Sentry--Sentry无法授权的问题
发现问题
- 添加完Sentry,什么都配置好了,添加相应
hue用户
,把hue用户授权给hue组
,查看Sentry表
:
- 即,在
hue里面使用sentry,没有修改配置角色的权限
,很郁闷,通过官网的视频开看明明是有的!http://gethue.com/apache-sentry-made-easy-with-the-new-hue-security-app/
查找原因
- 修改后,去查看各种配置,修改各种权限,还是没有结果。全都设置为最大权限了,为啥还是不行,这里卡了很长的一段时间。发现忘了一件事情,没看日志。于是就看了看
日志
:点击角色-实例--然后Log Files,如下:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15Role: TListSentryRolesRequest(protocol_version:2, requestorUserName:hue, groupName:default) couldn't be retrieved.
org.apache.sentry.provider.db.SentryNoSuchObjectException: Group default
at org.apache.sentry.provider.db.service.persistent.SentryStore.getMSentryRolesByGroupName(SentryStore.java:1140)
at org.apache.sentry.provider.db.service.persistent.SentryStore.getTSentryRolesByGroupName(SentryStore.java:1170)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.list_sentry_roles_by_group(SentryPolicyStoreProcessor.java:567)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1017)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$list_sentry_roles_by_group.getResult(SentryPolicyService.java:1002)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
问题解决
Google了一下,发现了问题:https://groups.google.com/a/cloudera.org/forum/#!topic/hue-user/vNPeGDCysFQ
我复制过来,粘贴在下面:
The ‘default’ group is comes from Hue (https://github.com/cloudera/hue/blob/master/desktop/conf.dist/hue.ini#L1072), it is not a unix group so it won’t be understood by Sentry.
We improved the error message recently in https://github.com/cloudera/hue/commit/1c0e1e3f86330ac77cdb1b30db710767fd3b9d69 so it won’t show up. The current workaround is to not select this group.
Same with hive, if this is not a unix group Sentry won’t understand it.
As long as your admin users belong to one of sentry.service.admin.group in Hue they will have edit permissions in the Sentry UI
hue用户默认是“default”组,但是“default”它不是linux/unix组,所以Sentry就无法识别,然后在hue里面添加一个比如“root”组,然后把改组授权给相应用户就行了。
注 :
一般做Sentry权限管理的,使用一个超级管理员用户就可以了,用它来专门做权限。
上一篇:Sentry--通过Cloudera Manager配置Sentry
下一篇:SBT--Error during sbt execution: Error retrieving required libraries