Background:
By default, the Sentry service has the users hive, hue and impala as the Sentry admins. This is w.r.t. the property sentry.service.admin.group on Cloudera Manager (CM). I want to add a user or group which has my user account, so that I can become the Sentry admin.
Current environment:
- Cloudera 5.4.7 with CM
- Postgres databases for CDH, Hive and Sentry
- Sentry version 1.4
 
Question:
I have integrated OpenLDAP so that Beeline authentication can be done through LDAP user and password credentials. Before LDAP integration to HiveServer2, I used root as the Sentry admin (Beeline does not strictly check for password without LDAP), so I could execute commands like show roles; and create roles; as root.
Now with LDAP integrated I cannot log in as root, since it does not have an entry on the LDAP server and adding it there is not an option, so I want to add a user called johndoe as the admin for Sentry so that he can create roles like how root did.
Is this something that I need to set at a Postgres level? I mean by entering the Sentry database and GRANT'ing some privilege there?
What have I tried so far:
I have tried all combinations of using local users in the property sentry.service.admin.group, adding local users to the hive group, using LDAP users, LDAP groups - Nothing! I don't understand where it is going wrong. Or is it that Sentry only identifies hive, hue and impala as the admins?
Any help would be greatly appreciated. Stuck on this for ten days now.