Contributor
Posts: 111
Registered: ‎10-15-2014

HUE created roles not applying to users in HUE

So after 5 days of following 

https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html

http://gethue.com/apache-sentry-made-easy-with-the-new-hue-security-app/#howto

 

testing out with policy files and not policy files, hdfs ownership, and finally after following http://www.yourtechchick.com/hadoop/no-databases-available-permissions-missing-error-hive-sentry/ I can create roles in HUE - I can see them, manage them and I see the Sentry logs updating something.

Admin users can see, query and work with everything. And error messages are no longer coming in on HUE; small victories.

 

After applying roles to groups to limit access to certain db (the only thing I needed Sentry to do) 

The users belonging to the limited set cannot see any database 

and hive is throwing the following 

 

 

 

2017-03-30 22:48:09,619 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
	at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:356)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:436)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:306)
	at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1120)
	at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1113)
	at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:99)
	at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:170)
	at org.apache.hive.service.cli.operation.Operation.run(Operation.java:257)
	at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:398)
	at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatement(HiveSessionImpl.java:379)
	at org.apache.hive.service.cli.CLIService.executeStatement(CLIService.java:245)
	at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:487)
	at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1313)
	at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1298)
	at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
	at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
	at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)
	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User vchetty does not have privileges for SWITCHDATABASE
	at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:320)
	at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(HiveAuthzBindingHook.java:540)
	at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:346)
	... 20 more

 

Technically my goal is to have sentry manage users in HUE on what they can see via Impala and BeesWax(hive) 

 

versions
Cloudera Express 5.4.7
Hue™ 3.7.0

Sentry installed correctly and running on same server as HUE

 

config

LDAP and Kerberos not enabled  

 

On Hive 

Hive sentry is enabled 

sentry-site.xml has <property><name>sentry.hive.testing.mode</name><value>true</value></property>

 

hive.server2.enable.impersonation, hive.server2.enable.doAs is off

 

On HUE 

Hue sentry is enabled

user_augmentor desktop.auth.backend.DefaultUserAugmentor

desktop.auth.backend.AllowFirstUserDjangoBackend

sentry-site.xml has <property><name>sentry.hive.testing.mode</name><value>true</value></property>

 

beeline CLI shows the roles and I can show a specific role on which databases it can use

the user is mapped to that specific role in HUE

 

Haven't tried any settings on Impala, I hope it just adopts hive settings once enabled

Any ideas on what I may be missing?

 

LDAP and Kerberos are not something I am willing to deal with at this time.

 

 

 

Contributor
Posts: 111
Registered: ‎10-15-2014

Re: HUE created roles not applying to users in HUE

Additional information

If at all possible, I would like to only use the users in HUE and not build the users on the local server or activate LDAP, unless absolutely required.
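
Added example (not part of the original posts, and not Cloudera or Sentry code): a small Python parser that pulls the denied user, the operation and the required privileges out of a HiveServer2 log like the one quoted in the first post, so each denial can be compared against the grants shown in beeline. The function names are hypothetical, and the sample input is the post's own log with most stack frames omitted.

```python
import re

# Log excerpt taken from the first post (most stack frames omitted).
SAMPLE_LOG = """\
2017-03-30 22:48:09,619 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
\tat org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:356)
Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User vchetty does not have privileges for SWITCHDATABASE
"""

FAILED_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ ERROR \S+ FAILED: SemanticException No valid privileges")
REQUIRED_RE = re.compile(r"^\s*Required privileges for this query: (.+)$")
DENIED_RE = re.compile(
    r"^Caused by: \S+AuthorizationException: User (\S+) does not have privileges for (\w+)")


def parse_privileges(spec):
    """Split 'Server=..->Db=..->Table=..->action=..;' into one dict per privilege."""
    privileges = []
    for item in filter(None, (p.strip() for p in spec.split(";"))):
        privileges.append(dict(part.split("=", 1) for part in item.split("->")))
    return privileges


def parse_denials(log_text):
    """Return one record per denial: timestamp, user, operation, required privileges."""
    denials, current = [], None
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            # A new denial starts at the Driver's FAILED line.
            current = {"time": m.group(1), "user": None, "operation": None, "required": []}
            denials.append(current)
        elif current is None:
            continue
        elif (m := REQUIRED_RE.match(line)) and not current["required"]:
            # The privilege list is logged twice; keep the first copy only.
            current["required"] = parse_privileges(m.group(1))
        elif m := DENIED_RE.match(line):
            # The 'Caused by' line names the user and operation and closes the record.
            current["user"], current["operation"] = m.group(1), m.group(2)
            current = None
    return denials
```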
