)


Should group admins be set in OS if LDAP is used on HDFS?

We use SSSD and it is hard to create the same users in OS as we have in LDAP.

We have made OS group admins on all hadoop hosts and included user maslova into it.


id -Gn maslova
maslova wheel admins


But this action had no effect.