Reply
Highlighted
Contributor
Posts: 90
Registered: ‎11-12-2015

AuthorizationException: Can´t gant roles to a user in HUE

[ Edited ]

Hello,

 

I'm installing a new Cloudera 6.2 Cluster and I used to use The sentry policy file for creating roles, groups and users. Now I'm trying to migrate that to the sentry service configuration. But I'm stuck in this issue, and I think I missed a step.

 

This is what I did:

  1. Enable the sentry service in Hive and Impala.
  2. Enable Sentry Synchronization in HDFS.
  3. Create an admin user (in my case I used the impala user).
  4. Create a test group (group_testdb_admin) in the "Manage user" section in HUE.
  5. Create a test role (testdb_admin_role) in the security section. (server=server1  db=testdb  action=ALL)
  6. Assing the role to the group.
  7. Create a testuser1 and assigned the group that I just created to the user.

 

I can confirm that Sentry is Synchronized with HDFS:

 

sudo -u hdfs hdfs dfs -getfacl /user/hive/warehouse/testdb.db
group:group_testdb_admin:rwx

 

Also, the roles and groups are created

 

SHOW ROLE GRANT GROUP group_testdb_admin;
testdb_admin_role

 

But here is my problem. When I login as testuser1 and try to access the testdb database I get an AuthorizationException

 

show tables in testdb;
AuthorizationException: User 'usertest1' does not have privileges to access: testdb.*.*

 

 

Considerations:

- I'm not using a Kerberized Cluster.

- I didn't create the user in the local FS.

 

So, what step I'm missing?.

 

Regards,

 

Silva

 

 

 

 

Cloudera Employee
Posts: 760
Registered: ‎03-23-2015

Re: AuthorizationException: Can´t gant roles to a user in HUE

Hi Silva,

For sentry to work properly, you will need to have your cluster kerberized, you need to have authentication before authorization.

Also, you will need users both in local FS as well as in HDFS, as sentry will use the user on the host to do group mapping and match with the role.

Cheers
Eric