diff --git a/pom.xml b/pom.xml
index 46f44ea..70ab604 100644
--- a/pom.xml
+++ b/pom.xml
@@ -4,7 +4,7 @@
tech.stackable
hdfs-utils
- 0.1.0
+ 0.1.1
Apache Hadoop HDFS utils
https://github.com/stackabletech/hdfs-utils/
diff --git a/src/main/java/tech/stackable/hadoop/OpaAllowQuery.java b/src/main/java/tech/stackable/hadoop/OpaAllowQuery.java
index 1c6737c..df170d6 100644
--- a/src/main/java/tech/stackable/hadoop/OpaAllowQuery.java
+++ b/src/main/java/tech/stackable/hadoop/OpaAllowQuery.java
@@ -1,6 +1,7 @@
package tech.stackable.hadoop;
import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
+import org.apache.hadoop.security.UserGroupInformation;
public class OpaAllowQuery {
public final OpaAllowQueryInput input;
@@ -9,9 +10,14 @@ public OpaAllowQuery(OpaAllowQueryInput input) {
this.input = input;
}
+ /**
+ * Wrapper around {@link INodeAttributeProvider.AuthorizationContext}, which uses our custom wrapper around
+ * {@link UserGroupInformation}, {@link OpaQueryUgi}.
+ */
public static class OpaAllowQueryInput {
public java.lang.String fsOwner;
public java.lang.String supergroup;
+ // Wrapping this
public OpaQueryUgi callerUgi;
public org.apache.hadoop.hdfs.server.namenode.INodeAttributes[] inodeAttrs;
public org.apache.hadoop.hdfs.server.namenode.INode[] inodes;
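Review bot: The added `// Wrapping this` comment above `callerUgi` does not say what is wrapped or why, and the same comment is repeated on the `realUser` field in OpaQueryUgi.java. This class appears to be the input serialized for the OPA authorization query, so a reader should be able to see which fields deliberately deviate from the Hadoop types. Something like `// OpaQueryUgi rather than UserGroupInformation, so serialization does not fail when the user has no primary group` would work in both places. The class body continues past the end of the hunk.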
diff --git a/src/main/java/tech/stackable/hadoop/OpaQueryUgi.java b/src/main/java/tech/stackable/hadoop/OpaQueryUgi.java
index a3e5c3b..84f3b0d 100644
--- a/src/main/java/tech/stackable/hadoop/OpaQueryUgi.java
+++ b/src/main/java/tech/stackable/hadoop/OpaQueryUgi.java
@@ -6,7 +6,8 @@
import java.util.List;
public class OpaQueryUgi {
- public UserGroupInformation realUser;
+ // Wrapping this
+ public OpaQueryUgi realUser;
public String userName;
public String shortUserName;
@@ -16,8 +17,18 @@ public class OpaQueryUgi {
public UserGroupInformation.AuthenticationMethod authenticationMethod;
public UserGroupInformation.AuthenticationMethod realAuthenticationMethod;
+ /**
+ * Wrapper around {@link UserGroupInformation}, which does not throw random errors during serialization when no primary
+ * group is known for the user.
+ * "Caused by: com.fasterxml.jackson.databind.JsonMappingException: Unexpected IOException (of type java.io.IOException): There is no primary group for UGI hive/hive-iceberg.default.svc.cluster.local@KNAB.COM (auth:KERBEROS)"
+ */
public OpaQueryUgi(UserGroupInformation ugi) {
- this.realUser = ugi.getRealUser();
+ UserGroupInformation realUser = ugi.getRealUser();
+ if (realUser != null) {
+ this.realUser = new OpaQueryUgi(ugi.getRealUser());
+ } else {
+ this.realUser = null;
+ }
this.userName = ugi.getUserName();
this.shortUserName = ugi.getShortUserName();
try {
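Review bot: The local `realUser` is null-checked, but `ugi.getRealUser()` is then called a second time to build the wrapper, and the local shadows the field of the same name. The branch can be written as `this.realUser = realUser != null ? new OpaQueryUgi(realUser) : null;`, ideally with the local renamed (e.g. `realUgi`). The new Javadoc describes the class but is attached to the constructor, and the quoted exception embeds what looks like a deployment-specific Kerberos principal and realm. I would move it to the class declaration and replace the principal with a placeholder such as `<principal>@<REALM>`. The constructor body continues past the end of the hunk, so how the primary-group failure is handled inside the `try` is not visible here.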