@soundy Yes the feature already exists in CDH to allow HiveServer2 to be configured for both Kerberos and LDAP authentication at the same time, just like Impala.  You don't need any "testing mode" configurations or anything like that. ... View more

The answer of @SpiveyBen is ok. This issue already solved: https://community.cloudera.com/t5/Batch-SQL-Apache-Hive/Sentry-doesn-t-seem-to-work-with-LDAP-CDH-5-3/td-p/23673 ... View more

I have added a user to two user groups in the OS. The changes are not showing in HDFS even after running the  hdfs dfsadmin  -refreshUserToGroupsMappings command   $groups user1 user1 : users group1 group2 newgroup1 newgroup2 $hdfs groups user1 user1 : users group1 group2    Is there an extra step I need to take?   ... View more

Thanks Ben for your reply   we use ODBC with authentification name/password(technical account) and in Microsoft linked server we map users in security tab ... View more

What do you mean by SSO?  SAML?  Also, clients don't talk directly to Sentry.  Clients talk to Sentry-enabled services such as Hive, Impala, and Solr.  With that in mind, are you instead asking whether SAML is going to be supported as authentication mechanism for those Sentry-enabled services?  I am not aware of that being on a near-term roadmap. ... View more

The short answer is no.   The problem is that HDFS ACLs protect the data in HDFS, but it does nothing to protect the metadata inside the Hive metastore.  Sentry comes with a plugin for the Hive Metastore Server that is used for exactly that purpose.   You didn't clarify what you meant by AD.  AD is a lot of things, and specifically for this conversation it could be the mechanism that provides group memberships, and/or it could be LDAP authentication for HiveServer2.  Neither of these things are a substitute for Sentry, but rather, complementary pieces to integrate better with your enterprise infrastructure. ... View more

  Thanks for the reply , but I am sorry it is not very clear to me , can you please provide any link to the required steps , in this case.   Yoru help is appreciated!     ... View more

scm_prepare_database.sh script went fine. Following is the output. [user1@cluster ~]$ sudo /usr/share/cmf/schema/scm_prepare_database.sh mysql cmf cmf cmf JAVA_HOME=/usr/java/jdk1.7.0_67-cloudera Verifying that we can write to /etc/cloudera-scm-server Creating SCM configuration file in /etc/cloudera-scm-server Executing: /usr/java/jdk1.7.0_67-cloudera/bin/java -cp /usr/share/java/mysql-connector-java.jar:/usr/share/java/oracle-connector-java.jar:/usr/share/cmf/schema/../lib/* com.cloudera.enterprise.dbutil.DbCommandExecutor /etc/cloudera-scm-server/db.properties com.cloudera.cmf.db. 2015-12-30 16:35:23,255 [main] INFO com.cloudera.enterprise.dbutil.DbCommandExecutor - Successfully connected to database. All done, your SCM database is configured correctly!   I have used /etc/my.conf similar to one provided in the link. I have more strong feeling about docker causing an issue. Although I have not tried to reproduce problem on standalone centos vm. ... View more

Does your EC2 instance have connectivity to the NTP servers it is configured with?  Maybe the security group is not open?   Try stopping your ntp service and running the command:   ntpdate -s <address_of_ntp_server>   Does that work?  I have seen in the past where ntp fails to automatically synchronize the clock if the original clock value is too far off.  Forcing it to set it using ntpdate, then starting up ntp again, should fix it.  Of course, all of this depends on connectivity to the ntp server... ... View more