Explorer
Posts: 13
Registered: ‎09-25-2016

How to create a role admin user / privilege

Even though the user has ALL privileges with grant option set to true, the user cannot create/show roles.

How to create a role / assign the privilege to create/show roles to a user/group?

 

My setup: CDH 5.12, Impala with Sentry (service) enabled.

[myserver.com:21000] > version;

Shell version: Impala Shell v2.9.0-cdh5.12.0 (03c6ddb) built on Thu Jun 29 04:17:31 PDT 2017
Server version: impalad version 2.9.0-cdh5.12.0 RELEASE (build 03c6ddbdcec39238be4f5b14a300d5c4f576097e)

 

Roles and users set up

[myserver.com:21000] > show grant role admin;
Query: show grant role admin
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database | table | column | uri | privilege | grant_option | create_time                   |
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
| SERVER |          |       |        |     | ALL       | true         | Fri, Aug 11 2017 05:55:28.694 |
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.01s

[myserver.com:21000] > show current roles;
Query: show current roles
+--------------+
| role_name    |
+--------------+
| admin        |
+--------------+
Fetched 1 row(s) in 0.01s

 

Exception when the user tries to run show roles or create roles:

[myserver.com:21000] >show roles;
Query: show roles
ERROR: AuthorizationException: User 'sunil' does not have privileges to access the requested policy metadata or Sentry Service is unavailable.
Explorer
Posts: 13
Registered: ‎09-25-2016

Re: How to create a role admin user / privilege

We're blocked here. Is there a way to make any other users besides Impala, Hive role admin, i.e. grant access to show and create roles?

Champion
Posts: 463
Registered: ‎05-16-2016

Re: How to create a role admin user / privilege

1. Check the policy file.

2. Check if the user "sunil" is in the Impala group.

If nothing helps, to dig more, use the safety valve to enable the log4j root logger and share the logs if you can.

 

log4j.logger.org.apache.sentry=DEBUG

 

 

 

Explorer
Posts: 13
Registered: ‎09-25-2016

Re: How to create a role admin user / privilege

I'm using the Sentry service through Cloudera Manager. I just realized that I can add other users/groups to the Sentry config in Cloudera Manager and allow them to run Grant / Create role commands.
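The check behind the fix in the last post, as an added example (not code from the thread or from Cloudera): in the Sentry service, role administration such as CREATE ROLE and SHOW ROLES is gated by membership in a group listed in `sentry.service.admin.group`, independent of the privileges granted to the user's roles. The property name comes from Sentry's configuration rather than from the thread; the sample XML, the group `secadmins` and the group memberships are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in Hadoop configuration XML layout (sentry-site.xml).
# "secadmins" is a hypothetical group added next to the service groups.
SAMPLE_SENTRY_SITE = """<configuration>
  <property>
    <name>sentry.service.admin.group</name>
    <value>hive, impala,hue,secadmins</value>
  </property>
  <property>
    <name>sentry.service.allow.connect</name>
    <value>hive,impala,hue</value>
  </property>
</configuration>"""

ADMIN_GROUP_KEY = "sentry.service.admin.group"


def sentry_admin_groups(site_xml):
    """Return the set of groups listed in sentry.service.admin.group."""
    root = ET.fromstring(site_xml)
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == ADMIN_GROUP_KEY:
            value = prop.findtext("value") or ""
            return {g.strip() for g in value.split(",") if g.strip()}
    return set()  # property absent: no group is a role admin


def can_manage_roles(user_groups, site_xml):
    """Return the admin groups the user belongs to (empty set means denied).

    Assumption: user_groups are the groups as resolved for the Sentry server
    (with the default shell-based Hadoop group mapping, `id -Gn <user>` run
    on that host), not the groups seen on the client machine.
    """
    return set(user_groups) & sentry_admin_groups(site_xml)


if __name__ == "__main__":
    # Constructed memberships for the user named in the thread.
    for groups in (["sunil", "analysts"], ["sunil", "secadmins"]):
        matched = can_manage_roles(groups, SAMPLE_SENTRY_SITE)
        verdict = "allowed via %s" % sorted(matched) if matched else "denied"
        print(groups, "->", verdict)
```

Keeping this list short matters for least privilege: every member of a listed group can create roles and grant them to any group.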
