Is this expected ? Sentry configuration changes after show current roles command

Hi Folks,

 

We have identified the behaviour below (possible bug?) with Cloudera Sentry. The following sessions show the same. Executing the show current roles command first, before any select <column> from <table>, causes the issue.

Please see the session output below for more details. Is this expected?

The cluster is running CDH 5.7.x. Kerberos + TLS/SSL is enabled on the cluster.

Any thoughts would be appreciated.


[nagaraj@cemhadoopactive01sl1al ~]$ beeline
beeline> !connect jdbc:hive2://192.168.11.224:8092/default;principal=hive/192.168.11.224@NOKIA.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/jssecacerts;trustStorePassword=changeit
scan complete in 2ms
Connecting to jdbc:hive2://192.168.11.224:8092/default;principal=hive/192.168.11.224@NOKIA.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/jssecacerts;trustStorePassword=changeit
Connected to: Apache Hive (version 1.1.0-cdh5.7.0)
Driver: Hive JDBC (version 1.1.0-cdh5.9.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://192.168.11.224:8092/default> select city from mobile;
INFO : Compiling command(queryId=hive_20161227115656_d8f0299c-0078-4acf-b4cf-b4507576e572): select city from mobile
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:city, type:string, comment:null)], properties:null)
INFO : Completed compiling command(queryId=hive_20161227115656_d8f0299c-0078-4acf-b4cf-b4507576e572); Time taken: 0.149 seconds
INFO : Executing command(queryId=hive_20161227115656_d8f0299c-0078-4acf-b4cf-b4507576e572): select city from mobile
INFO : Completed executing command(queryId=hive_20161227115656_d8f0299c-0078-4acf-b4cf-b4507576e572); Time taken: 0.001 seconds
INFO : OK
+------------+--+
| city |
+------------+--+
| Bangalore |
| Mumbai |
| NewDelhi |
+------------+--+
3 rows selected (0.376 seconds)

0: jdbc:hive2://192.168.11.224:8092/default>
[nagaraj@cemhadoopactive01sl1al ~]$ beeline
beeline> !connect jdbc:hive2://192.168.11.224:8092/default;principal=hive/192.168.11.224@NOKIA.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/jssecacerts;trustStorePassword=changeit
scan complete in 1ms
Connecting to jdbc:hive2://192.168.11.224:8092/default;principal=hive/192.168.11.224@NOKIA.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/jssecacerts;trustStorePassword=changeit
Connected to: Apache Hive (version 1.1.0-cdh5.7.0)
Driver: Hive JDBC (version 1.1.0-cdh5.9.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://192.168.11.224:8092/default> show current roles;
+---------+--+
| role |
+---------+--+
| report |
+---------+--+
1 row selected (0.178 seconds)
0: jdbc:hive2://192.168.11.224:8092/default> select city from mobile;
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User nagaraj does not have privileges for QUERY
The required privileges: Server=server1->Db=default->Table=mobile->Column=city->action=select; (state=42000,code=40000)
0: jdbc:hive2://192.168.11.224:8092/default> !quit
Closing: 0: jdbc:hive2://192.168.11.224:8092/default;principal=hive/192.168.11.224@NOKIA.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/jssecacerts;trustStorePassword=changeit
[nagaraj@cemhadoopactive01sl1al ~]$
[nagaraj@cemhadoopactive01sl1al ~]$



[nagaraj@cemhadoopactive01sl1al ~]$ beeline
SLF4J: Class path contains multiple SLF4J bindings.
beeline> !connect jdbc:hive2://192.168.11.224:8092/default;principal=hive/192.168.11.224@NOKIA.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/jssecacerts;trustStorePassword=changeit
scan complete in 1ms
Connecting to jdbc:hive2://192.168.11.224:8092/default;principal=hive/192.168.11.224@NOKIA.COM;ssl=true;sslTrustStore=/opt/cloudera/security/jks/jssecacerts;trustStorePassword=changeit
Connected to: Apache Hive (version 1.1.0-cdh5.7.0)
Driver: Hive JDBC (version 1.1.0-cdh5.9.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://192.168.11.224:8092/default> select city from mobile;
INFO : Compiling command(queryId=hive_20161227115757_cb16ee23-4bea-42ac-b015-9dbef58d48e3): select city from mobile
INFO : Semantic Analysis Completed
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:city, type:string, comment:null)], properties:null)
INFO : Completed compiling command(queryId=hive_20161227115757_cb16ee23-4bea-42ac-b015-9dbef58d48e3); Time taken: 0.145 seconds
INFO : Executing command(queryId=hive_20161227115757_cb16ee23-4bea-42ac-b015-9dbef58d48e3): select city from mobile
INFO : Completed executing command(queryId=hive_20161227115757_cb16ee23-4bea-42ac-b015-9dbef58d48e3); Time taken: 0.001 seconds
INFO : OK
+------------+--+
| city |
+------------+--+
| Bangalore |
| Mumbai |
| NewDelhi |
+------------+--+
3 rows selected (0.356 seconds)
0: jdbc:hive2://192.168.11.224:8092/default>

 

 
The session was repeated without the show current roles command and was found to work as expected.

The same session was repeated with the show current roles command executed in between the select queries and was found to work as expected.

 

Cheers

Nagaraj C


Re: Is this expected ? Sentry configuration changes after show current roles command

@chinumari

 

I am using CDH 5.7.x, and I don't have any issue with my beeline after applying show current roles.

Can you try the below commands and share the result?

a. Get out of beeline and type 'klist' in HDFS to get the current user principal. Hope it should be nagaraj. Please confirm it.
b. Type "id nagaraj" to get the group.
c. Now log back in to beeline and run the below commands:
   1. show role grant group <groupname from above command>;
   2. show grant role <your role name, hope it is report>

Note: I would recommend you hide confidential information such as IP addresses, etc. on a public site.
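
The check those steps perform by hand (user to group, group to role, role to privilege) can be run against the exact "required privileges" string from the failing session. This is an added example, not part of the original posts and not Sentry's own code; the group name `analysts` and the grant dictionaries are constructed stand-ins for the output of `id`, `show role grant group` and `show grant role`.

```python
import re

# Sentry scopes from broadest to narrowest, in the order the error text lists them.
SCOPES = ("server", "db", "table", "column")

def parse_required(error_text):
    """Pull the required privilege out of a 'No valid privileges' error."""
    m = re.search(r"required privileges:\s*([^;]+);", error_text)
    if not m:
        raise ValueError("no 'required privileges' clause found")
    pairs = (p.split("=", 1) for p in m.group(1).strip().split("->"))
    return {k.lower(): v.lower() for k, v in pairs}

def covers(grant, required):
    """True if one grant implies the required privilege.
    A grant that stops at a broader scope covers everything beneath it."""
    for scope in SCOPES:
        g = (grant.get(scope) or "*").lower()
        if g == "*":
            break
        if g != required.get(scope):
            return False
    return grant.get("action", "").lower() in ("all", "*", required["action"])

def roles_granting(error_text, groups, group_roles, role_grants):
    """Walk group -> role -> grant and return the (group, role) pairs that
    satisfy the privilege named in the error."""
    required = parse_required(error_text)
    return [(grp, role)
            for grp in groups
            for role in group_roles.get(grp, [])
            if any(covers(g, required) for g in role_grants.get(role, []))]

# Error text copied from the failing session above.
ERROR = ("User nagaraj does not have privileges for QUERY\n"
         "The required privileges: Server=server1->Db=default->Table=mobile"
         "->Column=city->action=select; (state=42000,code=40000)")

# Constructed sample data (assumptions, not taken from the cluster).
GROUPS = ["nagaraj", "analysts"]
GROUP_ROLES = {"analysts": ["report"]}
TABLE_GRANT = {"report": [{"server": "server1", "db": "default",
                           "table": "mobile", "action": "select"}]}
OTHER_COLUMN = {"report": [{"server": "server1", "db": "default",
                            "table": "mobile", "column": "state",
                            "action": "select"}]}

if __name__ == "__main__":
    print(roles_granting(ERROR, GROUPS, GROUP_ROLES, TABLE_GRANT))
    print(roles_granting(ERROR, GROUPS, GROUP_ROLES, OTHER_COLUMN))
```

An empty result means no role reachable through the user's groups grants the privilege; a non-empty result while the query still fails points at the session's active roles rather than at the stored grants.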


Re: Is this expected ? Sentry configuration changes after show current roles command

Hi Saranvisa, 

 

We re-installed the cluster for other reasons and I don't see any issues as of now. Thanks for reviewing the issue. Sure, I will take care when posting specific information on public sites.

 

 
