Granted permissions of tables to user but still table is not listing + Sentry

Hi All,

This post is regarding Sentry authorization.

I am able to create/grant/revoke roles now...

I would be thankful if you could help one last time.

I logged in as hive and granted a user permission to access tables, but when I log in as that user, those tables do not appear for that user.

Please refer to the scenario below:


> Logged on the machine from impadmin user

> Added user "impadmin" in "hadoop" group.

> Went to beeline client and passed below connection string

!connect jdbc:hive2://hadoopslave0.company.co.in:10000/default

Pass username = hive and password = *******

This hive user is an LDAP user

SET ROLE Manager;

> Created a new role named "developer" by using below command

CREATE ROLE developer;

> After that, granted this role to group hadoop

GRANT ROLE developer TO GROUP hadoop;

> Created two tables named newtable_1 and newtable_2 in the default DB and created one table named newtable_3 in a newly added DB kyvostestingdb


> GRANT SELECT ON DATABASE default TO ROLE developer;

As we have granted ROLE developer the SELECT privilege on DATABASE "default", all the groups belonging to this ROLE should have rights to view tables inside this DB and query them.


> Now exit from beeline client

> Went to beeline client and passed below connection string

!connect jdbc:hive2://hadoopslave0.company.co.in:10000/default

username :- impadmin

password :- ******

> SET ROLE developer;

> After that, executed the command SHOW TABLES;

No results come back after executing this command. This user belongs to ROLE developer, so all tables inside the default DB should appear.

Do you think I have done anything wrong?

I would be thankful if you could help this one last time.


Re: Granted permissions of tables to user but still table is not listing + Sentry

Do both of these assert the right values you've set?

SHOW CURRENT ROLES;
SHOW GRANT ROLE developer;

If yes, then the issue can likely be that HS2 and Sentry aren't really seeing the user 'impadmin' within the group 'hadoop'. On the HS2 and Sentry Service hosts, please check/pass the output of "id -Gn impadmin" Linux command.

Re: Granted permissions of tables to user but still table is not listing + Sentry

Hi Harsh J,

Thanks for the reply.

Before answering your questions, I want to make things clearer.

I have set Sentry User to Group Mapping Class to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider in the Hive service; that's why I have changed the group of user impadmin from hadoop to a local group named engineering.

Also, Hadoop User Group Mapping Implementation is set to org.apache.hadoop.security.ShellBasedUnixGroupsMapping in the HDFS service on our cluster.

Do you think any other setting will be required to use a local user group? As per my R&D these are the only ones.


SHOW CURRENT ROLES;
SHOW GRANT ROLE developer;

When running the above as the hive user, it gives proper results.

I have also run the "id -Gn impadmin" Linux command on the HS2 and Sentry Service hosts.

It gives the response below:

impadmin engineering

I added the user to the group using the command below:

usermod -G impadmin,engineering impadmin


Just to add more details:

Our Hive database name is metastore and the Sentry service database name is sentry. Both are MySQL.

I went to MySQL, ran use metastore and show tables, and I can see a table named ROLES.

When I query this table I see the results below:


+---------+-------------+------------+-----------+
| ROLE_ID | CREATE_TIME | OWNER_NAME | ROLE_NAME |
+---------+-------------+------------+-----------+
| 1 | 1431503404 | admin | admin |
| 2 | 1431503404 | public | public |
+---------+-------------+------------+-----------+

....

Do you think we need to add the role named developer to this table as well? Sorry, just asking; maybe it's illogical.



Re: Granted permissions of tables to user but still table is not listing + Sentry

Given you want 'engineering' group members to have access to a role 'developer', your grant should be:

GRANT ROLE developer TO GROUP engineering;

Not,

GRANT ROLE developer TO GROUP hadoop;

--

Or was this already done? The response is unclear about this.
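
The group-to-role resolution behind the answer above, as an added example that is not part of the original thread: it shows why a grant to group hadoop never reaches a user whose groups are "impadmin engineering". The function names are hypothetical, the inputs are constructed from values quoted in the thread, and group names are assumed to contain no spaces.

```sh
#!/bin/sh
# Added example (not from the thread). Sentry grants roles to GROUPS, so a user
# only receives a role if HiveServer2/Sentry resolve that user into a group the
# role was granted to. Inputs below are constructed from values in the thread.
# Assumption: group names contain no spaces (id -Gn separates names by spaces).

# effective_roles "<groups from id -Gn>" "<grants: one 'role group' per line>"
# Prints every role that reaches the user through one of their groups.
effective_roles() {
    printf '%s\n' "$2" | while read -r role group; do
        [ -n "$role" ] || continue
        case " $1 " in
            *" $group "*) printf '%s\n' "$role" ;;
        esac
    done | sort -u
}

# missed_grants: same inputs; prints 'role group' pairs that exist in Sentry
# but cannot apply because the user is not a member of that group.
missed_grants() {
    printf '%s\n' "$2" | while read -r role group; do
        [ -n "$role" ] || continue
        case " $1 " in
            *" $group "*) ;;
            *) printf '%s %s\n' "$role" "$group" ;;
        esac
    done
}

user_groups="impadmin engineering"      # what id -Gn impadmin returned
grants_before="developer hadoop"        # GRANT ROLE developer TO GROUP hadoop
grants_after="developer engineering"    # GRANT ROLE developer TO GROUP engineering

echo "before: roles=[$(effective_roles "$user_groups" "$grants_before")]" \
     "unreachable=[$(missed_grants "$user_groups" "$grants_before")]"
echo "after:  roles=[$(effective_roles "$user_groups" "$grants_after")]" \
     "unreachable=[$(missed_grants "$user_groups" "$grants_after")]"
```

On a live cluster the grant pairs can be collected per group with the Sentry statement SHOW ROLE GRANT GROUP <group>; and the group list must be the one seen on the HS2 and Sentry hosts, not on the client machine.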

Re: Granted permissions of tables to user but still table is not listing + Sentry

Thanks Harsh J,

My Sentry configuration is working fine now.

Thank you very much for all of your help.


Re: Granted permissions of tables to user but still table is not listing + Sentry

I have a similar problem where some AD group members are unable to access any objects in Hive. They lost all privileges, whereas some users in the same AD group are able to access the objects without any issues.

I do not understand where to start troubleshooting.

The "id -Gn <user_name>" results show the appropriate AD groups associated with the users. The problem exists with Hive/Sentry.

Please provide your suggestions.


Re: Granted permissions of tables to user but still table is not listing + Sentry

I created the maroof user on the operating system with group maroof. Then from the Hue browser I logged in as the impala user, which is the Sentry admin user. I created a role named "readonly" and granted SELECT privileges on the Hive database default. Now from the Hive CLI, when I log in as the maroof OS user, it allows me to select from tables in the Hive default database. I also created a user in the Hue browser with the same name maroof; when I select from the Hive default tables there, it throws an error:

"AuthorizationException: User 'maroof' does not have privileges to execute 'SELECT' on: default.test101 "

The same select works fine from the Hive CLI, but from the Hue browser it does not allow me to select. What could the issue be?

Your help is required on this, please.
