My goal is to enable Sentry on HUE only, to protect some databases via Hive and Impala.
But both the Impala and Hive CLIs should not be impacted.
CLI tools are isolated to an edge node and can only be directly accessed via SSH sessions by a select set of users.
LDAP and Kerberos are not enabled on HUE (maybe later?).
Versions:
Cloudera Express 5.4.7
Hue™ 3.7.0
Sentry installed correctly and running on the same server as HUE
Hive and Impala do NOT have Sentry enabled
Admin groups and allowed connecting users:
hive, impala, hue, hdfs and 1 custom service account (required to run batch jobs)
/user/hive/warehouse owned by custom service account :hive
or owned by impala:hive (does it have to be hive:hive?)
all other settings are default
HUE is configured through CM
Sentry service checked - no snippet invoked
Authentication Backend = desktop.auth.backend.AllowFirstUserDjangoBackend
create_users_on_login checked
no LDAP settings, not kerberized
Synced user and now have the Hue user, and promoted the account to be admin.
When I try to add a policy I get the following:
Sentry Log
2017-03-29 17:37:25,030 ERROR org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor: Access denied to Hue
org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to Hue
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.list_sentry_roles_by_group(SentryPolicyStoreProcessor.java:450)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:953)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:938)
    at sentry.org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
    at sentry.org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
    at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:48)
    at sentry.org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
    at sentry.org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
2017-03-29 17:38:56,565 ERROR org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor: Access denied to Hue
org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to Hue
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.authorize(SentryPolicyStoreProcessor.java:205)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.create_sentry_role(SentryPolicyStoreProcessor.java:215)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$create_sentry_role.getResult(SentryPolicyService.java:833)
    at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$create_sentry_role.getResult(SentryPolicyService.java:818)
    at sentry.org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
    at sentry.org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
    at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:48)
    at sentry.org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
    at sentry.org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
HUE Error log
ERROR could not retrieve roles
[29/Mar/2017 10:38:56 -0700] hive ERROR could not create role
Traceback (most recent call last):
  File "/opt/cloudera/parcels/CDH-5.4.10-1.cdh5.4.10.p0.16/lib/hue/apps/security/src/security/api/hive.py", line 156, in create_role
    api.create_sentry_role(role['name'])
  File "/opt/cloudera/parcels/CDH-5.4.10-1.cdh5.4.10.p0.16/lib/hue/desktop/libs/libsentry/src/libsentry/api.py", line 49, in decorator
    raise e
SentryException: Access denied to Hue