HUE integration with HBASE and Kerberos


Alejandro

Oct 18, 2016, 7:08:48 AM
to Hue-Users
Hi everyone,

I have problems with HUE and HBASE integration with Kerberos + impersonation. My environment is an Ambari-managed Hortonworks.

I have followed the following URL:

If I use hbase/_HO...@example.com for the thrift principal then HUE's HBASE view returns an authentication error. Looking at network captures I see that the base64 authentication token sent by HUE to the thrift server references HTTP/_HOST instead of hbase/_HOST, which is odd (BTW, there is also a "doAs: hue" header in case it is of interest).

If I change the thrift principal to HTTP/_HO...@example.com then the authentication issue disappears, which is coherent with what the authentication token states...however the Hbase view now gets stuck forever and eventually a "too many retries" kind of error is shown.

Looking at network captures I see the following message in the communication between the thrift server and the Hbase Master (in particular, it is a message returned by the Master):

6org.apache.hadoop.hbase.security.AccessDeniedException.YUser: HTTP/edge....@example.com is not allowed to impersonate hue(.
The meaning of the message is clear, but I do not know how to fix it. I presume that the thrift server should try to impersonate hue while being hbase, achieved by following the procedure above, but as mentioned the standard procedure fails on me.

Can you give me a clue of what could be happening? Many thanks in advance.

Romain Rigaux

Oct 19, 2016, 2:38:11 AM
to Alejandro, Hue-Users
The latest error is the closest to making it work. Could you make sure the HTTP user is allowed to impersonate? Usually the Hadoop proxy user list is in core-site.xml. The Thrift server user will then be allowed to impersonate hue users under their correct usernames.

Alejandro Gomez

Oct 22, 2016, 8:03:36 AM
to Romain Rigaux, Hue-Users
Hello,

Thank you for your answer. The values for user HTTP are filled by Ambari server and by default are:

hadoop.proxyuser.HTTP.hosts      manager.hadoop
hadoop.proxyuser.HTTP.groups    users

I remember that at some point I changed both values to 

hadoop.proxyuser.HTTP.hosts      manager.hadoop,*
hadoop.proxyuser.HTTP.groups    users,*

So that all hosts and groups would be included but the error remained the same. 

It is strange since from official sources the user that should try to impersonate hue should be hbase, not HTTP/<hostname>@<realm name>.


Regards,
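
The hadoop.proxyuser.* properties discussed in this thread can be checked offline against a copy of core-site.xml. The script below is an added example, not code from the thread or from the Hue or Hadoop projects. Assumptions: the principal, host and group names are constructed, the short name is derived as under a default auth_to_local mapping (primary/instance@REALM becomes primary), and hosts are compared as exact strings only.

```python
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragment carrying the property values quoted in the thread.
SAMPLE_CORE_SITE = """<configuration>
  <property><name>hadoop.proxyuser.HTTP.hosts</name><value>manager.hadoop,*</value></property>
  <property><name>hadoop.proxyuser.HTTP.groups</name><value>users,*</value></property>
</configuration>"""

def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def short_name(principal):
    """Assumption: default auth_to_local mapping, primary/instance@REALM -> primary."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def check_list(raw, candidates):
    """Classify one comma-separated proxyuser list against the candidate values."""
    if raw is None:
        return "missing"            # no rule at all for this proxy user
    items = [i.strip() for i in raw.split(",") if i.strip()]
    if items == ["*"]:
        return "wildcard"           # any host / any group: broadest possible grant
    if "*" in items:
        # '*' mixed with names: confirm how your Hadoop version interprets this.
        return "mixed-wildcard"
    return "match" if any(c in items for c in candidates) else "no-match"

def audit(xml_text, proxy_principal, client_host, target_groups):
    """Report how the proxyuser rules for proxy_principal apply to one request.

    client_host is the host the proxying service connects from; target_groups
    are the groups of the user being impersonated.
    """
    props = load_props(xml_text)
    user = short_name(proxy_principal)
    return {
        "proxy_user": user,
        "hosts": check_list(props.get(f"hadoop.proxyuser.{user}.hosts"), [client_host]),
        "groups": check_list(props.get(f"hadoop.proxyuser.{user}.groups"), target_groups),
    }

if __name__ == "__main__":
    # Constructed principal, host and group names.
    print(audit(SAMPLE_CORE_SITE, "HTTP/edge.hadoop@EXAMPLE.COM", "edge.hadoop", ["hue"]))
```

A result of "missing" or "no-match" for either list means the request would not be covered by an explicit rule in that file; the file checked should be the one actually loaded by the service that enforces impersonation.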
