Sentry on HUE but not on impala or hive CLI

My goal is to enable Sentry on HUE only, to protect some databases via Hive and Impala.
But both Impala/Hive CLI should not be impacted.
CLI tools are isolated to an edge node and can only be directly accessed via ssh sessions by a select set of users.

LDAP and Kerberos not enabled on HUE (maybe later?)

versions
Cloudera Express 5.4.7
Hue™ 3.7.0

Sentry installed correctly and running on same server as HUE

Hive and Impala do NOT have sentry enabled


admin groups and allowed connecting users
hive, impala, hue, hdfs and 1 custom service account
all other settings are default

HUE is configured through CM
Sentry service checked - no snippet invoked
Authentication Backend = desktop.auth.backend.AllowFirstUserDjangoBackend
create_users_on_login checked
no LDAP settings, not kerberized

Synced user and now have the Hue user and promoted account to be admin

When I try to add a policy I get the following:

Sentry Log

2017-03-29 17:37:25,030 ERROR org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor: Access denied to Hue
org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to Hue
	at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.list_sentry_roles_by_group(SentryPolicyStoreProcessor.java:450)
	at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:953)
	at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:938)
	at sentry.org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
	at sentry.org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
	at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:48)
	at sentry.org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
	at sentry.org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
2017-03-29 17:38:56,565 ERROR org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor: Access denied to Hue
org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to Hue
	at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.authorize(SentryPolicyStoreProcessor.java:205)
	at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.create_sentry_role(SentryPolicyStoreProcessor.java:215)
	at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$create_sentry_role.getResult(SentryPolicyService.java:833)
	at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$create_sentry_role.getResult(SentryPolicyService.java:818)
	at sentry.org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
	at sentry.org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
	at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:48)
	at sentry.org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
	at sentry.org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)

HUE Error log

ERROR    could not retrieve roles
[29/Mar/2017 10:38:56 -0700] hive         ERROR    could not create role
Traceback (most recent call last):
  File "/opt/cloudera/parcels/CDH-5.4.10-1.cdh5.4.10.p0.16/lib/hue/apps/security/src/security/api/hive.py", line 156, in create_role
    api.create_sentry_role(role['name'])
  File "/opt/cloudera/parcels/CDH-5.4.10-1.cdh5.4.10.p0.16/lib/hue/desktop/libs/libsentry/src/libsentry/api.py", line 49, in decorator
    raise e
SentryException: Access denied to Hue
Re: Sentry on HUE but not on impala or hive CLI

2 things to update

1 - all under /user/hive/warehouse set to hive (probably not the problem)

2 - user is case sensitive - I had Hue in the portal, CM has HUE, but Linux has hue in groups

Correcting the username in the portal to lower case allowed me to create roles 
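
A quick check for the failure resolved in this thread, as an added example that is not part of the original posts: it scans Sentry log lines for "Access denied to <name>" and flags names that differ only by letter case from the allowed-user list. The function names, the `etl_tmp` log line and the `svc_custom` placeholder for the unnamed custom service account are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the ERROR line written by SentryPolicyStoreProcessor, as quoted in the thread.
# The exception line that follows it has no timestamp, so it is not counted twice.
DENIED_RE = re.compile(
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d+ ERROR "
    r"\S+SentryPolicyStoreProcessor: Access denied to (?P<user>\S+)\s*$"
)

def denied_principals(log_lines):
    """Count 'Access denied to <user>' events per principal, exactly as logged."""
    counts = Counter()
    for line in log_lines:
        m = DENIED_RE.search(line)
        if m:
            counts[m.group("user")] += 1
    return counts

def case_mismatches(log_lines, allowed):
    """Return {denied_name: allowed_name} where the two differ only by letter case."""
    by_folded = {name.casefold(): name for name in allowed}
    result = {}
    for user in denied_principals(log_lines):
        expected = by_folded.get(user.casefold())
        if expected is not None and expected != user:
            result[user] = expected
    return result

# Constructed sample: log lines from the thread, plus one made-up denial (etl_tmp).
SAMPLE_LOG = [
    "2017-03-29 17:37:25,030 ERROR org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor: Access denied to Hue",
    "org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to Hue",
    "\tat java.lang.Thread.run(Thread.java:745)",
    "2017-03-29 17:38:56,565 ERROR org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor: Access denied to Hue",
    "2017-03-29 17:40:02,118 ERROR org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor: Access denied to etl_tmp",
]

# Allowed connecting users as listed in the first post; svc_custom stands in for
# the unnamed custom service account.
ALLOWED = ["hive", "impala", "hue", "hdfs", "svc_custom"]

if __name__ == "__main__":
    for denied, expected in case_mismatches(SAMPLE_LOG, ALLOWED).items():
        print(f"'{denied}' was denied; allowed list has '{expected}' (case differs)")
```

A denied name that does not appear in the mismatch result, such as `etl_tmp` here, is simply absent from the list rather than mis-cased.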