About JoaoBarreto

JoaoBarreto · ‎12-04-2018

I don't fully remember but, I think back then we had to use SSSD (Via LDAP. We have another customer via Keytab) to fetch the groups with hadoop.security.group.mapping = org.apache.hadoop.security.ShellBasedUnixGroupsMapping That way we are able to fetch the groups of each user on the backend.

JoaoBarreto · ‎10-23-2018

Just a few changes I've detected. In the agent configuration don't use EXPORT. In /etc/default/cloudera-scm-agent just add: KRB5_CONFIG=/path/krb5.conf Also, you will need to hammer Kerberos Server and Kadmin files. KDC -> /etc/sysconfig/krb5kdc Add: KRB5_CONFIG=/path/krb5.conf And also: Kadmin -> /etc/sysconfig/kadmin Add: KRB5_CONFIG=/path/krb5.conf This will allow you to start both services after you create the databases (kdb5_util create -s). If you don't do this, kerberos will still read /etc/krb5.conf and weird stuff will appear. LET'S GO PEOPLE!!! 😄 Hammer on!

JoaoBarreto · ‎10-18-2018

Dude, with this reply you should really get a raise! Thanks! We will test this solution! Thank you so much! ____________________________________________________ After some tests the solution is correct! It worked 🙂

JoaoBarreto · ‎10-16-2018

Hi. I've been able to configure our cluster with a local kerberos realm using the usual /etc/krb5.conf file. The thing is... we need to change the path that the system will use. Basically the customer is using the path /etc/krb5.conf with something else, but we need to setup Cloudera Manager (and the rest of the big data services) to use a different krb5.conf location. Anyone know how to perform this change in Cloudera Manager (cluster wide)? To use a different krb5.conf file, other than the usual /etc/krb5.conf? Thanks... :'(

JoaoBarreto · ‎10-08-2018

Hi. One of our customers asked us if it was possible to change the username of the CDH installation from "cloudera-scm" to another username. Is this possible without using single-user mode? I've searched in the internet but did not find anything related to this. Thank you.

JoaoBarreto · ‎01-05-2018

I'm currently trying to run HDFS DFS -LS / with 1 kerberos principal (one that should be in the AD) and we are having some issues... try to run debug on kerberos to check if you can run commands on HDFS with a principal that is in the AD. We are doing this in order to test if the problem is in the HDFS/Kerberos/AD configuration.

JoaoBarreto · ‎12-27-2017

I can't actually do that, cause the AD comes from a major company... and it's managed by them. 😞 Thanks for the reply!

JoaoBarreto · ‎12-22-2017

Hi there. I have the same problem but I didn't understand the solution. What did you do? Sorry but I'm a little desperate here... 😞

JoaoBarreto · ‎12-21-2017

Hi. My company is running a CDH Cluster, with Hue setup with AD. Sentry and Hive. Below all this we also have Kerberos. The main problem right now is that when Hive tries to search for the groups of a user I get this error. 2017-12-21 14:12:57,687 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=0) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839] 2017-12-21 14:12:57,706 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=1) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839] 2017-12-21 14:12:57,724 WARN org.apache.hadoop.security.LdapGroupsMapping: [HiveServer2-Handler-Pool: Thread-108]: Failed to get groups for user ex76196 (retry=2) by javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839] 2017-12-21 14:12:57,724 WARN org.apache.sentry.provider.common.HadoopGroupMappingService: [HiveServer2-Handler-Pool: Thread-108]: Unable to obtain groups for ex76196 java.io.IOException: No groups found for user ex76196 at org.apache.hadoop.security.Groups.noGroupsForUser(Groups.java:190) at org.apache.hadoop.security.Groups.access$400(Groups.java:69) at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:307) at org.apache.hadoop.security.Groups$GroupCacheLoader.load(Groups.java:257) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3568) at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2350) at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2313) at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2228) at com.google.common.cache.LocalCache.get(LocalCache.java:3965) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3969) at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4829) at org.apache.hadoop.security.Groups.getGroups(Groups.java:215) at org.apache.sentry.provider.common.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:60) at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.getGroups(HiveAuthzBinding.java:372) at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:395) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:449) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:312) at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1201) at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1188) at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:143) at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:215) at org.apache.hive.service.cli.operation.Operation.run(Operation.java:326) at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:425) at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:402) at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:258) at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:500) at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1313) at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1298) at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39) at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39) at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:746) at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) When I try to setup Hive with AD/LDAP it says that only Kerberos or AD/LDAP can be on. Anyone have any idea how to solve this? The objective is basically give the AD groups permissions to the Hive tables. Kind of lost right now... any ideas would be very appreciated. Thanks.

Online	Offline
Last Visited	‎12-15-2021 03:18 AM

Member Since	‎12-19-2017 05:37 AM
Last Visited	‎12-15-2021 03:18 AM
Posts	23
Kudos received	2

Cloudera Community

Cloudera Community

Re: Hive, Sentry, Kerberos and Active Directory - ...

Re: [Kerberos] How to setup Cloudera Manager in or...

Re: [Kerberos] How to setup Cloudera Manager in or...

[Kerberos] How to setup Cloudera Manager in order ...

Changing installation username from "cloudera-scm"...

Re: Hive, Sentry, Kerberos and Active Directory - ...

Re: sentry doesnt work based on AD

Re: sentry doesnt work based on AD

Hive, Sentry, Kerberos and Active Directory - "No ...