New Contributor
Posts: 3
Registered: ‎07-21-2017

Sentry in VM: Issue with creating new Roles, Groups and Permission

Dear Community Members,


I am new to Cloudera. I am currently exploring role-based authorization provided by DB-backed Sentry in Cloudera VM version 5.10.x.

I want to see how Sentry manages multiple roles and permissions regarding Hive tables, Impala & HDFS files. However, till now I have not been able to achieve it by following the documentation provided by Cloudera (link) and by referring to some community topics (link 1, link2, link3).

I am following the below steps to enable multiple roles:

  1. Installed Cloudera VM version 5.10.x
  2. Create new hive database ‘my_retail’ using Hive CLI.
  3. Using Sqoop command to import all tables from mysql to Hive new db

sqoop import-all-tables \
--num-mappers 2 \
--connect "jdbc:mysql://quickstart.cloudera:3306/retail_db" \
--username=root \
--password=cloudera \
--hive-import \
--hive-overwrite \
--create-hive-table \
--outdir java_files \
--hive-database my_retail

4. Verified that Hive has new tables using Hive CLI & Hue (U=Cloudera/P=Cloudera)

5. Go to Hue, created new user 'test1' in group 'default'. Verified that using Hue, user 'test1' can access & query Hive tables.

6. Set permission level in HDFS, using below commands

$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse

$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse

7. Unchecked HiveServer2 Enable Impersonation checkbox.

8. To override the Kerberos prerequisite, added the following property to the HiveServer2 sentry-site.xml

<property>
  <name>sentry.hive.testing.mode</name>
  <value>true</value>
</property>

9. Go to CM, Add service Sentry. Use existing mysql DB sentry, U=root, P=cloudera

10. Restarted all the Services

11. Enabled the Sentry Service for Hive by following these steps. Go to the Hive service. Click the Configuration tab. Select Scope > Hive (Service-Wide). Select Category > Main. Locate the Sentry Service property and select Sentry. Click Save Changes to commit the changes. Restart the Hive service.

12. Now refreshed Hue using admin user 'cloudera'. Hive DB, 'my_retail' disappeared.

13. Tried to run a Hive query. Getting the following error:

Error while compiling statement: FAILED: SemanticException No valid privileges User hive does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=*->Table=+->Column=*->action=insert;Server=server1->Db=*->Table=+->Column=*->action=select

14. Tried to run the Hive query using other User 'test1' in Hue. Got same error message.

15. I know that by default every permission is REVOKED in Sentry. But I couldn't find from where I need to GRANT those permissions. Tried Beeline, but it says 'No Connection'.

16. Tried to run command like 'show databases' in Hive CLI. Got error.

17. Go to Hue -> Security -> Hive tables. Can't see user 'test1' there.

18. I explored whole Hue, but couldn't enable multiple roles for achieving column level permissions.


In another VM instance, I enabled Kerberos and then installed Sentry. Again no success regarding the Sentry permission setup. I have verified that the 'sentry' db in MySQL contains the required tables.


Please let me know what steps I am missing here to enable multiple roles & groups for setting up column level permissions in Hive tables. I also want to achieve that for HDFS file system & in Impala.


I also worked on Cloudera VM version 5.4.x earlier, which provides different security (Sentry Tables tab) UI in Hue. But unfortunately I had similar experience there too.

New Contributor
Posts: 3
Registered: ‎07-21-2017

Re: Sentry in VM: Issue with creating new Roles, Groups and Permission

Let me know if anybody explored this scenario so far.

Posts: 394
Topics: 11
Kudos: 60
Solutions: 35
Registered: ‎09-02-2016

Re: Sentry in VM: Issue with creating new Roles, Groups and Permission

@ClouderaNaive


Pls create the required role and group and grant access as follows:

1. make sure the user 'test1' and the corresponding group are matching between Linux and Hue. If the user does not belong to any group, create a group (ex: grp_admin) and assign it to the user in both Linux and Hue
2. hue -> security -> create a role. ex: role_admin
3. hue -> security -> by default it shows the server name as 'server1'. grant 'all' on server server1 to role role_admin
4. grant role_admin to grp_admin


then try again to query the table from hive/beeline
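The same role setup expressed as Sentry/HiveQL statements, added here as an example (it is not code from the thread or from Cloudera). It is meant to be run in beeline connected to HiveServer2 as a user that Sentry treats as an administrator, i.e. a member of a group listed in sentry.service.admin.group such as hive. The names role_admin, grp_admin, server1 and my_retail come from the thread; role_analyst, grp_analyst, the connection string and the column names are assumptions for illustration. The second role goes beyond the thread and shows the column-level privilege the original question asks about (Sentry supports column-level SELECT from CDH 5.5 onward).

```sql
-- Connect first (assumed connection string; port 10000 is the HiveServer2 default):
--   beeline -u jdbc:hive2://quickstart.cloudera:10000 -n hive

-- 1. Admin role: full access on the Sentry server, bound to the group grp_admin,
--    which must exist with the same membership on Linux and in Hue.
CREATE ROLE role_admin;
GRANT ALL ON SERVER server1 TO ROLE role_admin;
GRANT ROLE role_admin TO GROUP grp_admin;

-- 2. Least-privilege role (assumed names): read-only on two columns of one table.
--    Column names department_id / department_name are assumptions about my_retail.departments.
CREATE ROLE role_analyst;
GRANT SELECT(department_id, department_name) ON TABLE my_retail.departments TO ROLE role_analyst;
GRANT ROLE role_analyst TO GROUP grp_analyst;

-- 3. Verify what Sentry actually recorded. A group whose roles do not appear here
--    is what produces "No valid privileges ... SWITCHDATABASE" in Hue.
SHOW ROLES;
SHOW ROLE GRANT GROUP grp_admin;
SHOW GRANT ROLE role_analyst;

-- 4. Reconnect as the test user (e.g. -n test1) and check the roles the session
--    carries; an empty result means Sentry's group mapping did not resolve the user
--    to grp_admin / grp_analyst on the HiveServer2 host.
SHOW CURRENT ROLES;
```

Granting ALL ON SERVER to the everyday test user defeats the purpose of the exercise; use role_admin only to bootstrap, and give working users database-, table- or column-scoped roles like role_analyst.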

New Contributor
Posts: 3
Registered: ‎07-21-2017

Re: Sentry in VM: Issue with creating new Roles, Groups and Permission

Hi saranvisa,


Based on your input, here are some steps that I have changed from earlier described scenario-

Repeated step 1-4

5A. Added group 'grp_admin' & its new user 'test1' on the Linux machine. Changed the user password.
5B. Go to Hue, created new group 'grp_admin', added its new user 'test1'.
5C. Verified that using Hue, user 'test1' can access & query Hive tables.

6A. Set permission level in HDFS, using below commands
$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse

6B. Now I can see that Hue user 'test1' no longer has access to Hive tables. The query gives the following error:

Bad status for request TFetchResultsReq(fetchType=0, operationHandle=TOperationHandle(hasResultSet=True, modifiedRowCount=None, operationType=0, operationId=THandleIdentifier(secret='O\x0b\xfc\x8bB\xb1I\x82\x83\ny\x89\x7f\xcc\xbbW', guid='\x13P\x02\xef\xbd\x18K:\x82\xe2!u\xa8\xc5Z\xc9')), orientation=4, maxRows=100): TFetchResultsResp(status=TStatus(errorCode=0, errorMessage='java.io.IOException: org.apache.hadoop.security.AccessControlException: Permission denied: user=test1, access=READ_EXECUTE, inode="/user/hive/warehouse/my_retail.db/departments":hive:hive:drwxrwx--x\n\tat


Repeated step 7-11
12. Observed the same scenario as described in step 12 above.
13. Error in the Hue Hive query editor:

Error while compiling statement: FAILED: SemanticException No valid privileges User test1 does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=my_retail->Table=*->Column=*->action=select;Server=server1->Db=my_retail->Table=*->Column=*->action=insert;

14. Opened Hue using admin user 'cloudera'. Security tab is not visible.
15. Restarted all services of CM. Logged in Hue. Security tab appeared.
16. Go to Hue Security. Not able to create any role in Hive tables.
17. Even after altering the directory permissions, by making test1 the owner of the 'Hive' directory:
$ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
$ sudo -u hdfs hdfs dfs -chown -R test1:grp_admin /user/hive/warehouse
I am still not able to create any role in Hue.

(attachment: VM2.jpg)
18. Verified that database 'my_retail' is not appearing in Hive tables (attachment: hue securityVM.jpg).

Posts: 394
Topics: 11
Kudos: 60
Solutions: 35
Registered: ‎09-02-2016

Re: Sentry in VM: Issue with creating new Roles, Groups and Permission

@ClouderaNaive


you have to login into hue as admin user to create roles and grant access to your test user

So in your sentry configuration set up the admin users as follows and restart the sentry service

<property>
<name>sentry.service.admin.group</name>
<value>hive,impala,hue</value>
</property>

then login as hue user in hue and try the steps that I've mentioned earlier


also I never tried Sentry without kerberos. so if you have kerberos then

1. make sure hive & impala are enabled with Kerberos. Ex: CM -> hive -> configuration -> enable kerberos

2. add the required kerberos principals
