Member since 12-30-2015
10 Posts, 3 Kudos Received, 0 Solutions
02-06-2018
08:07 AM
@soundy Yes the feature already exists in CDH to allow HiveServer2 to be configured for both Kerberos and LDAP authentication at the same time, just like Impala. You don't need any "testing mode" configurations or anything like that.
02-28-2016
04:36 PM
What do you mean by SSO? SAML? Also, clients don't talk directly to Sentry. Clients talk to Sentry-enabled services such as Hive, Impala, and Solr. With that in mind, are you instead asking whether SAML is going to be supported as an authentication mechanism for those Sentry-enabled services? I am not aware of that being on a near-term roadmap.
02-28-2016
04:29 PM
1 Kudo
I presume that adding/removing groups is not that frequent of a change, and hopefully you have considered integrating your Linux machines with an upstream LDAP provider. Be that as it may, you can also force the NameNode to refresh the user-to-group mappings by executing the following command:
hdfs dfsadmin -refreshUserToGroupsMappings
02-28-2016
04:24 PM
Using LDAP authentication makes it much easier to manage JDBC/ODBC clients with Impala (and HiveServer2 for that matter). Each Impala daemon can support both authentication mechanisms at the same time, so it is very easy for clients to access it.
02-28-2016
04:19 PM
1 Kudo
Kerberos authentication is a given for a secure environment. However, it absolutely makes sense to also provide LDAP authentication for JDBC/ODBC clients. This is common. Currently you need to choose either Kerberos or LDAP for a single HiveServer2, but this is changing imminently to be like Impalad, where a single instance can support either authentication method. Keep in mind that this is just authentication from clients to the service. From that service to the rest of the internal cluster, Kerberos is used.
02-28-2016
04:16 PM
The short answer is no. The problem is that HDFS ACLs protect the data in HDFS, but they do nothing to protect the metadata inside the Hive metastore. Sentry comes with a plugin for the Hive Metastore Server that is used for exactly that purpose. You didn't clarify what you meant by AD. AD is a lot of things, and specifically for this conversation it could be the mechanism that provides group memberships, and/or it could be LDAP authentication for HiveServer2. Neither of these things is a substitute for Sentry, but rather, complementary pieces to integrate better with your enterprise infrastructure.
12-30-2015
08:47 AM
Does your EC2 instance have connectivity to the NTP servers it is configured with? Maybe the security group is not open? Try stopping your ntp service and running the command:
ntpdate -s <address_of_ntp_server>
Does that work? I have seen in the past where ntp fails to automatically synchronize the clock if the original clock value is too far off. Forcing it to set it using ntpdate, then starting up ntp again, should fix it. Of course, all of this depends on connectivity to the ntp server...
12-30-2015
08:39 AM
1 Kudo
If you go to Hive service -> Instances tab -> click HiveServer2, then click on Processes, do you see the advanced configuration snippet for sentry.hive.testing.mode in your sentry-site.xml? If you don't, you don't have the property set right. Make sure you put the configuration in the Service-Wide advanced configuration snippet for sentry-site.xml. This effectively puts it into both HiveServer2 and Hive Metastore Server role configurations.
12-30-2015
08:29 AM
Have you also deployed the client configurations? Is the node you are submitting the job from configured with a YARN gateway role? The MapReduce configurations for YARN are gateway configurations, so restarting the cluster on its own is not enough to reflect the changes you made. Check the /etc/hadoop/conf directory on the node you are submitting the jobs from to verify.
12-30-2015
08:19 AM
Did you have any issues running the scm_prepare_database.sh script? What configuration did you use for /etc/my.cnf? We have an example configuration for MySQL at: http://www.cloudera.com/content/www/en-us/documentation/enterprise/latest/topics/cm_ig_mysql.html#cmig_topic_5_5_2_unique_1