Member since 09-20-2017 | 49 Posts | 3 Kudos Received | 3 Solutions
02-14-2019 12:54 PM
I managed to fix this by configuring CompositeGroupMapping instead of LdapGroupMapping.
02-14-2019 04:31 AM
Hello,
I have an HDFS-Hive-Impala regression script that works fine on my kerberized & sentry protected CDH cluster.
Now, I enabled LDAP authentication on HDFS (LdapGroupsMapping), Hive and Impala and the regression script passes HDFS and Hive but fails on the SELECT-INSERT-CREATE Impala actions:
Failure 1 & 2 (similar error for select and insert):
Query: select * from customer.cons limit 10
ERROR: AnalysisException: Failed to load metadata for table: 'customer.cons'
CAUSED BY: TableLoadingException: Failed to load file metadata for 1 paths for table customer.cons. Table's file metadata could be partially loaded. Check the Catalog server log for more details.
Failure 2:
Query: create table customer.test_141226 (id int)
ERROR: ImpalaRuntimeException: Error making 'createTable' RPC to Hive Metastore:
CAUSED BY: MetaException: Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=impala, access=WRITE, inode="/user/hive/warehouse/customer.db":hive:hive:drwxrwx--t
Note 1: Hive and Impala share exactly the same queries in the regression script. The latter looks like an impersonation problem, but why does it appear now and not before LDAP?
Note 2: Service principals are local (KDC), while user principals are on AD.
Thank you,
Gerasimos
02-13-2019 08:32 AM
core-site.xml had empty values not *. No issue.
02-13-2019 08:22 AM
Hello, in my kerberized and Sentry-protected CDH, I started getting the following errors on the Hive Metastore:
Caused by: org.apache.hadoop.security.authorize.AuthorizationException: User: hive/master.hadoop.local@HADOOP.LOCAL is not allowed to impersonate sentry/worker1.hadoop.local@HADOOP.LOCAL
In core-site.xml I have:
hadoop.proxyuser.hive.groups=*
hadoop.proxyuser.hive.users=*
The error started after I was playing around with LDAP integration, though I rolled back my configuration to the previous no-LDAP state. I am trying to figure out what I missed.
Labels: Apache Sentry, Kerberos
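The impersonation failure above was resolved in the later post by noticing that the hadoop.proxyuser.hive.* values in core-site.xml were empty rather than "*". The following check is an added example, not code from the thread or from Cloudera: it parses a constructed core-site.xml (embedded inline) and flags every hadoop.proxyuser superuser whose entries cannot grant impersonation, which is exactly the silent misconfiguration described.

```python
"""Flag hadoop.proxyuser.* entries in core-site.xml that cannot authorize impersonation.

Added example (not from the original thread). The sample below is constructed:
'hive' has the symptom from the post (an empty value instead of '*'), 'hue' is fine.
"""
import xml.etree.ElementTree as ET

SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.proxyuser.hive.groups</name><value></value></property>
  <property><name>hadoop.proxyuser.hive.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.groups</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hue.users</name><value>*</value></property>
</configuration>
"""


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop XML config file."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = (prop.findtext("name", default="") or "").strip()
        if name:
            props[name] = (prop.findtext("value", default="") or "").strip()
    return props


def proxyuser_issues(props):
    """Return [(superuser, key, problem)] for proxyuser entries that cannot work.

    Hadoop authorizes a proxied request only if the caller's host matches the
    superuser's 'hosts' list and the target user matches 'users' or 'groups'.
    An empty <value/> means "nobody", not "everybody", so it fails silently.
    """
    superusers = set()
    for name in props:
        parts = name.split(".")
        if len(parts) == 4 and parts[:2] == ["hadoop", "proxyuser"]:
            superusers.add(parts[2])
    issues = []
    for su in sorted(superusers):
        prefix = "hadoop.proxyuser.%s." % su
        if not props.get(prefix + "hosts", ""):
            issues.append((su, prefix + "hosts", "empty or missing"))
        if not props.get(prefix + "groups", "") and not props.get(prefix + "users", ""):
            issues.append((su, prefix + "groups/users", "both empty or missing"))
    return issues


if __name__ == "__main__":
    for su, key, problem in proxyuser_issues(load_properties(SAMPLE_CORE_SITE)):
        print("proxyuser %s: %s is %s" % (su, key, problem))
```

Run it against the real core-site.xml from the cluster's client configuration to confirm the values Cloudera Manager actually deployed match what the safety valve was meant to set.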
02-12-2019 04:15 AM
Hello @bgooley, cross-realm trust is OK. I can `kinit` principals from both the MIT KDC and AD realms. Hue-LDAP authentication is also OK; however (for now) LDAP users can only perform actions not related to HDFS, Hive and Impala.
My target is to have some users (humans) authenticated against LDAP (for Hue and all CLI hive-impala-etc actions) and some other users (Oozie pipelines), as well as all services, authenticated against the MIT KDC.
Now, I am reading here https://www.cloudera.com/documentation/enterprise/5-15-x/topics/cm_sg_ldap_grp_mappings.html that: "The local user:group accounts must be mapped to LDAP for group mappings in Hadoop. You must create the users and groups for your Hadoop services in LDAP. To integrate the cluster with an LDAP service, the user:group relationships must be contained in the LDAP directory. The admin must create the user accounts and define groups for user:group relationships on each host."
This is confusing, as it is supposed (https://www.cloudera.com/documentation/enterprise/5-14-x/topics/sg_auth_overview.html#concept_n5q_5h2_bt__local-mit-to-active-dir-architecture) that only user principals should be configured in AD. My question is whether in this architecture I need to define the services' user:group relationships etc. in LDAP. (For user-group mapping I am trying both LdapGroupsMapping and SSSD; none has worked yet though.)
Thank you, Gerasimos
02-08-2019 08:24 AM
You are right. I had forgotten a dual backend configuration in hue_safety_valve.ini.
02-08-2019 08:06 AM
... but the "Password" fields are now disabled: I edited the HTML page and removed "readonly=true", and I managed to create the user.
02-08-2019 08:01 AM
Yeap! Removing the URL auto-removed all the accompanying LDAP parameters (so I have to re-write them later to enable LDAP, which I tried to avoid). Thank you, Gerasimos
02-08-2019 03:00 AM
Hello, I am experimenting with LDAP integration, which I managed to make work in Hue. Now I have switched the 'backend' property back to 'desktop.auth.backend.AllowFirstUserDjango.Backend', restarted Hue, and I can log in with the local user as before LDAP. However, on the User Admin page I still see "Add/Sync LDAP user" and not the local "Add user". Which other option prevents the local functionality from showing up? Thank you, Gerasimos
Labels: Cloudera Hue
02-06-2019 05:05 AM
Hello @bgooley, this is the error when syncing an existing group:
views WARNING There was a naming conflict while importing group sentryadmins in pattern sentryadmins
More specifically, this line of useradmin/views.py:
group, created = Group.objects.get_or_create(name=ldap_info['name'])
returns group=sentryadmins, created=False. So I can tell that the group is not created at the Django level when it already exists. Looking closer at the Python code, there is a comment:
# This is a Hue group, and shouldn't be overwritten
which is right! The group already exists and should not be overwritten, but users should become members of the group during sync, which is not happening.