Reply
Contributor
Posts: 31
Registered: ‎06-26-2015
Accepted Solution

Hue Impala query run user with kerberos?

Hello

Why does Hue run Impala query as 'hue/master1@MY-REALM' instead my username 'ben'?

 

I get this error (even i'm logged-in as 'ben' user)

 

Your query has the following error(s):

Request from user 'hue/master1@MY-REALM' with requested pool 'it' denied access to assigned pool 'root.it'

 

Previous to Cloudera 5.7 i think Cloudera had llama service and ran Impala query as 'llama' user. Now with Cloudera 5.7 I could have Impala without llama and have it's own Dynamic Resource Management. but problem is Hue runs query as hue/master1... user instead of my username.

 

Similar thing happens to Hive. Hive runs hive query as 'hive' user instead of my username. I found it pretty annoying..

 

Does anyone has better idea to this?

Ben

Cloudera Employee
Posts: 723
Registered: ‎07-30-2013

Re: Hue Impala query run user with kerberos?

Is impersonation turned on on the Hue side and Impala side?

For hue
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L867
Contributor
Posts: 31
Registered: ‎06-26-2015

Re: Hue Impala query run user with kerberos?

 

I added this configuration to Hue Server

[impala]
impersonation_enabled=True

 

 

Now i get this error

User 'hue/master1@MYREALM.COM' is not authorized to delegate to 'ben'. User delegation is disabled.

Cloudera Employee
Posts: 723
Registered: ‎07-30-2013

Re: Hue Impala query run user with kerberos?

Do you have impersonation ON on the the Impala side?

https://groups.google.com/a/cloudera.org/forum/#!topic/hue-user/RNbjg2v7Zcc
Contributor
Posts: 31
Registered: ‎06-26-2015

Re: Hue Impala query run user with kerberos?

I have had authorized_proxy_user_config=hue=* configuration on CM, but for some reason it wasn't being populated on impalad configuration.

 

after reading the post you provided me, instead of manually adding it to "advanced snippet", I enabled Sentry Authorization on Impala. Now the configuration appears on the impalad, and impersonation works fine.

 

Thank you for your help Romain

Ben