Hue with kerberos enabled cannot talk to sentry server

[Shenggu Lu]

Hi all,

I'm trying to use Hue on my cluster with kerberos and sentry. Basically I followed the steps describe here: http://www.cloudera.com/documentation/archive/cdh/4-x/4-4-0/CDH4-Security-Guide/cdh4sg_topic_5_1.html and add the profiles of sentry server to the [sentry] section in hue's config. I also installed the missing package "cyrus-sasl-gssapi" and started the sentry server in the end.

I am able to use the shell of hive, hbase on the cluster directly and other service on my cluster that using sentry&kerberos works fine. But when I'm trying to access the services(hive in this case) on the cluster through hue, it threw the error of 

           "Thrift exception; retrying: Could not start SASL: Error in sasl_client_start (-1) SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Credentials cache file '/tmp/hue_krb5_ccache' not found)"

I could not figure out how to generate this kerberos cache file. So I tried to do  `kinit -kt hue.service.keytab hue/principal ` under root to generate a cache file using Hue's principal and then cp the cache file to /tmp/hue_krb5_cache and set the permission of file to the user that starts the hue server.

In this way, hue gives the same error but the minor code changes to something like `server principal *** not found in kerberos database`. And I had no idea where to add this. Or there should be some configs that I missed so I did not have the cache file?

Any ideas on what's wrong with my cluster? Thanks a lot for the help!