HUE with IMPALA with LDAP, SENTRY enabled

Contributor

Environment CDH 5.12, OPEN LDAP

We've enabled LDAP auth on Impala and it's working fine except in HUE. When I try to launch the HUE/Impala Editor it fails with this error in the GUI.

We have configured the safety valve in HUE with this.

[desktop]
ldap_username=ldaptest
ldap_password=ldaptest

I'm logging into HUE as user cloudera (FYI: we don't have LDAP enabled on HUE; cloudera is just a user managed within HUE).

User 'ldaptest' is not authorized to delegate to 'cloudera'.

Bad status for request TOpenSessionReq(username='hue', password=None, client_protocol=6, configuration={'idle_session_timeout': '3600', 'impala.doas.user': u'cloudera'}): TOpenSessionResp(status=TStatus(errorCode=None, errorMessage="User 'ldaptest' is not authorized to delegate to 'cloudera'.\n", sqlState='HY000', infoMessages=None, statusCode=3), sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x06\xd1\xc8\xe5\xd2\xc1Ck\xbd\xc7\xc5\xdb\xc5\x12\xdb\x8b', guid='*QiZ\xb0\xc7H\x0f\x8c5\xec\x14\xdf*7H')), configuration=None, serverProtocolVersion=5)

How can I enable user ldaptest to be able to delegate to cloudera?
1 ACCEPTED SOLUTION

Contributor

Actually I figured it out. I had to configure Impala to allow user ldaptest to impersonate user cloudera (hue login).

I appended this to the Cloudera Manager property Proxy User Configuration (authorized_proxy_user_config)

hue=*;ldaptest=cloudera

So user hue can impersonate anyone and user 'ldaptest' can impersonate 'cloudera'.


Master Collaborator

@sunilosunil Are you using Cloudera Manager:

Authentication Backend desktop.auth.backend.LdapBackend
LDAP URL ldap://your_ldap_url
LDAP Search Base
LDAP Bind User
LDAP Bind Password
LDAP User Filter
LDAP Username Attribute
LDAP Group Filter
LDAP Group Name Attribute
LDAP Group Membership Attribute
Active Directory Domain

You need your system admin to create a user for you in LDAP and provide you with these parameters.

Then you can just restart the Hue service.

New Contributor

Where exactly was this entry made? I am facing the same issue even after making the entry Proxy User Configuration authorized_proxy_user_config under Impala service wide.

Master Guru

@Telematics,

In Cloudera Manager, edit Proxy User Configuration

What did you enter in the field?

It should look like this, for example:

joe=alice,bob;hue=*;admin=*

See the Description of Proxy User Configuration in Cloudera Manager (click the question mark next to the property).

 

-Ben
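
A small model of the check behind the error in this thread, added here as an example (it is not Impala's or Cloudera's code): it parses the authorized_proxy_user_config format shown in the replies, tests whether the authenticated account (ldaptest) may delegate to the Hue login (cloudera), and lists the accounts that hold a `*` entry. The function names, the `BEFORE` value and exact matching of short user names are assumptions.

```python
# Added example: a simplified model of the proxy-user check, not Impala's own code.

def parse_proxy_config(value):
    """Parse 'joe=alice,bob;hue=*;admin=*' into {proxy_user: {delegates}}."""
    rules = {}
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing ';'
        proxy, sep, targets = entry.partition("=")
        names = {t.strip() for t in targets.split(",") if t.strip()}
        if not sep or not proxy.strip() or not names:
            raise ValueError(f"malformed entry: {entry!r}")
        rules.setdefault(proxy.strip(), set()).update(names)
    return rules


def can_delegate(rules, connected_user, doas_user):
    """True if connected_user may act on behalf of doas_user."""
    targets = rules.get(connected_user, set())
    return "*" in targets or doas_user in targets


def wildcard_proxies(rules):
    """Accounts allowed to impersonate any user; these deserve review."""
    return sorted(user for user, targets in rules.items() if "*" in targets)


def check_session(config_value, connected_user, doas_user):
    """Return 'OK' or the error text in the form quoted in the question."""
    rules = parse_proxy_config(config_value)
    if can_delegate(rules, connected_user, doas_user):
        return "OK"
    return (f"User '{connected_user}' is not authorized to delegate "
            f"to '{doas_user}'.")


# Constructed inputs: BEFORE is an assumed starting value, AFTER is the
# value from the accepted solution.
BEFORE = "hue=*"
AFTER = "hue=*;ldaptest=cloudera"

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", check_session(cfg, "ldaptest", "cloudera"))
    print("wildcard proxies:", wildcard_proxies(parse_proxy_config(AFTER)))
```

The error in the question names ldaptest, so the entry that matters is the one for the account Hue authenticates with; an entry such as `ldaptest=cloudera` grants only that one delegation, while each `*` entry covers every user.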