Member since
09-20-2017
02-05-2019
06:40 AM
Assuming that I already had (OS & Hue) group "sentryadmins", then I am getting an error on "Add/Sync LDAP group": But, if I first delete the Hue group "sentryadmins", then the sync functionality works. Any idea for this? It is supposed that sync will sync existing groups (my case) or add any new ones.
02-05-2019
01:28 AM
Hello @bgooley

Thanks again. I enabled the logging, I saw how LDAP queries are constructed and finally I got it working. Minor, but I think that I first need to do at least one "Add/Sync LDAP Group" of a specific group in order to be synced during login of new users.

So, what I have managed so far is:
1. Define (new) users in AD
2. Define the old Hadoop groups in AD as well and configure users' memberships appropriately (I guess I have to do this to keep Sentry working as before)
3. When a user logs in to Hue, he gets the group membership from AD

I am going further now with this, thank you again.
Gerasimos
02-04-2019
12:35 AM
Hello @bgooley

Thank you again for your guided reply. I spent some time with some hands-on so I have a better view now. I started with Hue integration, which seemed the most straightforward (before going to the Hadoop level).

I set up an Active Directory 2008, and created some users under the "Users" container. In there, I also defined a "sentryadmins" group and made "user1" a member of this group. I would expect this group (which by the way also exists in Hue and OS level) to be imported to Hue when user1 logs in (shouldn't I?)

LDAP authentication works great when I log in to Hue with "user1". I can also see that firstName, lastName and email fields have been imported. However, I have 2 issues with Hue authentication:
1. "sentryadmins" group is not imported as "user1" membership. I tried the "sync" functionality and nothing changes.
2. When I press "Sync LDAP users/groups" no users or groups are imported.

Can these be addressed? Also, in case that something goes really bad with LDAP integration, how can I manually switch back to "AllowFirstUserDjangoBackend"? I am using CM for Hue configuration (and a bit of code in hue_safety_valve.ini)

Thank you,
Gerasimos
01-28-2019
11:42 PM
1 Kudo
The problem was on StreamSets, where I had not disabled Kerberos. Now the Enable Kerberos option is active again.
01-28-2019
11:39 PM
Hello,

I am trying to totally remove Kerberos and re-enable it. I have followed all the rollback steps as described in several posts:

https://community.cloudera.com/t5/Cloudera-Manager-Installation/Disabling-Kerberos/td-p/19654
https://stackoverflow.com/questions/29744821/how-to-disable-hadoop-kerberos
http://bigdata-tips.blogspot.com/2017/03/how-to-disable-kerberos-in-cloudera-cdh.html

It seems that Kerberos is indeed disabled BUT I cannot get the Enable Kerberos button back: What should I do to re-enable it?

Thank you,
Gerasimos
Labels: Cloudera Manager, Kerberos
01-22-2019
11:27 PM
Hello @bgooley,

Thank you for the detailed explanation. To clarify myself, when I said "kerberos" I meant the MIT KDC implementation, and yes I do not know much about LDAP and AD.

My organization has a Microsoft AD. It also has a CDH that uses MIT Kerberos for Hadoop user and services authentication. CM and Hue have their own users. The task is to review what needs to be done in order to have users declared in AD use the cluster, e.g. for submitting Spark jobs, executing Impala queries, using CM, Hue etc.

As far as I have understood, I can keep both existing user principals along with the AD users (on different realms). Is this right? For users controlled by AD, will I still need to create them at OS level? If not, how are HDFS user and group permissions affected?

After your reply, I read the link above again, and I think that the key in this task is to understand this: "A one-way, cross-realm trust must be set up from the local Kerberos realm to the central AD realm containing the user principals that require access to the CDH cluster".

Thank you again for your effort.
01-22-2019
01:59 PM
Hello,
I have a kerberized 5.14 CDH cluster and I want to integrate with LDAP for user authentication (not service). I suppose this is what is described in "Local MIT KDC with Active Directory Integration".
I have the following questions about this change, if I have understood the process right:
1. Users now will be defined in AD and not Kerberos. This means that current Kerberos keytab files will no longer be valid. Right?
2. In case of CLI pipelines, where we first have to do a kinit for the principal, how will the authentication be after LDAP?
3. Which services should be configured to work with LDAP?
- Cloudera Manager
- Hue
- Hive
- Impala
- ... ?
4. Will groups and Sentry permissions need to be re-configured after enabling LDAP?
Thank you,
gerasimos
Labels: Cloudera Manager, Kerberos, Security
09-18-2018
07:55 AM
1 Kudo
Thank you @Tomas79

I am also searching for architecture designs for Active-Active or Active-Passive DR configurations using 2 clusters. This article has some introductory info on this. I was wondering whether more resources are available on this topic.

Best regards,
Gerasimos
09-18-2018
12:52 AM
Hello,

I have a kerberized + Sentry protected CDH cluster with:
- 1 x Edge
- 2 x Master
- 4 x Worker nodes

I want to set up a secondary cluster for Hive replication purposes.
1. What should be the minimum topology for this task?
2. Should the secondary cluster be Sentry protected as well?
3. Should the 2 clusters share the same KDC principals? If so, can the secondary cluster use the KDC server currently installed on Master1 node?

Thank you,
Gerasimos
Labels: Apache Sentry, Cloudera Manager
08-24-2018
12:17 AM
Thank you, I added the Cloudera repo to my Gradle configuration and builds and functions run from Impala without problems.