
Sentry No valid privileges Required privileges for this query

New Contributor

Hi,
I have an unsecured cluster (CDH 5.4) and as I want to provide access to data to more users, I would like to turn on Sentry, so far without Kerberos (which comes after the successful launch of Sentry).
As some other people might need Impala at the moment, I decided to set it up in Hive in the first stage.

Steps I have taken:
1) I have set up 2 users: hive and tuser
tuser - group test
hive - group hive, zookeeper

group test
indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access,
jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access,
search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access

group hive
beeswax.access

group hive has role admin (the first one with an unlocked lock):
SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL

group test has role neco
SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL

Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect.

2) I have turned on the sentry
- in Hive checked the Sentry Service from "none" to "Sentry"
- in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted <property> <name>sentry.hive.testing.mode</name><value>true</value></property>
+ restarted Sentry

Result:
User hive can access anything in Hive. That's what I was expecting.
User tuser can't access anything in Hive (Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;)

What am I missing?

1 ACCEPTED SOLUTION

New Contributor

Finally I was advised what was wrong: The Hue groups must be the same as the groups on the NameNode's Linux (as the HDFS org.apache.hadoop.security.ShellBasedUnixGroupsMapping is checked). In the case of Impala, all of the nodes with Impala Daemons have to have the same groups. However, I am going to take over the groups from LDAP (option org.apache.hadoop.security.LdapGroupsMapping).
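
The mismatch described in this answer, as an added example that is not part of the original post and is not Sentry's own code: a simplified Python model of the role grants from the question, evaluated once with the Hue group view and once with the groups the NameNode's OS resolves. The NameNode group memberships and the coverage rule in `grant_covers` are assumptions made for illustration.

```python
# Added example: simplified model of Sentry-style authorization, not Sentry's code.
ERROR = ("FAILED: SemanticException No valid privileges Required privileges "
         "for this query: Server=server1->Db=*->Table=+->action=insert;"
         "Server=server1->Db=*->Table=+->action=select;")

# Role grants from the question (the URI grant is omitted: its host is elided there).
ROLE_GRANTS = {
    "admin": [({"server": "server1"}, "ALL")],
    "neco": [({"server": "server1"}, "ALL"),
             ({"server": "server1", "db": "default"}, "ALL")],
}
GROUP_ROLES = {"hive": ["admin"], "test": ["neco"]}

# Two views of the same users. The NameNode view is constructed sample data.
HUE_GROUPS = {"hive": {"hive", "zookeeper"}, "tuser": {"test"}}
NAMENODE_OS_GROUPS = {"hive": {"hive"}, "tuser": {"tuser"}}


def parse_required(message):
    """Turn 'Server=..->Db=..->Table=..->action=..;' entries into dicts."""
    text = message.split("Required privileges for this query:", 1)[1]
    required = []
    for chunk in filter(None, (c.strip() for c in text.split(";"))):
        pairs = (part.split("=", 1) for part in chunk.split("->"))
        required.append({key.lower(): value for key, value in pairs})
    return required


def grant_covers(scope, action, req):
    """Assumed rule: every level the grant pins must equal the requirement."""
    if any(req.get(level) != value for level, value in scope.items()):
        return False
    return action == "ALL" or action.lower() == req["action"].lower()


def is_authorized(user, required, user_groups):
    """Resolve user -> groups -> roles -> grants, then check every requirement."""
    grants = [grant
              for group in user_groups.get(user, ())
              for role in GROUP_ROLES.get(group, ())
              for grant in ROLE_GRANTS[role]]
    return all(any(grant_covers(scope, action, req) for scope, action in grants)
               for req in required)


if __name__ == "__main__":
    needed = parse_required(ERROR)
    for view in ("HUE_GROUPS", "NAMENODE_OS_GROUPS"):
        print(view, is_authorized("tuser", needed, globals()[view]))
```

With the Hue view, tuser reaches role neco and its server-level grant covers both requirements; with the constructed NameNode view, tuser resolves to no group that holds a role, so the same grants never apply.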


8 REPLIES

New Contributor
Plus:
All in /user/hive/warehouse has owner and group hive + 777.
Moreover, I tried to add tuser into hive group, and added it into groups sentry.service.admin.group and sentry.service.allow.connect, and sentry.metastore.service.users, but the result is the same.

Community Manager

@Petr Thanks for sharing the solution in case it can be of assistance to others. 🙂


Cy Jervis, Manager, Community Program

Explorer

Hi,

I'm trying to create a table as mentioned below. I have all the read/write/execute permissions for the mentioned users.

CREATE EXTERNAL TABLE stage_rtra_transaction_ext_1(
attemptid string,
trns_sur_key string,
sender_gi string,
payee_gi string,
success_flag string,
atch_que_name string,
transactionstate string,
pay_mtcn_nr string,
swb_zone string,
swb_zone_pay string,
que_name string,
moneyordertype string,
trns_ts string,
ext_seq_no string,
field_name string,
field_value string)
PARTITIONED BY (
year int,
month int,
day int)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY '\u0001'
STORED AS RCFILE
LOCATION 'hdfs://nameservice1/compliance/compliancehadoop/data/stage/rtra/STAGE_RTRA_TRANSACTION_EXT/';

While running in beeline I'm getting the below error.

Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User compliance does not have privileges for CREATETABLE
The required privileges: Server=server1->URI=hdfs://nameservice1/compliance/compliancehadoop/data/stage/rtra/STAGE_RTRA_TRANSACTION_EXT->action=*; (state=42000,code=40000)

On removing the LOCATION line, the query works fine.

Please, can anyone help me sort this out?

Thanks,

Mjoy

Explorer

Can I have a resolution for this....

All permissions are perfect but still I am not able to create the external table as a specific user.

Contributor

Do you mind expanding on the answer a bit?

I have the same problem.

Is the group setting in CM, or on HDFS, or on the OS file system?

New Contributor

Hi,

I am not sure where to go for configuring roles as you have mentioned in your post.

In the Hue UI, I can see the interface for adding groups/permissions.

New Contributor

Hi,

I am not sure where to go for configuring roles. In the Hue UI, I can see the interface for adding groups/permissions but not roles. Please advise.

group hive has role admin (the first one with an unlocked lock):
SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL

group test has role neco
SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL