That's correct Prasad. Let me try this and see if it works.
Thanks,
Anurag Tangri

On Thu, Jun 5, 2014 at 10:35 AM, Prasad Mujumdar <[email protected]> wrote:

> Hi Anurag,
>
> If this is active directory, then try setting a config property
> hive.server2.authentication.ldap.Domain to your LDAP domain (a.b). Then you
> can login with the short userid atangri.
> Are you using LDAP group mapping in Hadoop as well ?
>
> thanks
> Prasad
>
> On Thu, Jun 5, 2014 at 7:43 AM, Anurag <[email protected]> wrote:
>
>> Any response anyone?
>>
>> Sent from my iPhone
>>
>> > On Jun 4, 2014, at 3:20 PM, Anurag Tangri <[email protected]> wrote:
>> >
>> > + sentry mailing list
>> >
>> >> On Wed, Jun 4, 2014 at 12:27 AM, Anurag Tangri <[email protected]> wrote:
>> >> So, I am working on setting this up.
>> >>
>> >> I have HDFS integrated with LDAP and working fine.
>> >>
>> >> I also added ldap params in hive-site along with sentry conf :
>> >>
>> >> ====
>> >> <property>
>> >>   <name>hive.server2.authentication</name>
>> >>   <value>LDAP</value>
>> >> </property>
>> >> <property>
>> >>   <name>hive.server2.authentication.ldap.url</name>
>> >>   <value>ldap://<ip></value>
>> >> </property>
>> >>
>> >> <property>
>> >>   <name>hive.server2.authentication.ldap.baseDN</name>
>> >>   <value>dc=a,dc=b</value>
>> >> </property>
>> >>
>> >> ======
>> >>
>> >> Now when I go to beeline, I type:
>> >>
>> >> /usr/local/lib/hive/bin/beeline -u jdbc:hive2://<host>:10000
>> >> Beeline version 0.10.0-cdh4.6.0 by Apache Hive
>> >> 0: jdbc:hive2://<host>:10000> !connect jdbc:hive2://<host>:10000
>> >>
>> >> It asks for username and password. I give LDAP credentials as:
>> >>
>> >> Connecting to jdbc:hive2://<host>:10000
>> >> Enter username for jdbc:hive2://<host>:10000: [email protected]
>> >> Enter password for jdbc:hive2://<host>:10000: **********
>> >> Error: Invalid URL: jdbc:hive2://<host>:10000 (state=08S01,code=0)
>> >> 1: jdbc:hive2://<host>:10000>
>> >>
>> >> Now if I type, hive queries, i see error in hive log:
>> >>
>> >> 2014-06-04 07:15:13,211 WARN file.HadoopGroupMappingService (HadoopGroupMappingService.java:getGroups(42)) - Unable to obtain groups for [email protected]
>> >> java.io.IOException: No groups found for user [email protected]
>> >>     at org.apache.hadoop.security.Groups.getGroups(Groups.java:105)
>> >>     at org.apache.sentry.provider.file.HadoopGroupMappingService.getGroups(HadoopGroupMappingService.java:40)
>> >>     at org.apache.sentry.provider.file.ResourceAuthorizationProvider.doHasAccess(ResourceAuthorizationProvider.java:98)
>> >>     at org.apache.sentry.provider.file.ResourceAuthorizationProvider.hasAccess(ResourceAuthorizationProvider.java:93)
>> >>     at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:179)
>> >>     at org.apache.sentry.binding.hive.HiveAuthzBindingHook.filterShowTables(HiveAuthzBindingHook.java:561)
>> >>     at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postDriverFetch(HiveAuthzBindingHook.java:634)
>> >>     at org.apache.hadoop.hive.ql.Driver.fireFilterHooks(Driver.java:1455)
>> >>     at org.apache.hadoop.hive.ql.Driver.getResults(Driver.java:1475)
>> >>     at org.apache.hive.service.cli.operation.SQLOperation.getNextRowSet(SQLOperation.java:200)
>> >>     at org.apache.hive.service.cli.operation.OperationManager.getOperationNextRowSet(OperationManager.java:179)
>> >>     at org.apache.hive.service.cli.session.HiveSessionImpl.fetchResults(HiveSessionImpl.java:468)
>> >>     at org.apache.hive.service.cli.CLIService.fetchResults(CLIService.java:318)
>> >>     at org.apache.hive.service.cli.thrift.ThriftCLIService.FetchResults(ThriftCLIService.java:398)
>> >>     at org.apache.hive.service.cli.thrift.TCLIService$Processor$FetchResults.getResult(TCLIService.java:1613)
>> >>     at org.apache.hive.service.cli.thrift.TCLIService$Processor$FetchResults.getResult(TCLIService.java:1598)
>> >>     at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
>> >>     at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
>> >>     at org.apache.hive.service.cli.thrift.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:38)
>> >>     at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)
>> >>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> >>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> >>     at java.lang.Thread.run(Thread.java:722)
>> >> =======
>> >>
>> >> I think the issue is my account on LDAP is atangri, not [email protected].
>> >>
>> >> Any thoughts on how to fix this ?
>> >>
>> >> Thanks,
>> >> Anurag Tangri
>> >>
>> >> =====
>> >> 2014-06-04 07:15:13,211 WARN file.HadoopGroupMappingService (HadoopGroupMappingService.java:getGroups(42)) - Unable to obtain groups for [email protected]
>> >> java.io.IOException: No groups found for user [email protected]
>> >>
>> >>> On Tue, Jun 3, 2014 at 12:49 PM, Anurag <[email protected]> wrote:
>> >>> Thanks Philippe!
>> >>>
>> >>> This answers almost all of my questions.
