Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

after installing sentry I get privilige errors in hive /Impala in hue

avatar
Contributor

Dear community,
Since I have installed sentry (without kerberos so in test mode), in Hive I notice that I get errors to do a select on a table that I used to be able to access before: 'No valid privileges User hdfs does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=job->Table=*->Column=*->action=select;Server=server1->Db=job->Table=*->Column=*->action=insert;'.
ALso in Impala I notice that I get error messages related to priviliges.  The user I use,hdfs, has admin priviliges in hue and is a superuser.  After reading up on it, I am a little confused on how it works with users, groups, etc.

 

Thanks!

1 ACCEPTED SOLUTION

avatar
Contributor

Note: I was able to solve this issue. The reason is that I was using hue and not beeline. Through beeline I was able to add the roles described here :https://www.cloudera.com/documentation/enterprise/5-13-x/topics/sg_hive_sql.html and after that I was able to access my table through beeline. THis link  also states that beeline should be used.

It is not clear to me yet why I could not grant the roles through hue.

 

Hopefully this is useful for someone else in the future!

View solution in original post

2 REPLIES 2

avatar
Contributor

Here some extra info on my efforts so far:

1)I log in with the hdfs usr in hue. The hadoop group (/etc/group) consists of users hdfs/mapred/yarn. There is also a group hdfs.
2) I have created a sentry-provider.ini file as decribed in https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_sentry.html#concept_iw1_5dp_w...
As my goal is to just give access rights to everything for the hdfs user, the file looks like this:
[groups]
# Assigns each Hadoop group to its set of roles
hadoop = admin_role
hdfs = admin_role
[roles]
# Implies everything on server1.
admin_role = server=server1
3) I put the file in the directory that corresponds to the parameter Sentry Global Policy File in the hive configuration (/user/hive/sentry/sentry-provider.ini on hdfs) and restarted the cluster.
4) In the hive configuration, the sentry parameters are as follows: Sentry Service = none / Enable Sentry Authorization using Policy Files: checked.  Is this correct? These 2 configurations seem mutually exclusive: I can not enable them both. It seems I need to provide the .ini file to define my roles so this seems the more important parameter that I enabled.

 5) I restarted the whole cluster.

 

WHen I try again accessing a table in hue through hive or impala, I get errors related to priviliges. Does anyone know what I am missing?? 

 

Further I notice one should set grants through Hive QL as described here : https://www.cloudera.com/documentation/enterprise/5-5-x/topics/sg_hive_sql.html . Currently I have no roles. Is this maybe the reason why I only see the default db and not all databases when I execute 'SHOW DATABASES' ?


Thanks!!

avatar
Contributor

Note: I was able to solve this issue. The reason is that I was using hue and not beeline. Through beeline I was able to add the roles described here :https://www.cloudera.com/documentation/enterprise/5-13-x/topics/sg_hive_sql.html and after that I was able to access my table through beeline. THis link  also states that beeline should be used.

It is not clear to me yet why I could not grant the roles through hue.

 

Hopefully this is useful for someone else in the future!