Member since 09-20-2017

49 Posts | 3 Kudos Received | 3 Solutions

My Accepted Solutions
| Title | Views | Posted | 
|---|---|---|
| | 2485 | 02-14-2019 12:54 PM |
| | 3017 | 02-13-2019 08:32 AM |
| | 1829 | 01-28-2019 11:42 PM |

02-14-2019 12:54 PM

I managed to fix this by configuring CompositeGroupMapping instead of LdapGroupMapping.
						
					
02-14-2019 04:31 AM

Hello,

I have an HDFS-Hive-Impala regression script that works fine on my kerberized & sentry protected CDH cluster.

Now, I enabled LDAP authentication on HDFS (LdapGroupsMapping), Hive and Impala and the regression script passes HDFS and Hive but fails on the SELECT-INSERT-CREATE Impala actions:

Failure 1 & 2 (similar error for select and insert):

```
Query: select * from customer.cons limit 10
ERROR: AnalysisException: Failed to load metadata for table: 'customer.cons'
CAUSED BY: TableLoadingException: Failed to load file metadata for 1 paths for table customer.cons. Table's file metadata could be partially loaded. Check the Catalog server log for more details.
```

Failure 2:

```
Query: create table customer.test_141226 (id int)
ERROR: ImpalaRuntimeException: Error making 'createTable' RPC to Hive Metastore:
CAUSED BY: MetaException: Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=impala, access=WRITE, inode="/user/hive/warehouse/customer.db":hive:hive:drwxrwx--t
```

Note 1: Hive and Impala share the exact same queries on the regression script. The latter seems like an impersonation problem, but why does it appear now and not before LDAP?

Note 2: services principals are local (KDC) while user principals are on AD.

Thank you,
Gerasimos
						
					
02-13-2019 08:32 AM

core-site.xml had empty values, not `*`. No issue.
						
					
02-13-2019 08:22 AM

Hello,

In my kerberized and Sentry-protected CDH, I started getting the following errors on hive metastore:

```
Caused by: org.apache.hadoop.security.authorize.AuthorizationException:
User: hive/master.hadoop.local@HADOOP.LOCAL is not allowed to
impersonate sentry/worker1.hadoop.local@HADOOP.LOCAL
```

In core-site.xml I have:

```
hadoop.proxyuser.hive.groups=*
hadoop.proxyuser.hive.users=*
```

The error started after I was playing around with LDAP integration, though I rolled back my configurations to the previous no-LDAP state. I am trying to figure out what I missed.
						
					
Labels: Apache Sentry, Kerberos

02-12-2019 04:15 AM

Hello @bgooley

Cross-realm trust is OK. I can `kinit` principals from both MIT KDC and AD realms.

Hue-LDAP authentication is also OK, however (for now) LDAP users can only perform actions not related to HDFS, HIVE and IMPALA.

My target is to have some users (humans) to be authenticated against LDAP (for Hue and all CLI hive-impala-etc actions) and some other users (oozie pipelines) as well as all services to be authenticated against MIT KDC.

Now, I am reading here https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_ldap_grp_mappings.html that:

"The local user:group accounts must be mapped to LDAP for group mappings in Hadoop. You must create the users and groups for your Hadoop services in LDAP. To integrate the cluster with an LDAP service, the user:group relationships must be contained in the LDAP directory. The admin must create the user accounts and define groups for user:group relationships on each host."

This is confusing, as it is supposed (https://www.cloudera.com/documentation/enterprise/5-14-x/topics/sg_auth_overview.html#concept_n5q_5h2_bt__local-mit-to-active-dir-architecture) that only user principals should be configured in AD.

My question is whether in this architecture I need to define services user:group relationships etc in LDAP.

(for User-group mapping I am trying both LdapGroupsMapping and SSSD - none have worked yet though)

Thank you,
Gerasimos
						
					
02-08-2019 08:24 AM

You are right. I had forgotten a dual backend configuration in hue_safety_valve.ini.
						
					
02-08-2019 08:06 AM

... but the "Password" fields are now disabled:

I edited the HTML page and removed "readonly=true", and I managed to create the user.
						
					
02-08-2019 08:01 AM

Yeap! Removing the URL auto-removed all the accompanying LDAP parameters (so I have to re-write them later to enable LDAP, which I tried to avoid)

Thank you,
Gerasimos
						
					
02-08-2019 03:00 AM

Hello,

I am experimenting with LDAP integration, which I managed to make work in Hue.

Now, I switched the 'backend' property back to 'desktop.auth.backend.AllowFirstUserDjango.Backend', restarted Hue and I can log in with the local user as before LDAP.

However, on the User Admin page I still see "Add/Sync LDAP user" and not the local "Add user".

Which other option prevents the local functionality from showing up?

Thank you,
Gerasimos
						
					
Labels: Cloudera Hue

02-06-2019 05:05 AM

Hello @bgooley

This is the error when syncing an existing group:

```
views    WARNING  There was a naming conflict while importing group sentryadmins in pattern sentryadmins
```

and more specifically, this line of useradmin/views.py

```
group, created = Group.objects.get_or_create(name=ldap_info['name'])
```

returns

```
group=sentryadmins
created=False
```

So, I can tell that the group is not created at Django level when it already exists. Looking closer in the python code, there is a comment:

```
# This is a Hue group, and shouldn't be overwritten
```

which is right! The group already exists, should not be overwritten, but users should become members of the group during sync, which is not happening.
						
					