>> >>>
>> >>> Thanks,
>> >>> Anurag Tangri
>> >>>
>> >>>> On Jun 3, 2014, at 12:08 PM, Philippe Marseille <[email protected]> wrote:
>> >>>>
>> >>>> I think the Hive CLI (Command line interface tool) is now deprecated. see http://blog.cloudera.com/blog/2014/02/migrating-from-hive-cli-to-beeline-a-primer/
>> >>>>
>> >>>> The metastore has nothing to do with it. The Metastore Daemon is used by all clients.
>> >>>>
>> >>>> The new flow is :
>> >>>>
>> >>>> Beeline -> HiveServer2 -> Metastore Daemon -> Metastore Database (MySql for example).
>> >>>>
>> >>>> The previous flow was :
>> >>>>
>> >>>> Hive CLI (shell ) -> Metastore Daemon -> Metastore Database
>> >>>>
>> >>>> And before the Metastore Daemon ever existed, it was :
>> >>>>
>> >>>> Hive CLI -> Metastore Database
>> >>>>
>> >>>>> On Tuesday, 3 June 2014 13:06:22 UTC-4, Anurag Tangri wrote:
>> >>>>> Thanks Casey.
>> >>>>>
>> >>>>> This is going to be big shift to ask all our users to go to beeline from hive.
>> >>>>>
>> >>>>> Is there no way to have consistency between what roles and policies are seen in HUE via hiveserver2 and hive metastore on hive shell ?
>> >>>>> Also, is there a reason why hive metastore was excluded from Sentry design ?
>> >>>>>
>> >>>>> Thanks,
>> >>>>> Anurag Tangri
>> >>>>>
>> >>>>>> On Tue, Jun 3, 2014 at 9:54 AM, Casey Brotherton <[email protected]> wrote:
>> >>>>>> Hello Anurag,
>> >>>>>>
>> >>>>>> To use Sentry, as Johndee mentioned, you must use Hiveserver2. That means you will need to transition users from the hive command line to the beeline command line.
>> >>>>>>
>> >>>>>> This link has more information for CDH4.5
>> >>>>>> http://www.cloudera.com/content/cloudera-content/cloudera-docs/CDH4/4.5.0/CDH4-Security-Guide/cdh4sg_Sentry.html
>> >>>>>>
>> >>>>>> There is a link to "Securing the Hive Metastore" which suggests to limit connections using iptables, and granting of permissions.
>> >>>>>>
>> >>>>>> Hope this helps,
>> >>>>>> Casey
>> >>>>>>
>> >>>>>>> On Tue, Jun 3, 2014 at 11:45 AM, Anurag Tangri <[email protected]> wrote:
>> >>>>>>> Hey Philippe,
>> >>>>>>> No, HUE should be fine as per Johndee's explanation as it can be pointed to hiveserver2.
>> >>>>>>>
>> >>>>>>> By metastore, I mean mysql database that hosts hive metadata.
>> >>>>>>>
>> >>>>>>> This is the database that people go against when they login to hive shell for a hadoop client box.
>> >>>>>>>
>> >>>>>>> Thanks,
>> >>>>>>> Anurag Tangri
>> >>>>>>>
>> >>>>>>>> On Tue, Jun 3, 2014 at 8:11 AM, Philippe Marseille <[email protected]> wrote:
>> >>>>>>>> By "Hive Metastore", are you referring to the app in Hue?
>> >>>>>>>>
>> >>>>>>>>> On Tuesday, 3 June 2014 00:32:53 UTC-4, Anurag Tangri wrote:
>> >>>>>>>>> Thanks Johndee.
>> >>>>>>>>>
>> >>>>>>>>> Can you point to some documentation on hive group and rejecting requests from metastore ?
>> >>>>>>>>>
>> >>>>>>>>> Hiveserver2 is mainly for jdbc interface, hue etc.
>> >>>>>>>>>
>> >>>>>>>>> For people going via hive metastore, we will need to enforce same set of roles and policies as via hiveserver2.
>> >>>>>>>>>
>> >>>>>>>>> Thanks,
>> >>>>>>>>> Anurag Tangri
>> >>>>>>>>>
>> >>>>>>>>>> On Jun 2, 2014, at 7:57 PM, Johndee Cloudera <[email protected]> wrote:
>> >>>>>>>>>>
>> >>>>>>>>>> When it comes to hive and sentry you need at least Hive Server 2. Hive Server 2 is what actually runs the Sentry daemon. The Hive Metastore Server handles metadata requests, and in the setup guide is configured to reject all connections from users not in the hive group typically.
>> >>>>>>>>>>
>> >>>>>>>>>>> On Mon, Jun 2, 2014 at 10:15 PM, Anurag Tangri <[email protected]> wrote:
>> >>>>>>>>>>> Hi all,
>> >>>>>>>>>>> From what I read everywhere, sentry is to be used in conjunction with hiveserver2.
>> >>>>>>>>>>>
>> >>>>>>>>>>> Is it true that it can be used with hive metastore ? If yes, Any links explaining how to do so would be great.
>> >>>>>>>>>>>
>> >>>>>>>>>>> Thanks,
>> >>>>>>>>>>> Anurag Tangri
>> >>>>>>>>>>>
>> >>>>>>>>>>> --
>> >>>>>>>>>>>
>> >>>>>>>>>>> ---
>> >>>>>>>>>>> You received this message because you are subscribed to the Google Groups "CDH Users" group.
>> >>>>>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> >>>>>>>>>>>
>> >>>>>>>>>>> For more options, visit https://groups.google.com/a/cloudera.org/d/optout.
>> >>>>>>>>>>
>> >>>>>>>>>> --
>> >>>>>>>>>> - JRB
>> >>>>>>
>> >>>>>> --
>> >>>>>> Casey J. Brotherton
>> >>>>>> Customer Operations Engineer
