Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

sentry doesnt work based on AD

Solved Go to solution
Highlighted

sentry doesnt work based on AD

Contributor

 hi, i actually met an issue when configure sentry with hive.

 

basically if i configure hue security with desktop.auth.backend.AllowFirstUserDjangoBackend, and use a local user to query hive, it would be succesful to query the right database.

 

but if i configure hue with AD server, and use an AD user to logon hue, it would not load any database that the user was supposed to have privileges on.

the AD user looks have more gourps: 

 

[root@ ~]# id jjiang
uid=16777217(jjiang) gid=16777216(domain users) groups=16777216(domain users),502(db_admin),16777225,16777217(apacsysadmin),16777218(apac),16777226,16777239(apac_connectivity),16777227,16777219(itsystems),16777220(apac_it),16777228,16777247(apac_marketing_services),16777229,16777221(nantong office),16777230,16777222(ap_all_okta_users),16777223(okta_o365_users),16777224(ap-fp-general-users),16777231(ap_slack_itops)

 

is it a problem with so many groups? the actual group i granted permission is db_admin. 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: sentry doesnt work based on AD

Contributor

this is sloved with building up with a new AD. the problem was some goup id cant be resolved.

View solution in original post

5 REPLIES 5
Highlighted

Re: sentry doesnt work based on AD

Contributor

i just noticed the error from sentry log:

 


2017-06-23 12:57:19,513 WARN org.apache.hadoop.security.ShellBasedUnixGroupsMapping: unable to return groups for user jjiang
PartialGroupNameException can't execute the shell command to get the list of group id for user 'jjiang'
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.resolvePartialGroupNames(ShellBasedUnixGroupsMapping.java:228)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getUnixGroups(ShellBasedUnixGroupsMapping.java:133)
at org.apache.hadoop.security.ShellBasedUnixGroupsMapping.getGroups(ShellBasedUnixGroupsMapping.java:72)
at org.apache.hadoop.security.Groups$GroupCacheLoader.fetchGroupList(Groups.java:356)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:299)
at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:257)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228)
at com.google.common.cache.LocalCache.get(LocalCache.java:3965)
at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3969)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4829)
at org.apache.hadoop.security.Groups.getGroups(Groups.java:215)
at org.apache.sentry.provider.common.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:60)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.getGroupsFromUserName(SentryPolicyStoreProcessor.java:717)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.getRequestorGroups(SentryPolicyStoreProcessor.java:684)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.list_sentry_roles_by_group(SentryPolicyStoreProcessor.java:552)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1017)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1002)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: PartialGroupNameException Number of group names and ids do not match. 

 

could anyone help ?

Highlighted

Re: sentry doesnt work based on AD

Contributor

this is sloved with building up with a new AD. the problem was some goup id cant be resolved.

View solution in original post

Highlighted

Re: sentry doesnt work based on AD

Explorer

Hi there.

 

I have the same problem but I didn't understand the solution. What did you do? Sorry but I'm a little desperate here... :(

Highlighted

Re: sentry doesnt work based on AD

Contributor

i built up a brand new AD environment instead of using the old one. the actual problem was it cant be resolved with group id for users.

Highlighted

Re: sentry doesnt work based on AD

Explorer
I can't actually do that, cause the AD comes from a major company... and it's managed by them. :(

Thanks for the reply!
Don't have an account?
Coming from Hortonworks? Activate your account here