I'm trying to get Hue working with Impala with impersonation
turned on, but it's not working as expected. I am using
this version of Cloudera Manager
Cloudera Express 5.8.1 (#7 built by jenkins on 20160722-1141 git:
a0886a893750079a4dc7f902be22d6f6e63b85a1)
and CDH 5.8.0
In impalad_flags is this line:
-authorized_proxy_user_config='dp-admin=*'
which I thought would allow dp-admin to delete to any user. But despite that
I keep getting this error in my Hue log:
[22/Sep/2016 12:51:20 -0700] conf ERROR No available
Impalad to send queries to.
Traceback (most recent call last):
File
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/impala/src/impala/conf.py",
line 186, in config_validator
server.get_databases()
File
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/dbms.py",
line 149, in get_databases
databases = self.client.get_databases(schemaName=database_names)
File
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 1117, in get_databases
return [table[col] for table in self._client.get_databases(schemaName)]
File
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 660, in get_databases
res = self.call(self._client.GetSchemas, req)
File
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 630, in call
session = self.open_session(self.user)
File
"/opt/cloudera/parcels/CDH-5.8.0-1.cdh5.8.0.p0.42/lib/hue/apps/beeswax/src/beeswax/server/hive_server2_lib.py",
line 590, in open_session
raise QueryServerException(Exception('Bad status for request
%s:\n%s' % (req, res)), message=message)
QueryServerException: Bad status for request
TOpenSessionReq(username='hue', password=None, client_protocol=6,
configuration={'idle_session_timeout': '43200', 'impala.doas.user':
u'phil.rhodes'}):
TOpenSessionResp(status=TStatus(errorCode=None, errorMessage="User
'dp-admin' is not authorized to delegate to 'phil.rhodes'.\n",
sqlState='HY000', infoMessages=None, statusCode=3),
sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x90\xdb\xb2\xfa\xe9\xd8A\x94\xbasy\x13\xee\xdbH\xd9',
guid='\xa1\x0f\xf2z\xe01B\xe1\xb8M"\x99\xb3s\xde\x17')),
configuration=None, serverProtocolVersion=5)
[22/Sep/2016 12:51:20 -0700] thrift_util DEBUG Thrift call <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.OpenSession returned
in 16ms: TOpenSessionResp(status=TStatus(errorCode=None,
errorMessage="User 'dp-admin' is not authorized to delegate to
'phil.rhodes'.\n", sqlState='HY000', infoMessages=None, statusCode=3),
sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x90\xdb\xb2\xfa\xe9\xd8A\x94\xbasy\x13\xee\xdbH\xd9',
guid='\xa1\x0f\xf2z\xe01B\xe1\xb8M"\x99\xb3s\xde\x17')),
configuration=None, serverProtocolVersion=5)
[22/Sep/2016 12:51:20 -0700] thrift_util DEBUG Thrift call: <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.OpenSession(args=(TOpenSessionReq(username='hue',
password=None, client_protocol=6,
configuration={'idle_session_timeout': '43200', 'impala.doas.user':
u'phil.rhodes'}),), kwargs={})
[22/Sep/2016 12:51:20 -0700] hive_server2_lib INFO Opening impala
thrift session for user phil.rhodes
[22/Sep/2016 12:51:20 -0700] hive_server2_lib INFO Retrying with a
new session because for phil.rhodes of
TGetSchemasResp(status=TStatus(errorCode=None, errorMessage='Invalid
session id\n', sqlState='HY000', infoMessages=None, statusCode=3),
operationHandle=TOperationHandle(hasResultSet=False,
modifiedRowCount=None, operationType=3,
operationId=THandleIdentifier(secret='', guid='')))
[22/Sep/2016 12:51:20 -0700] thrift_util DEBUG Thrift call <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.GetSchemas returned
in 11ms: TGetSchemasResp(status=TStatus(errorCode=None,
errorMessage='Invalid session id\n', sqlState='HY000',
infoMessages=None, statusCode=3),
operationHandle=TOperationHandle(hasResultSet=False,
modifiedRowCount=None, operationType=3,
operationId=THandleIdentifier(secret='', guid='')))
[22/Sep/2016 12:51:20 -0700] thrift_util DEBUG Thrift call: <class
'ImpalaService.ImpalaHiveServer2Service.Client'>.GetSchemas(args=(TGetSchemasReq(schemaName=None,
sessionHandle=TSessionHandle(sessionId=THandleIdentifier(secret='\x0e\xe8)\xca4\x96Aw\x8c*\x1b\x8e\xd9\x8a\x90\xb6',
guid='\x16\x17[\xd9-\xf2L\xcf\xacQm\xc2;#B\x0c')),
catalogName=None),), kwargs={})
[22/Sep/2016 12:51:20 -0700] hive_server2_lib INFO impala:
use_sasl=True, mechanism=PLAIN, kerberos_principal_short_name=impala,
impersonation_enabled=True, auth_username=dp-admin
[22/Sep/2016 12:51:20 -0700] dbms DEBUG Query Server:
{'SESSION_TIMEOUT_S': 43200, 'QUERY_TIMEOUT_S': 600, 'server_name':
'impala', 'server_host': 'dp-lab-datanode-1.distil.us',
'querycache_rows': 50000, 'server_port': 21050, 'auth_password_used':
True, 'impersonation_enabled': True, 'auth_username': 'dp-admin',
'principal': 'impala/dp-lab-cdh-1.distil.us'}
[22/Sep/2016 12:51:20 -0700] dbms DEBUG Query Server:
{'SESSION_TIMEOUT_S': 43200, 'QUERY_TIMEOUT_S': 600, 'server_name':
'impala', 'server_host': 'dp-lab-datanode-1.distil.us',
'querycache_rows': 50000, 'server_port': 21050, 'auth_password_used':
True, 'impersonation_enabled': True, 'auth_username': 'dp-admin',
'principal': 'impala/dp-lab-cdh-1.distil.us'}
[22/Sep/2016 12:51:20 -0700] resource DEBUG GET Got response:
{"FileStatus":{"pathSuffix":"","type":"DIRECTORY","length":0,"owner":"hive","group":"hive","permission":"1777","accessTime":0,"modificationTime":1471548083385,"blockSize":0,"replication":0}}
This seems to suggest that Impala is not configured to allow
the dp-admin user to delegate to user 'phil.rhodes', but I have enabled
what I believe to be the correct option to enable that.
Any idea why this wouldn't work?
Thanks,
Phil
