
Cloudera Sentry with LDAP – Unable to add user as sentry admin

Background:

By default, the Sentry service has Hive, Hue and Impala as the Sentry admins. This is with respect to the property sentry.service.admin.group in CM. I want to add a user or group which has my user account, so that I can become the Sentry admin.

Current environment:

  1. Cloudera 5.4.7 with CM
  2. Postgres databases for CDH, Hive and Sentry.
  3. Sentry version 1.4

Question:

I have integrated OpenLDAP so that Beeline authentication can be done through LDAP user and password credentials. Before LDAP integration with HiveServer2, I used root as the Sentry admin (Beeline does not strictly check the password without LDAP), so I could execute commands like show roles; create roles; with root.

Now with LDAP integrated I cannot log in as root, since it does not have an entry on the LDAP server and adding it there is not an option, so I want to add a user called johndoe as the admin for Sentry so that he can create roles like root did.

Is this something that I need to set at the Postgres level, I mean by entering the Sentry database and GRANTing some privilege there?

What I have tried:

  1. I have tried all combinations of using local users in the property sentry.service.admin.group, adding local users to the hive group, using LDAP users, LDAP groups - Nothing!!!!

  2. I don't understand where it is going wrong. Or is it that Sentry only identifies Hive, Hue and Impala as the admins?

Any help would be greatly appreciated. Stuck on this for ten days now.

Thanks, Aditya