New databases are not accessible under impala with Sentry enabled

Environment background: CDH 5.9, Isilon OneFS 8, AD integrated and Sentry enabled. SSSD was configured on the Cloudera cluster nodes.

Brief of the issue: I created one database and granted access permission to two groups. Users in the two groups can see the new database in Hive. However, they can’t see the database in Impala. Also, the hive and impala service accounts can’t see the new database.

Steps I have run are:

  1. Create a hiveadmin role with ALL permission on server1.
  2. Grant the hiveadmin role to AD group hiveadmin.
  3. Add hive and impala service accounts to AD group hiveadmin.
  4. Create a new database with account ryan, which is also in the AD group hiveadmin.
  5. First problem: hive and impala can’t see the new database. After granting ALL permission on the new database to role hiveadmin, the two service accounts still can’t see the database. User ryan can see the new database.
  6. Create two new roles, and grant them to the AD groups of the same name, which are marketing-senior-analysts and marketing-junior-analysts.
  7. Grant ALL permission on the new database to the role marketing-senior-analysts.
  8. Grant SELECT permission on the new database to the role marketing-junior-analysts.
  9. Second problem: users in the two AD groups can see the new database in Hive, and the permissions they got are also correct. Senior users can create tables but junior users can’t. But users can’t see the new databases in Impala.
  10. Third problem: the impala service account can’t invalidate metadata. The system replied no permission on the server.

I'd appreciate it if someone can help by giving some directions.
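
The steps above written out as Sentry SQL statements, followed by the statements that show which roles and privileges Hive and Impala each resolve. This is an added example, not part of the original post: the database name `newdb` is a placeholder, and the backtick quoting of the hyphenated role and group names is an assumption about how they were entered.

```sql
-- Added example. Run the grants as a Sentry admin user in beeline (HiveServer2).
-- `newdb` is a placeholder: the post does not name the database.

-- Steps 1-2: admin role with ALL on the server, granted to the AD group.
CREATE ROLE hiveadmin;
GRANT ALL ON SERVER server1 TO ROLE hiveadmin;
GRANT ROLE hiveadmin TO GROUP hiveadmin;

-- Step 4: run as user ryan, a member of the AD group hiveadmin.
CREATE DATABASE newdb;

-- Step 5: explicit grant on the new database to the admin role.
GRANT ALL ON DATABASE newdb TO ROLE hiveadmin;

-- Step 6: one role per analyst group, each granted to the group of the same name.
-- Names containing '-' are backtick-quoted here (assumption, see lead-in).
CREATE ROLE `marketing-senior-analysts`;
CREATE ROLE `marketing-junior-analysts`;
GRANT ROLE `marketing-senior-analysts` TO GROUP `marketing-senior-analysts`;
GRANT ROLE `marketing-junior-analysts` TO GROUP `marketing-junior-analysts`;

-- Steps 7-8: database-level privileges for the two roles.
GRANT ALL ON DATABASE newdb TO ROLE `marketing-senior-analysts`;
GRANT SELECT ON DATABASE newdb TO ROLE `marketing-junior-analysts`;

-- Checks: run the same statements in beeline and in impala-shell and compare.
SHOW ROLE GRANT GROUP hiveadmin;   -- roles Sentry maps to the group
SHOW GRANT ROLE hiveadmin;         -- privileges held by the role
SHOW CURRENT ROLES;                -- roles active for the connected user
SHOW DATABASES;                    -- what that user is allowed to see

-- Step 10: run in impala-shell as the impala service account.
INVALIDATE METADATA;
```

Running `SHOW CURRENT ROLES` as the same user in both shells shows whether Hive and Impala resolve that user to the same set of roles.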
