question I installed Sentry on Cluster, now where to start? in Support Questions

I installed Sentry on Cluster, now where to start?

quangbilly79 — Thu, 18 May 2023 04:12:39 GMT

I followed this guide on the Cloudera website, I've finished "Installing and Upgrading the Sentry Service" step. Now what do I do next?

I tried to start Beeline and execute some queries as normal but get a privilege error

kinit -k -t /home/vgdata/vega.keytab vega@BI.VEGA.COM (get tgt for user vega)

beeline -u "jdbc:hive2://data-node01:10000/test;principal=hive/data-node01.vega.com@BI.VEGA.COM" (access beeline with kerberos principal)

select * from test; (execute query)

But I got an error like below

Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User vega does not have privileges for SWITCHDATABASE
The required privileges: Server=server1->Db=*->Table=+->Column=*...

User "vega" is hdfs superuser, and also the main user that we use to connect to all Hadoop services (there is a Kerberos principal "vega" too)

I tried to execute some commands like

create role admin;

grant role ....

But all get an error like "No groups found for user vega"

Now where do I start? Is there a default "admin" user that I can do everything (including grant...)? I want to grant user "vega" the "admin" role, which can do everything. Something like my SQL grant privilege command

GRANT ALL PRIVILEGES ON database.table TO user;

GRANT ALL PRIVILEGES ON *.* TO vega;

Re: I installed Sentry on Cluster, now where to start?

ChethanYM — Thu, 18 May 2023 09:05:26 GMT

Hi,

Use the below commands and see if you find any difference.

CREATE ROLE [role_name];

GRANT <PRIVILEGE> ON <OBJECT> <object_name> TO ROLE <roleName>

GRANT ROLE <role_name> TO GROUP <groupName>;

Examples:

create role testing;

grant all on database <db-name> to role testing;

grant role testing to group <group-name>;

In this case the user should be part of this particular group on all the cluster nodes - user group mapping at OS level is required. You can check the groups of a user using "id <user-name>".

Regards,

Chethan YM

Re: I installed Sentry on Cluster, now where to start?

quangbilly79 — Fri, 19 May 2023 02:56:03 GMT

Thank. The user hasn't existed at OS Level (Centos). I create the user and it's fine. Also, the created user must be in "admin.groups" in Sentry conf to have the privileges on the Grant Commands.

Also, may I ask how Sentry recognize user/group? Does it take the user/group from Hue, or HDFS, or local OS (in the case of using Cloudera Cluster)? At first, I think it was the OS level, but I have some problems related to the user/group, seems like Sentry doesn't recognize properly user/group setting on the OS level.

Or do I have to create the same user/group for all nodes in cluster, not just in the main name-node?

Re: I installed Sentry on Cluster, now where to start?

ChethanYM — Fri, 19 May 2023 09:21:07 GMT

Yes, User group mapping should be across the cluster nodes not only on name-node.