Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Zeppelin Hive interpreter problem with permissions

Labels:
frank93
Expert Contributor

Created ‎07-10-2017 12:53 PM

Hi,

I am using Zeppelin 0.7.1 configured AD authentication and HDP 2.5 with Kerberos. When I simply run "show databases" as "user1" I got error: "Permission denied: user [user1@MYDOMAIN.COM] does not have [USE] [...]". On my other cluster with the same configuration "user1" is treated as "user1" (without @MYDOMAIN.COM) so my policies are working good. Any ideas what could be the reason?

@EDIT

I have also noticed that hive interpreter is logging to separate log file on working cluster, while the cluster with not working Hive interpreter is logging to main Zeppelin log file (where authentication is logged etc.).

2,183 Views
0 Kudos
5 REPLIES 5

dkozlowski
Guru

Created ‎07-12-2017 03:23 PM

@Edgar Daeds

It is likely you are logging into Zeppelin as user1@MYDOMAIN.COM but the access to databases are for user1. If that is the case you would need to reconfigure your shiro_ini to enable you getting authenticated to Zeppelin as user1 WITHOUT the domain. The following property would do that for you:

activeDirectoryRealm.principalSuffix = @mydomain.com

I hope this helps.

1,788 Views
0 Kudos

frank93
Expert Contributor

Created ‎07-13-2017 05:37 AM

@Daniel Kozlowski

Thank you for answer. Exactly, I am logging in as user1@MYDOMAIN.COM. However when I set 

activeDirectoryRealm.principalSuffix = @MYDOMAIN.COM

I cant log in using user1, or even user1@MYDOMAIN.COM (ldap error 49, 52e). When I delete above parameter I can log in using @MYDOMAIN.COM upper, lower or mixed cases.

1,788 Views
0 Kudos

dkozlowski
Guru

Created ‎07-13-2017 06:52 AM

@Edgar Daeds

ldap error 49, 52e - it is your systemUsername and systemPassword are incorrect. Basically, including the above parameter you need to provide systemUsername WITHOUT domain name.

1,788 Views
0 Kudos

frank93
Expert Contributor

Created ‎07-14-2017 12:32 PM

@Daniel Kozlowski

Still not working. I workaround this by setting local system authentication (which is SSSD). Now I can log in using just username without domain

Thanks

1,788 Views
0 Kudos

dkozlowski
Guru

Created ‎07-14-2017 12:38 PM

@Edgar Daeds

Thanks for the information. It is good to hear you have got this working.

1,788 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Community Announcements
March 2023 Community Highlights
What's New @ Cloudera
Cloudera DataFlow Designer for self-service data flow development is now generally available to all CDP Public Cloud customers
What's New @ Cloudera
Cloudera Operational Database (COD) UI provides the JWT configuration details to connect to your HBase client
What's New @ Cloudera
Cloudera Operational Database (COD) UI allows storage type selection when creating an operational database
What's New @ Cloudera
Release of Cloudera Streaming Analytics (CSA) 1.9.0 for CDP 7.1.7 SP2 & CDP 7.1.8
View More Announcements