I'm trying to get Hue working with Impala with impersonation
turned on, but it's not working as expected.   I am using
this version of Cloudera Manager
Cloudera Express 5.8.1 (#7 built by jenkins on 20160722-1141 git:
a0886a893750079a4dc7f902be22d6f6e63b85a1)

and CDH 5.8.0

In impalad_flags is this line:

-authorized_proxy_user_config='dp-admin=*'

which I thought would allow dp-admin to delete to any user.  But despite that
I keep getting this error in my Hue log:


[22/Sep/2016 12:51:20 -0700] conf         ERROR    No available
Impalad to send queries to.
Traceback (most recent call last):
  File 
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/impala/src/impala/conf.py",
line 186, in config_validator
    server.get_databases()
  File 
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/dbms.py",
line 149, in get_databases
    databases = self.client.get_databases(schemaName=database_names)
  File 
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 1117, in get_databases
    return [table[col] for table in self._client.get_databases(schemaName)]
  File 
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 660, in get_databases
    res = self.call(self._client.GetSchemas, req)
  File 
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 630, in call
    session = self.open_session(self.user)
  File 
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 590, in open_session
    raise QueryServerException(Exception('Bad status for request
%s:\n%s' % (req, res)), message=message)
QueryServerException: Bad status for request
TOpenSessionReq(username='hue', password=None, client_protocol=6,
configuration={'idle_session_timeout': '43200', 'impala.doas.user':
u'phil.rhodes'}):
TOpenSessionResp(status=TStatus(errorCode=None, errorMessage="User
'dp-admin' is not authorized to delegate to 'phil.rhodes'.\n",
sqlState='HY000', infoMessages=None, statusCode=3),
sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x90\xdb\xb2\xfa\xe9\xd8A\x94\xbasy\x13\xee\xdbH\xd9',
guid='\xa1\x0f\xf2z\xe01B\xe1\xb8M"\x99\xb3s\xde\x17')),
configuration=None, serverProtocolVersion=5)

[22/Sep/2016 12:51:20 -0700] thrift_util  DEBUG    Thrift call <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.OpenSession returned
in 16ms: TOpenSessionResp(status=TStatus(errorCode=None,
errorMessage="User 'dp-admin' is not authorized to delegate to
'phil.rhodes'.\n", sqlState='HY000', infoMessages=None, statusCode=3),
sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x90\xdb\xb2\xfa\xe9\xd8A\x94\xbasy\x13\xee\xdbH\xd9',
guid='\xa1\x0f\xf2z\xe01B\xe1\xb8M"\x99\xb3s\xde\x17')),
configuration=None, serverProtocolVersion=5)

[22/Sep/2016 12:51:20 -0700] thrift_util  DEBUG    Thrift call: <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.OpenSession(args=(TOpenSessionReq(username='hue',
password=None, client_protocol=6,
configuration={'idle_session_timeout': '43200', 'impala.doas.user':
u'phil.rhodes'}),), kwargs={})

[22/Sep/2016 12:51:20 -0700] hive_server2_lib INFO     Opening impala
thrift session for user phil.rhodes

[22/Sep/2016 12:51:20 -0700] hive_server2_lib INFO     Retrying with a
new session because for phil.rhodes of
TGetSchemasResp(status=TStatus(errorCode=None, errorMessage='Invalid
session id\n', sqlState='HY000', infoMessages=None, statusCode=3),
operationHandle=TOperationHandle(hasResultSet=False,
modifiedRowCount=None, operationType=3,
operationId=THandleIdentifier(secret='', guid='')))

[22/Sep/2016 12:51:20 -0700] thrift_util  DEBUG    Thrift call <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.GetSchemas returned
in 11ms: TGetSchemasResp(status=TStatus(errorCode=None,
errorMessage='Invalid session id\n', sqlState='HY000',
infoMessages=None, statusCode=3),
operationHandle=TOperationHandle(hasResultSet=False,
modifiedRowCount=None, operationType=3,
operationId=THandleIdentifier(secret='', guid='')))

[22/Sep/2016 12:51:20 -0700] thrift_util  DEBUG    Thrift call: <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.GetSchemas(args=(TGetSchemasReq(schemaName=None,
sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x0e\xe8)\xca4\x96Aw\x8c*\x1b\x8e\xd9\x8a\x90\xb6',
guid='\x16\x17[\xd9-\xf2L\xcf\xacQm\xc2;#B\x0c')),
catalogName=None),), kwargs={})

[22/Sep/2016 12:51:20 -0700] hive_server2_lib INFO     impala:
use_sasl=True, mechanism=PLAIN, kerberos_principal_short_name=impala,
impersonation_enabled=True, auth_username=dp-admin

[22/Sep/2016 12:51:20 -0700] dbms         DEBUG    Query Server:
{'SESSION_TIMEOUT_S': 43200, 'QUERY_TIMEOUT_S': 600, 'server_name':
'impala', 'server_host': 'dp-lab-datanode-1.distil.us',
'querycache_rows': 50000, 'server_port': 21050, 'auth_password_used':
True, 'impersonation_enabled': True, 'auth_username': 'dp-admin',
'principal': 'impala/dp-lab-cdh-1.distil.us'}

[22/Sep/2016 12:51:20 -0700] dbms         DEBUG    Query Server:
{'SESSION_TIMEOUT_S': 43200, 'QUERY_TIMEOUT_S': 600, 'server_name':
'impala', 'server_host': 'dp-lab-datanode-1.distil.us',
'querycache_rows': 50000, 'server_port': 21050, 'auth_password_used':
True, 'impersonation_enabled': True, 'auth_username': 'dp-admin',
'principal': 'impala/dp-lab-cdh-1.distil.us'}

[22/Sep/2016 12:51:20 -0700] resource     DEBUG    GET Got response:
{"FileStatus":{"pathSuffix":"","type":"DIRECTORY","length":0,"owner":"hive","group":"hive","permission":"1777","accessTime":0,"modificationTime":1471548083385,"blockSize":0,"replication":0}}


This seems to suggest that Impala is not configured to allow
the dp-admin user to delegate to user 'phil.rhodes', but I have enabled
what I believe to be the correct option to enable that.


Any idea why this wouldn't work?


Thanks,


Phil

Reply via email to