Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Zeppelin Hive interpreter problem with permissions

Zeppelin Hive interpreter problem with permissions

Expert Contributor

Hi,

I am using Zeppelin 0.7.1 configured AD authentication and HDP 2.5 with Kerberos. When I simply run "show databases" as "user1" I got error: "Permission denied: user [user1@MYDOMAIN.COM] does not have [USE] [...]". On my other cluster with the same configuration "user1" is treated as "user1" (without @MYDOMAIN.COM) so my policies are working good. Any ideas what could be the reason?

@EDIT

I have also noticed that hive interpreter is logging to separate log file on working cluster, while the cluster with not working Hive interpreter is logging to main Zeppelin log file (where authentication is logged etc.).

5 REPLIES 5

Re: Zeppelin Hive interpreter problem with permissions

@Edgar Daeds

It is likely you are logging into Zeppelin as user1@MYDOMAIN.COM but the access to databases are for user1. If that is the case you would need to reconfigure your shiro_ini to enable you getting authenticated to Zeppelin as user1 WITHOUT the domain. The following property would do that for you:

activeDirectoryRealm.principalSuffix = @mydomain.com

I hope this helps.

Re: Zeppelin Hive interpreter problem with permissions

Expert Contributor

@Daniel Kozlowski

Thank you for answer. Exactly, I am logging in as user1@MYDOMAIN.COM. However when I set

activeDirectoryRealm.principalSuffix = @MYDOMAIN.COM

I cant log in using user1, or even user1@MYDOMAIN.COM (ldap error 49, 52e). When I delete above parameter I can log in using @MYDOMAIN.COM upper, lower or mixed cases.

Re: Zeppelin Hive interpreter problem with permissions

@Edgar Daeds

ldap error 49, 52e - it is your systemUsername and systemPassword are incorrect. Basically, including the above parameter you need to provide systemUsername WITHOUT domain name.

Highlighted

Re: Zeppelin Hive interpreter problem with permissions

Expert Contributor

@Daniel Kozlowski

Still not working. I workaround this by setting local system authentication (which is SSSD). Now I can log in using just username without domain

Thanks

Re: Zeppelin Hive interpreter problem with permissions

@Edgar Daeds

Thanks for the information. It is good to hear you have got this working.

Don't have an account?
Coming from Hortonworks? Activate your account here