Trouble enabling impersonation for Impala connections from Hue


Phil Rhodes

Sep 13, 2016, 4:40:29 PM
to hue-...@cloudera.org
Hi all, I'm having some issues getting Hue to impersonate users when
working with Impala using LDAP. Briefly, here's what I have:

CDH 5.8.0
Impala is configured to authenticate against our OpenLDAP server, and using
impala-shell with the -l arg works fine, as does connecting with the JDBC
driver. We're able to use authenticated connections just fine in both of those
scenarios.

Hue is configured for LDAP authentication, in terms of logging into
Hue itself, and that works fine.

If I leave the impersonation_enabled=True setting out, I'm able to run
queries from Hue, but they all show as belonging to the Hue service
account.

I tried adding impersonation_enabled=True to the Hue file through CDH,
and as best as I can tell, it would go in the hue_safety_valve.ini
block. So that block looks like this:

[desktop]
ldap_username=username
ldap_password=password
[impala]
impersonation_enabled=True

But with this set, when I log into Hue, I get the error:


No available Impalad to send queries to.

If I ssh into the server and go to
/run/cloudera-scm-agent/process/XXX-hue-HUE_SERVER

I see that hue.ini has the block like this in it:

[impala]
server_host=hostname
server_port=21050
server_conn_timeout=120

and

hue_safety_valve.ini has:

[desktop]
ldap_username=username
ldap_password=password
[impala]
impersonation_enabled=True


But yet it can't find the impalad. If I take out the impersonation_enabled
stuff, it goes back to working as before - queries work, but no impersonation.

Any ideas on how to resolve this?


Phil

Romain Rigaux

Sep 14, 2016, 12:01:48 PM
to Phil Rhodes, Hue-Users
Could you get the error trace from the /logs page of Hue or the CM Hue process role log tab?

Did you check on the /desktop/dump_config what exactly is used in the [impala] section?

You could also try to directly put the LDAP params in the [impala] config:
https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L955

Maybe there is a safety valve merging issue. AFAIK impersonation is independent of using LDAP or other auth system.







Phil Rhodes

Sep 21, 2016, 1:59:52 PM
to Romain Rigaux, Hue-Users
On Wed, Sep 14, 2016 at 12:01 PM, Romain Rigaux <rom...@cloudera.com> wrote:
> Could you get the error trace from the /logs page of Hue or the CM Hue
> process role log tab?

Here's what I see there:

[21/Sep/2016 10:49:28 -0700] connectionpool INFO Starting new HTTP connection (1): dp-lab-datanode-1.distil.us

[21/Sep/2016 10:49:28 -0700] conf ERROR No available Impalad to send queries to.
Traceback (most recent call last):
  File "/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/impala/src/impala/conf.py", line 186, in config_validator
    server.get_databases()
  File "/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/dbms.py", line 149, in get_databases
    databases = self.client.get_databases(schemaName=database_names)
  File "/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py", line 1117, in get_databases
    return [table[col] for table in self._client.get_databases(schemaName)]
  File "/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py", line 660, in get_databases
    res = self.call(self._client.GetSchemas, req)
  File "/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py", line 630, in call
    session = self.open_session(self.user)
  File "/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py", line 590, in open_session
    raise QueryServerException(Exception('Bad status for request %s:\n%s' % (req, res)), message=message)
QueryServerException: Bad status for request TOpenSessionReq(username='hue', password=None, client_protocol=6, configuration={'idle_session_timeout': '43200', 'impala.doas.user': u'phil.rhodes'}):
TOpenSessionResp(status=TStatus(errorCode=None, errorMessage="User 'dp-admin' is not authorized to delegate to 'phil.rhodes'. User delegation is disabled.\n", sqlState='HY000', infoMessages=None, statusCode=3), sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\xe8\xf5mQ(\xedI\x19\xa8\xafqn\x95\x84\xc5\xc2', guid='\xad\xcc\xb1\x83*|F\xe7\x8c\xf3\xf5\xba\x90\x953\xbf')), configuration=None, serverProtocolVersion=5)


Looks like this "dp-admin is not authorized to delegate" / "User
delegation is disabled" bit might be the problem. Any pointers on
what the resolution to that might be? Is there an Impala setting for
enabling delegation?


Phil
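
Added example (not part of the thread, and not Hue or Impala code): a small Python triage helper that pulls the identities out of a delegation failure like the one in the trace above, even when the log has been hard-wrapped by e-mail. The sample text is constructed from that trace, and the function and field names are hypothetical.

```python
import re

# Constructed sample: the failing OpenSession exchange from the thread's trace,
# shortened (session handle omitted) and hard-wrapped the way e-mail wrapped it.
SAMPLE_LOG = """\
[21/Sep/2016 10:49:28 -0700] conf ERROR No available
Impalad to send queries to.
QueryServerException: Bad status for request
TOpenSessionReq(username='hue', password=None, client_protocol=6,
configuration={'idle_session_timeout': '43200', 'impala.doas.user':
u'phil.rhodes'}):
TOpenSessionResp(status=TStatus(errorCode=None, errorMessage="User
'dp-admin' is not authorized to delegate to 'phil.rhodes'. User
delegation is disabled.\\n", sqlState='HY000', statusCode=3))
"""

REQ_USER = re.compile(r"TOpenSessionReq\(username='([^']*)'")
DOAS_USER = re.compile(r"'impala\.doas\.user':\s*u?'([^']*)'")
DENIED = re.compile(
    r"User '([^']*)' is not authorized to delegate to '([^']*)'\."
    r"\s*(User delegation is disabled)?"
)

def find_delegation_failures(log_text):
    """Return one dict per delegation denial found in log_text."""
    flat = " ".join(log_text.split())  # undo hard wrapping
    findings = []
    for m in DENIED.finditer(flat):
        # The request that triggered this response is the last one logged before it.
        before = flat[:m.start()]
        start = before.rfind("TOpenSessionReq(")
        req = before[start:] if start != -1 else ""
        sent = REQ_USER.search(req)
        doas = DOAS_USER.search(req)
        session_user = sent.group(1) if sent else None
        findings.append({
            "session_username": session_user,              # username field Hue sent
            "doas_user": doas.group(1) if doas else None,  # user Hue asked to act as
            "proxy_user": m.group(1),                      # user Impala says is delegating
            "target_user": m.group(2),
            "delegation_disabled": m.group(3) is not None,
            "identity_mismatch": session_user != m.group(1),
        })
    return findings

if __name__ == "__main__":
    for finding in find_delegation_failures(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the session username is hue while Impala names dp-admin as the delegating user, so identity_mismatch is True alongside delegation_disabled.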