Known Issues in Hue in Cloudera Data Warehouse service on public clouds

DWX-4814: Impala query coordinator does not authorize Hue-Thrift connection
Problem: When you run a query in Hue, Hue forwards the query to the Impala query coordinator as the service user, which is admin. However, the admin user is not a part of the restricted group (cdp_hue) in the Virtual Warehouse. Moreover, the hue user does not exist in the default FreeIPA users. As a result, the Impala query coordinator does not authorize the Hue-Thrift connection, and you may see the following error message:
TSocket read 0 bytes (code THRIFTTRANSPORT): TTransportException(‘TSocket read 0 bytes’,)
Workaround: Add the admin user to the restricted group.
To add the admin user to the restricted group:
  1. Check the impalad-coordinator log by running the following command:
    kubectl logs coordinator-0 -c impalad-coordinator
    You may see an output as shown in the following example:
    I0717 19:55:05.979328   402 TAcceptQueueServer.cpp:340] New connection to server hiveserver2-frontend from client <Host: x.y.z.1 Port: 46596>
    ...
    ...
    E0717 19:55:05.988016   406 authentication.cc:160] SASL message (LDAP): Password verification failed
    I0717 19:55:05.988131   406 thrift-util.cc:96] TAcceptQueueServer: hiveserver2-frontend connection setup failed for client <Host: x.y.z.1 Port: 46596>.
    Caught TException: SASL(-13): user not found: Password verification failed
  2. SSH into the bastion host.
  3. SSH into the FreeIPA master host.
  4. Change user to “admin” by running the following command:
    kinit admin
  5. Specify a password for the admin user.
  6. Add the admin user to the cdp_hue group by running the following command:
    ipa group-add-member cdp_hue --users=admin
  7. Check whether you can query the Impala query coordinator without the error by viewing the impalad-coordinator logs:
    kubectl logs coordinator-0 -c impalad-coordinator
    If the operation is successful, then the impalad-coordinator log would look as shown in the following example:
    I0717 19:55:05.979328   402 TAcceptQueueServer.cpp:340] New connection to server hiveserver2-frontend from client <Host: x.y.z.1 Port: 46596>
    ...
    ...
    I0717 19:59:27.250118   404 authentication.cc:389] Successfully authenticated client user "admin"
    I0717 19:59:27.250178   404 TAcceptQueueServer.cpp:245] TAcceptQueueServer: hiveserver2-frontend finished connection setup for client <Host: x.y.z.1 Port: 46596>
DWX-4713: CDW service upgrade restarts Hive Virtual Warehouse and gets stuck in the starting state as Hue pods are stuck at init
Problem: If you have created a Hive Virtual Warehouse in the R3 release of CDW service (CDW version 1.1.1.0-173 or CDP version 7.1.1.0-364), then you will not be able to upgrade to the latest release (R7) because Hue is not supported to run in the Hive Virtual Warehouse (R3) when SAML is enabled. The health check feature that has been introduced in this release checks for the compatibility and will not allow the Hive Virtual Warehouse to start.
Workaround: You must recreate the Hive Virtual Warehouse in the current release (R7) and then use Hue with it.