
Where to find passwords for autogenerated principals in kerberized cluster
Contributor

Hi,

 

I've enabled Kerberos on my CDH cluster using the existing Active Directory.

I've also created a new superuser as a substitute for the previous hdfs user.

 

The problem is that, since Cloudera automatically generated AD users for all services, I now don't know their passwords.

 

I need to know the passwords, because now I want to connect to impala-shell with one of those users (hive, actually) in order to use it to grant Sentry permissions to other users. The superuser I created previously cannot grant permissions.

 

Maybe I'm missing something, but which user should I use to grant permissions in Sentry to other users? Or how can I find the password or the keytab of the hive user, which I used to grant Sentry permissions to others before the cluster was kerberized? 


Re: Where to find passwords for autogenerated principals in kerberized cluster

Super Collaborator

First, you need to use a "sentry" superadmin.

 

By default, hive, impala and hue are considered superadmins, I think. But you can modify the configuration of Sentry to add a customised user to the superadmins.

The property to modify: sentry.service.admin.group


Re: Where to find passwords for autogenerated principals in kerberized cluster

Contributor

I have put superuser in sentry.service.admin.group along with the defaults. Still I get permission denied.

 

For example, first I do "kinit superuser" and then:

[user@hadoop-node ~]$ beeline -u "jdbc:hive2://hadoop-node.organization.net:10000/default;principal=hive/hadoop-node.organization.net@organization.NET"
scan complete in 2ms
Connecting to jdbc:hive2://hadoop-node.organization.net:10000/default;principal=hive/hadoop-node.organization.net@organization.NET
Connected to: Apache Hive (version 1.1.0-cdh5.10.0)
Driver: Hive JDBC (version 1.1.0-cdh5.10.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 1.1.0-cdh5.10.0 by Apache Hive
0: jdbc:hive2://hadoop-node.organization.> GRANT ALL ON SERVER server1 TO ROLE admin;
INFO  : Compiling command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629): GRANT ALL ON SERVER server1 TO ROLE admin
INFO  : Semantic Analysis Completed
INFO  : Returning Hive schema: Schema(fieldSchemas:null, properties:null)
INFO  : Completed compiling command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629); Time taken: 0.099 seconds
INFO  : Executing command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629): GRANT ALL ON SERVER server TO ROLE admin
INFO  : Starting task [Stage-0:DDL] in serial mode
ERROR : Error processing Sentry command: superuser has no grant!.Please grant admin privilege to superuser.
ERROR : FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: superuser has no grant!
INFO  : Completed executing command(queryId=hive_20170324135252_2b7ca8ce-76fe-4beb-ab8d-771df032e629); Time taken: 0.031 seconds
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: superuser has no grant! (state=08S01,code=1)
0: jdbc:hive2://hadoop-node.organization.>

 

or same with impala:

[user@hadoop-node ~]$ impala-shell -i impala.organization.net -l  -u superuser  --auth_creds_ok_in_clear
Starting Impala Shell using LDAP-based authentication
LDAP password for superuser:
Connected to impala.organization.net:21000
Server version: impalad version 2.7.0-cdh5.10.0 RELEASE (build 785a073cd07e2540d521ecebb8b38161ccbd2aa2)
***********************************************************************************
Welcome to the Impala shell.
(Impala Shell v2.7.0-cdh5.10.0 (785a073) built on Fri Jan 20 12:03:56 PST 2017)

When pretty-printing is disabled, you can use the '--output_delimiter' flag to set
the delimiter for fields in the same row. The default is ','.
***********************************************************************************
\nLDAP authentication is enabled, but the connection to Impala is not secured by TLS.
ALL PASSWORDS WILL BE SENT IN THE CLEAR TO IMPALA.

[impala.organization.net:21000] > GRANT ALL ON SERVER server1 TO ROLE admin;
Query: grant ALL ON SERVER server1 TO ROLE admin
Query submitted at: 2017-03-24 13:59:04 (Coordinator: http://hadoop-datanode02.organization.net:25000)
ERROR:
AuthorizationException: User 'superuser' does not have privileges to execute: GRANT_PRIVILEGE

[impala.organization.net:21000] >

Which user can I use to grant permissions in Sentry after enabling Kerberos?

 

Re: Where to find passwords for autogenerated principals in kerberized cluster

Contributor

I've managed to log in to beeline with the Hive user in the following way:

 

1. I changed the password of hive/hadoop-master01.domain.com@DOMAIN.COM in the Active Directory. (Now I know the password.)

2. Then I authenticated to Kerberos with kinit hive/hadoop-master01.domain.com@DOMAIN.COM (and obtained a ticket valid for some time).

3. After that I went to Cloudera Manager, stopped the Hive service and then regenerated the credentials for the Hive user (since I changed the password manually, Cloudera didn't know it anymore, so it regenerated the hive user in AD, which means it knows the password again, but I don't. However, this is fine as I already got a Kerberos keytab for this user).

4. Finally I log in to beeline like this:

 beeline -u "jdbc:hive2://hadoop-master01.domain.com:10000/default;principal=hive/hadoop-master01.domain.net@DOMAIN.NET;auth=kerberos"

and I am allowed to do this even though I don't know the password for it, since I have a valid Kerberos ticket for the hive user, which I obtained earlier when I knew the password, and before the user was regenerated by Cloudera Manager.

 

However, I still have a problem: I can now grant roles to groups in Sentry when I log in with the hive user; however, when I then log in with a user which is in a group that was granted permissions, the user doesn't actually have the granted permissions. I grant permissions to AD groups and then log in with a user which is in this AD group, but the user doesn't have the permissions that were granted to the group.
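Added example, not code from the thread or from Cloudera: a small set of bash helpers covering the sentry.service.admin.group property from the first reply and the password-reset workaround described in the post above. Instead of resetting the AD password of a Cloudera-Manager-managed principal (which forces a credential regeneration, as the post describes), it obtains a ticket from the role keytab the CM agent already keeps on the host, confirms with klist that the ticket cache holds the service principal, and only then opens beeline. Assumptions not stated on the page: the agent process directory layout /var/run/cloudera-scm-agent/process/<id>-hive-HIVESERVER2/hive.keytab (readable by root only, so the procedure is run as root on the HiveServer2 host), the host and realm names, and the sentry-site.xml sample, which is constructed. The group check is included because sentry.service.admin.group lists group names, and a user only counts as admin if Hadoop's group mapping on the Sentry server host resolves it into one of those groups; the same mapping is what Sentry consults when a role is granted to a group.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Helpers for two problems in this thread:
#  (a) is a given group actually listed in sentry.service.admin.group?
#  (b) get a ticket for a CM-managed principal from its keytab instead of
#      resetting its AD password, and verify the cache before running beeline.
# Assumed (not facts from the page): CM agents keep each running role's keytab
# under /var/run/cloudera-scm-agent/process/<id>-<service>-<ROLE>/ (root-only);
# all host, realm and file names below are invented placeholders.
set -u

# --- (a) Sentry admin group ------------------------------------------------

# Print the <value> of property $2 from a Hadoop-style *-site.xml file $1.
xml_property_value() {
  awk -v want="$2" '
    /<name>/  { n=$0; sub(/.*<name>/, "", n); sub(/<\/name>.*/, "", n) }
    /<value>/ { v=$0; sub(/.*<value>/, "", v); sub(/<\/value>.*/, "", v)
                if (n == want) { print v; exit } }
  ' "$1"
}

# Succeed if group $2 is one of the comma-separated groups in $1.
# The property names groups, not users: a user is a Sentry admin only if
# Hadoop group mapping on the Sentry server host puts it in one of them.
admin_group_listed() {
  xml_property_value "$1" sentry.service.admin.group | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx -- "$2"
}

# Constructed sample sentry-site.xml: the CM defaults plus one custom group.
SAMPLE_SENTRY_SITE=$(mktemp)
cat > "$SAMPLE_SENTRY_SITE" <<'EOF'
<configuration>
  <property>
    <name>sentry.service.admin.group</name>
    <value>hive,impala,hue,sentryadmins</value>
  </property>
</configuration>
EOF

# --- (b) keytab instead of password ---------------------------------------

# Print keytab $2 from the highest-numbered process dir of role $1
# (e.g. hive-HIVESERVER2); CM creates a new numbered dir on every restart.
find_role_keytab() {
  local role="$1" keytab="$2" base="${3:-/var/run/cloudera-scm-agent/process}"
  local best="" best_id=-1 dir id
  for dir in "$base"/*-"$role"; do
    [ -f "$dir/$keytab" ] || continue
    id=${dir##*/}; id=${id%%-*}
    case "$id" in ''|*[!0-9]*) continue ;; esac
    if [ "$id" -gt "$best_id" ]; then best_id=$id; best="$dir/$keytab"; fi
  done
  [ -n "$best" ] && printf '%s\n' "$best"
}

# Read `klist` output on stdin; print the default principal (empty if none).
cache_principal() {
  sed -n 's/^Default principal:[[:space:]]*//p' | head -n 1
}

# JDBC URL for Kerberized HiveServer2 on host $1 in realm $2 (db $3 or "default").
beeline_url() {
  printf 'jdbc:hive2://%s:10000/%s;principal=hive/%s@%s;auth=kerberos\n' \
    "$1" "${3:-default}" "$1" "$2"
}

# The whole procedure; run as root on the HiveServer2 host. Not run on load.
hive_admin_shell() {
  local host="$1" realm="$2" kt principal
  kt=$(find_role_keytab hive-HIVESERVER2 hive.keytab) \
    || { echo "no readable hive keytab found" >&2; return 1; }
  principal="hive/$host@$realm"
  # Private cache so the running service's own ticket cache is untouched.
  export KRB5CCNAME="FILE:/tmp/krb5cc_hive_admin_$$"
  kinit -kt "$kt" "$principal" || return 1
  # Refuse to grant anything unless the cache really holds the hive principal.
  [ "$(klist | cache_principal)" = "$principal" ] \
    || { echo "ticket cache does not hold $principal" >&2; return 1; }
  beeline -u "$(beeline_url "$host" "$realm")"
}

# For the "granted to the group, but the user has nothing" case: Sentry only
# sees the groups Hadoop's mapping returns, so the AD group must appear here.
user_groups_seen_by_hadoop() { hdfs groups "$1"; }
```

Usage: `hive_admin_shell hadoop-master01.domain.com DOMAIN.COM` as root on the HiveServer2 host drops you into beeline as hive/<host>@<realm> without touching the AD password; `admin_group_listed /etc/sentry/conf/sentry-site.xml mygroup` and `user_groups_seen_by_hadoop someuser` (run on the Sentry server host) show whether a group is an admin group and whether Hadoop resolves a user into it. Note that the keytab route requires root on the node, which is exactly the trust boundary Kerberos is enforcing; it is not a way around it.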