Support Questions

jjiang · ‎06-24-2017

hi, i actually met an issue when configure sentry with hive.

basically if i configure hue security with desktop.auth.backend.AllowFirstUserDjangoBackend, and use a local user to query hive, it would be succesful to query the right database.

but if i configure hue with AD server, and use an AD user to logon hue, it would not load any database that the user was supposed to have privileges on.

the AD user looks have more gourps:

[root@ ~]# id jjiang
uid=16777217(jjiang) gid=16777216(domain users) groups=16777216(domain users),502(db_admin),16777225,16777217(apacsysadmin),16777218(apac),16777226,16777239(apac_connectivity),16777227,16777219(itsystems),16777220(apac_it),16777228,16777247(apac_marketing_services),16777229,16777221(nantong office),16777230,16777222(ap_all_okta_users),16777223(okta_o365_users),16777224(ap-fp-general-users),16777231(ap_slack_itops)

is it a problem with so many groups? the actual group i granted permission is db_admin.

jjiang · ‎06-27-2017

this is sloved with building up with a new AD. the problem was some goup id cant be resolved.

View solution in original post

jjiang · ‎06-24-2017

i just noticed the error from sentry log:

2017-06-23 12:57:19,513 WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: unable to return groups for user jjiang
PartialGroupNameException can't execute the shell command to get the list of group id for user 'jjiang'
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.resolvePartialGroupNames(ShellBasedUnixGroupsMapping.java:228)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:133)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:72)
at org.apache.hadoop.security.Groups$GroupCacheLoader.fetchGroupList(Groups.java:356)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:299)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:257)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3969)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4829)
at org.apache.hadoop.security.Groups.getGroups(Groups.java:215)
at org.apache.sentry.provider.common.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:60)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.getGroupsFromUserName(SentryPolicyStoreProcessor.java:717)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.getRequestorGroups(SentryPolicyStoreProcessor.java:684)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.list_sentry_roles_by_group(SentryPolicyStoreProcessor.java:552)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1017)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1002)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: PartialGroupNameException Number of group names and ids do not match.

could anyone help ?

jjiang · ‎06-27-2017

this is sloved with building up with a new AD. the problem was some goup id cant be resolved.

JoaoBarreto · ‎12-22-2017

Hi there.

I have the same problem but I didn't understand the solution. What did you do? Sorry but I'm a little desperate here... 😞

jjiang · ‎12-25-2017

i built up a brand new AD environment instead of using the old one. the actual problem was it cant be resolved with group id for users.

JoaoBarreto · ‎12-27-2017

I can't actually do that, cause the AD comes from a major company... and it's managed by them. 😞

Thanks for the reply!

Cloudera Community

Support Questions

sentry doesnt work based on AD

kafka-sentry -lr not working

How to make CN=Configuration branch visible in AD

Getting error while adding sentry service

Working with Beeline

Can CDH5.3 Sentry work without Kerberos?

kafka-sentry command is not working

Working with airbnb's Superset

Configuring Ranger Usersync with AD/LDAP for a com...

Adding new columns to an already partitioned Hive ...

Working with CDE Files Resources