About Jy

Jy · ‎01-13-2015

Hi, Does LDAP integration with cloudera manager require an enterprise license? If so where can I find more information about setting up an enterprise license. Thanks

Jy · ‎01-13-2015

Looking at the the guide from http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_authorization.html. I am unable to find the following see below. In an environment managed by Cloudera Manager, the server name is specified through Impala > Service-Wide > Advanced > Server Name for Sentry Authorization. I found this setting in hive but not in impala.

Jy · ‎01-13-2015

Correct, I did. I believe that sentry is working correctly it is just that impala does not know where the sentry server is. In no steps did I point impala at the sentry server. Thanks

Jy · ‎01-12-2015

Hi, I have recently setup hive and impala with LDAP authentication and am now implementing sentry for role authorization. So far I have successfully setup sentry as a service for hive, however, I am unable to get the same results with impala. I have added the users in ldap to a user group which has "grant all on server server1". I know that these permissions work because they work correctly in hive (perhaps they differ in impala?). This is the following error that I receive after logging into the impala-shell once authenticating. "ERROR: AuthorizationException: User 'xxxx' does not have privileges to access: default.*" Now my guess is that this has something to do with sentry and not ldap integration since impala works fine once I disable the sentry dependancy. What I cannot find is where to declare the sentry server for impala to point to for permissions. The link listed below mentions a setting in the "/etc/default/impala" file (I cannot find this file). I believe that this is the root cause for my authorization issues sense the error appears after authenticating and impala seems to have no way of understanding where to locate my permission list. http://www.cloudera.com/content/cloudera/en/documentation/cloudera-impala/latest/topics/impala_authorization.html Thanks

Jy · ‎01-06-2015

Thanks Darren, I think I have sentry setup correctly now. However, is it possible to grant roles to an individual user? or does a user always have to be part of a group. I received an error when I tried to do the following: "grant role super_user to user cloudera" (FAILED: SemanticException Sentry does not allow grant/revoke on: USER (state=42000,code=40000)). Also, at what level do I add individual users to a group is this at the OS level or somewhere else? For example, I have user "cloudera" added in the user group and admin group within sentry. But lets say I have another user "bob" who I want to add to this group called "cloudera", where do I add "bob" for group cloudera? Thanks

Jy · ‎01-06-2015

Thanks, for the quick response. I removed all xml properties from the "Hive Service Advanced Configuration Snippet" (hive > service-wide > advanced) and from the "HiveServer2 Advanced Configuration Snippet" (hive > hiveserver2 base group > advanced). I enabled sentry as a dependent for hive (hive > service-wide), disabled hiveserver2 impersonation, and configured the settings in YARN then restarted/redeployed client configurations. Since I am not using kerberos or ldap at the moment (just testing role based authorization) I added the "sentry.hive.testing.mode" xml tags into the "Sentry Service Advanced Configuration Snippet" (sentry > service-wide > advanced). When I launch hive or beeline through the CLI I receive the following errors when trying to view/create roles. I feel that I am still configuring something wrong here. I am doing these configurations in the cloudera-quickstart-vm-5.2.0 (would like to get sentry working before pushing this out to our dev cluster). Thanks

Jy · ‎01-06-2015

Hi, What alternatives are there to authorization with hive/impala besides sentry? Also, I am having difficulties setting up sentry as a service. The following is the guide I am using http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_service_config.html. The issue I run into is setting the path for "hive.sentry.conf.url" within the hive-site.xml. I am unable to find the sentry-site.xml, the closest file that I am able to find is the sentry-store-site.xml file. What is the difference between sentry-site.xml vs sentry-store-site.xml. Thanks

Jy · ‎11-17-2014

Thanks for the quick response Tgrayson. For the firewall rule, the source subnets would be for example 192.168.x.x (IP of client machine connecting). As for when I try to connect I recieve a "connection failed" with telnet (client to cluster). With a web browser I receive a "connection refused" in google chrome. Currently, I have resolved the issue temporarly with a firewall rule to accept my full IP but from the sounds of it I need the subnet of the user clients who would be accessing. What is happening when you attempt to access things, is the page never connecting or not completing, what happens when you telnet from your desktop to the port 7180 for the HTTP process? I receive a "connect failed" on port 23. However, I receive the same message when I enter in the full IP with port previously before the firewall rule had been created. Will try out your suggestion and post back.

Jy · ‎11-14-2014

Hi, I'm having some issues with connecting to the CM admin page in addition to other daemon web UI's. Originally I had requested firewall changes to allow the ports for each of the daemons and CM admin page, this worked but does not work as a valid solution for dynamic IPs. Other computers are unable to access the CM admin page from different IPs. This also means that the current computer I am accessing the CM admin page from will require the port to be allowed for each dynamic IP that I am assigned. I'm curious if there is a work around for this that does not involve shutting down a network firewall. Other clusters that are setup in my environment do not have these firewall issues. I confirmed that SElinux was disabled and the iptables match the settings in the other clusters (those that are not having firewall issues). I added all the ips/domain names to the /etc/hosts on all nodes. The cluster that is having the firewall issues are all physical machines and not VMs, I'm not sure if this makes any difference in how the dns is resolved. Thanks CM 5.2

Jy · ‎10-28-2014

Hi, I have a 6 node cluster running in HA and noticed the growth rate of the TS data. I understand that the data storage for CM host/service monitor has a limit set which can be adjusted but is this normal for a HA cluster as for the rate of growth, considering that there are no jobs running in the cluster? Granted it will cap out at 10gb for each directory but is there a way to slow down the rate of consumption? I saw an option in the CM manager "event publication log quiet time period" would this change the rate at which each "monitor storage directory" collects data? Again, if this is normal and expected then I just need to ensure that there is enough overhead for the TS data to begin rolling. Thanks CM 5.2

Online	Offline
Last Visited	‎02-29-2016 06:36 PM

Member Since	‎09-30-2014 11:28 AM
Last Visited	‎02-29-2016 06:36 PM
Posts	21
Kudos received	6

Cloudera Community

LDAP integration cloudera manager

Re: Impala with sentry

Re: Impala with sentry

Impala with sentry

Re: Role based authorization

Re: Role based authorization

Role based authorization

Re: cloudera manager 7180 firewall issues

cloudera manager 7180 firewall issues

CM host/service monitor TS question