Hi Anurag,

If this is Active Directory, then try setting the config property hive.server2.authentication.ldap.Domain to your LDAP domain (a.b). Then you can log in with the short userid atangri.

Are you using LDAP group mapping in Hadoop as well?

thanks
Prasad

On Thu, Jun 5, 2014 at 7:43 AM, Anurag <[email protected]> wrote:

>
> Any response anyone?
>
> Sent from my iPhone
>
> On Jun 4, 2014, at 3:20 PM, Anurag Tangri <[email protected]> wrote:
> >
> > + sentry mailing list
> >
> >> On Wed, Jun 4, 2014 at 12:27 AM, Anurag Tangri <[email protected]> wrote:
> >> So, I am working on setting this up.
> >>
> >> I have HDFS integrated with LDAP and working fine.
> >>
> >> I also added ldap params in hive-site along with sentry conf:
> >>
> >> ====
> >> <property>
> >>   <name>hive.server2.authentication</name>
> >>   <value>LDAP</value>
> >> </property>
> >> <property>
> >>   <name>hive.server2.authentication.ldap.url</name>
> >>   <value>ldap://<ip></value>
> >> </property>
> >>
> >> <property>
> >>   <name>hive.server2.authentication.ldap.baseDN</name>
> >>   <value>dc=a,dc=b</value>
> >> </property>
> >>
> >> ======
> >>
> >> Now when I go to beeline, I type:
> >>
> >> /usr/local/lib/hive/bin/beeline -u jdbc:hive2://<host>:10000
> >> Beeline version 0.10.0-cdh4.6.0 by Apache Hive
> >> 0: jdbc:hive2://<host>:10000> !connect jdbc:hive2://<host>:10000
> >>
> >> It asks for username and password.
> >> I give LDAP credentials as:
> >>
> >> Connecting to jdbc:hive2://<host>:10000
> >> Enter username for jdbc:hive2://<host>:10000: [email protected]
> >> Enter password for jdbc:hive2://<host>:10000: **********
> >> Error: Invalid URL: jdbc:hive2://<host>:10000 (state=08S01,code=0)
> >> 1: jdbc:hive2://<host>:10000>
> >>
> >> Now if I type hive queries, I see an error in the hive log:
> >>
> >> 2014-06-04 07:15:13,211 WARN file.HadoopGroupMappingService (HadoopGroupMappingService.java:getGroups(42)) - Unable to obtain groups for [email protected]
> >> java.io.IOException: No groups found for user [email protected]
> >>     at org.apache.hadoop.security.Groups.getGroups(Groups.java:105)
> >>     at org.apache.sentry.provider.file.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:40)
> >>     at org.apache.sentry.provider.file.ResourceAuthorizationProvider.doHasAccess(ResourceAuthorizationProvider.java:98)
> >>     at org.apache.sentry.provider.file.ResourceAuthorizationProvider.hasAccess(ResourceAuthorizationProvider.java:93)
> >>     at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:179)
> >>     at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowTables(HiveAuthzBindingHook.java:561)
> >>     at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postDriverFetch(HiveAuthzBindingHook.java:634)
> >>     at org.apache.hadoop.hive.ql.Driver.fireFilterHooks(Driver.java:1455)
> >>     at org.apache.hadoop.hive.ql.Driver.getResults(Driver.java:1475)
> >>     at org.apache.hive.service.cli.operation.SQLOperation.getNextRowSet(SQLOperation.java:200)
> >>     at org.apache.hive.service.cli.operation.OperationManager.getOperationNextRowSet(OperationManager.java:179)
> >>     at org.apache.hive.service.cli.session.HiveSessionImpl.fetchResults(HiveSessionImpl.java:468)
> >>     at org.apache.hive.service.cli.CLIService.fetchResults(CLIService.java:318)
> >>     at org.apache.hive.service.cli.thrift.ThriftCLIService.FetchResults(ThriftCLIService.java:398)
> >>     at org.apache.hive.service.cli.thrift.TCLIService$Processor$FetchResults.getResult(TCLIService.java:1613)
> >>     at org.apache.hive.service.cli.thrift.TCLIService$Processor$FetchResults.getResult(TCLIService.java:1598)
> >>     at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
> >>     at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
> >>     at org.apache.hive.service.cli.thrift.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:38)
> >>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)
> >>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >>     at java.lang.Thread.run(Thread.java:722)
> >> =======
> >>
> >> I think the issue is my account on LDAP is atangri, not [email protected].
> >>
> >> Any thoughts on how to fix this?
> >>
> >> Thanks,
> >> Anurag Tangri
> >>
> >> =====
> >> 2014-06-04 07:15:13,211 WARN file.HadoopGroupMappingService (HadoopGroupMappingService.java:getGroups(42)) - Unable to obtain groups for [email protected]
> >> java.io.IOException: No groups found for user [email protected]
> >>
> >>> On Tue, Jun 3, 2014 at 12:49 PM, Anurag <[email protected]> wrote:
> >>> Thanks Philippe!
> >>>
> >>> This answers almost all of my questions.
> >>>
> >>> Thanks,
> >>> Anurag Tangri
> >>>
> >>>> On Jun 3, 2014, at 12:08 PM, Philippe Marseille <[email protected]> wrote:
> >>>>
> >>>> I think the Hive CLI (Command line interface tool) is now deprecated. See http://blog.cloudera.com/blog/2014/02/migrating-from-hive-cli-to-beeline-a-primer/
> >>>>
> >>>> The metastore has nothing to do with it. The Metastore Daemon is used by all clients.
> >>>>
> >>>> The new flow is:
> >>>>
> >>>> Beeline -> HiveServer2 -> Metastore Daemon -> Metastore Database (MySql for example).
> >>>>
> >>>> The previous flow was:
> >>>>
> >>>> Hive CLI (shell) -> Metastore Daemon -> Metastore Database
> >>>>
> >>>> And before the Metastore Daemon ever existed, it was:
> >>>>
> >>>> Hive CLI -> Metastore Database
> >>>>
> >>>>> On Tuesday, 3 June 2014 13:06:22 UTC-4, Anurag Tangri wrote:
> >>>>> Thanks Casey.
> >>>>>
> >>>>> This is going to be a big shift to ask all our users to go to beeline from hive.
> >>>>>
> >>>>> Is there no way to have consistency between what roles and policies are seen in HUE via hiveserver2 and hive metastore on hive shell?
> >>>>> Also, is there a reason why hive metastore was excluded from Sentry design?
> >>>>>
> >>>>> Thanks,
> >>>>> Anurag Tangri
> >>>>>
> >>>>>> On Tue, Jun 3, 2014 at 9:54 AM, Casey Brotherton <[email protected]> wrote:
> >>>>>> Hello Anurag,
> >>>>>>
> >>>>>> To use Sentry, as Johndee mentioned, you must use Hiveserver2. That means you will need to transition users from the hive command line to the beeline command line.
> >>>>>>
> >>>>>> This link has more information for CDH4.5
> >>>>>> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.5.0/CDH4-Security-Guide/cdh4sg_Sentry.html
> >>>>>>
> >>>>>> There is a link to "Securing the Hive Metastore" which suggests to limit connections using iptables, and granting of permissions.
> >>>>>>
> >>>>>> Hope this helps,
> >>>>>> Casey
> >>>>>>
> >>>>>>> On Tue, Jun 3, 2014 at 11:45 AM, Anurag Tangri <[email protected]> wrote:
> >>>>>>> Hey Philippe,
> >>>>>>> No, HUE should be fine as per Johndee's explanation as it can be pointed to hiveserver2.
> >>>>>>>
> >>>>>>> By metastore, I mean mysql database that hosts hive metadata.
> >>>>>>>
> >>>>>>> This is the database that people go against when they log in to hive shell for a hadoop client box.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Anurag Tangri
> >>>>>>>
> >>>>>>>> On Tue, Jun 3, 2014 at 8:11 AM, Philippe Marseille <[email protected]> wrote:
> >>>>>>>> By "Hive Metastore", are you referring to the app in Hue?
> >>>>>>>>
> >>>>>>>>> On Tuesday, 3 June 2014 00:32:53 UTC-4, Anurag Tangri wrote:
> >>>>>>>>> Thanks Johndee.
> >>>>>>>>>
> >>>>>>>>> Can you point to some documentation on hive group and rejecting requests from metastore?
> >>>>>>>>>
> >>>>>>>>> Hiveserver2 is mainly for jdbc interface, hue etc.
> >>>>>>>>>
> >>>>>>>>> For people going via hive metastore, we will need to enforce same set of roles and policies as via hiveserver2.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>> Anurag Tangri
> >>>>>>>>>
> >>>>>>>>>> On Jun 2, 2014, at 7:57 PM, Johndee Cloudera <[email protected]> wrote:
> >>>>>>>>>>
> >>>>>>>>>> When it comes to hive and sentry you need at least Hive Server 2. Hive Server 2 is what actually runs the Sentry daemon. The Hive Metastore Server handles metadata requests, and in the setup guide is configured to reject all connections from users not in the hive group typically.
> >>>>>>>>>>
> >>>>>>>>>>> On Mon, Jun 2, 2014 at 10:15 PM, Anurag Tangri <[email protected]> wrote:
> >>>>>>>>>>> Hi all,
> >>>>>>>>>>> From what I read everywhere, sentry is to be used in conjunction with hiveserver2.
> >>>>>>>>>>>
> >>>>>>>>>>> Is it true that it can be used with hive metastore? If yes, any links explaining how to do so would be great.
> >>>>>>>>>>>
> >>>>>>>>>>> Thanks,
> >>>>>>>>>>> Anurag Tangri
> >>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>>
> >>>>>>>>>>> ---
> >>>>>>>>>>> You received this message because you are subscribed to the Google Groups "CDH Users" group.
> >>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> >>>>>>>>>>>
> >>>>>>>>>>> For more options, visit https://groups.google.com/a/cloudera.org/d/optout.
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> - JRB
> >>>>>>
> >>>>>> --
> >>>>>> Casey J. Brotherton
> >>>>>> Customer Operations Engineer
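
Added example (not part of the original thread, and not Hive or Sentry code): a small Python check over a hive-site.xml that flags the situation discussed above, where LDAP authentication is enabled without hive.server2.authentication.ldap.Domain and the user logs in with a user@domain name that the group lookup then fails on. The sample file contents, the LDAP host placeholder, the login name atangri@a.b and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AUTH_KEY = "hive.server2.authentication"
DOMAIN_KEY = "hive.server2.authentication.ldap.Domain"

# Constructed hive-site.xml mirroring the properties quoted in the thread;
# the LDAP host is a placeholder, the thread only shows <ip>.
BEFORE = """<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
  <property><name>hive.server2.authentication.ldap.url</name><value>ldap://ldap.example.invalid</value></property>
  <property><name>hive.server2.authentication.ldap.baseDN</name><value>dc=a,dc=b</value></property>
</configuration>"""

# Same file with the property suggested in the reply added (domain a.b).
AFTER = BEFORE.replace(
    "</configuration>",
    "  <property><name>%s</name><value>a.b</value></property>\n</configuration>" % DOMAIN_KEY,
)


def load_props(xml_text):
    """Parse Hadoop-style <property><name/><value/></property> into a dict."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_login(props, typed_user):
    """Return findings for a login name typed at the beeline prompt."""
    if props.get(AUTH_KEY, "").upper() != "LDAP":
        return []  # only LDAP authentication is checked here
    findings = []
    if not props.get(DOMAIN_KEY):
        findings.append(DOMAIN_KEY + " is not set")
    if "@" in typed_user:
        # The thread's log shows the group lookup running on the name as typed.
        findings.append("group lookup will be keyed on '%s', not the short id '%s'"
                        % (typed_user, typed_user.split("@", 1)[0]))
    return findings


if __name__ == "__main__":
    for label, xml_text, user in (("before", BEFORE, "atangri@a.b"),
                                  ("after", AFTER, "atangri")):
        print(label, user, check_login(load_props(xml_text), user) or "ok")
```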
