question Re: Sentry No valid privileges Required privileges for this query in Archives of Support Questions (Read Only)

Sentry No valid privileges Required privileges for this query

Petr — Fri, 16 Sep 2022 10:08:27 GMT

Hi,
I have unsecured cluster (CDH 5.4) and as I want to provide an access to data to more users, I would like to turn on the Sentry, so far without Kerberos (which comes after sucessful launch of Sentry).
As some other people might need Impala at the moment, I decided to set it up in Hive in first stage.

Steps I have taken:
1) I have set up 2 users: hive and tuser
tuser - group test
hive - group hive, zookeeper

group test
indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access,
jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access,
search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access

group hive
beeswax.access

group hive has role admin (the first one with an unlocked lock):
SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL

group test has role neco
SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL

Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect.

2) I have turned on the sentry
- in Hive checked the Sentry Service from "none" to "Sentry"
- in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted <property> <name>sentry.hive.testing.mode</name><value>true</value></property>
+ restarted Sentry

Result:
User hive can access anything in Hive. That's what I was expecting.
User tuser can't access anything in Hive (Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;)

What am I missing?

Re: Sentry No valid privileges Required privileges for this query

Petr — Fri, 11 Mar 2016 14:20:00 GMT

Plus:
All in /user/hive/warehouse has owner and group hive + 777.
Moreover, I tried to add tuser into hive group, and added it into groups sentry.service.admin.group and sentry.service.allow.connect, and sentry.metastore.service.users, but the result is the same.

Re: Sentry No valid privileges Required privileges for this query

Petr — Tue, 22 Mar 2016 09:06:52 GMT

Finally I was adviced what was wrong: The Hue groups must be the same as the groups on the Namenode's linux (as the HDFS org.apache.hadoop.security.ShellBasedUnixGroupsMapping is checked). In the case of Impala, all of nodes with Impala Daemons have to have same groups. However, I am going to overtake the groups from LDAP (option org.apache.hadoop.security.LdapGroupsMapping).

Re: Sentry No valid privileges Required privileges for this query

cjervis — Tue, 22 Mar 2016 12:36:19 GMT

@Petr Thanks for sharing the solution in case it can be of assistance to others. 🙂

Unable to create table :

MJoy — Mon, 22 Aug 2016 09:48:09 GMT

Hi,

Im trying to create a table as mentioned below. I have all the read/write/execute permissions for the mentioned users.

CREATE EXTERNAL TABLE stage_rtra_transaction_ext_1(
attemptid string,
trns_sur_key string,
sender_gi string,
payee_gi string,
success_flag string,
atch_que_name string,
transactionstate string,
pay_mtcn_nr string,
swb_zone string,
swb_zone_pay string,
que_name string,
moneyordertype string,
trns_ts string,
ext_seq_no string,
field_name string,
field_value string)
PARTITIONED BY (
year int,
month int,
day int)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY '\u0001'
STORED AS RCFILE
LOCATION 'hdfs://nameservice1/compliance/compliancehadoop/data/stage/rtra/STAGE_RTRA_TRANSACTION_EXT/';

while running in beeline im getting the below error.

Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User compliance does not have privileges for CREATETABLE
The required privileges: Server=server1->URI=hdfs://nameservice1/compliance/compliancehadoop/data/stage/rtra/STAGE_RTRA_TRANSACTION_EXT->action=*; (state=42000,code=40000)

On removing the LOCATION line, the query works fine.

Please anyone help me to sort out this.

Thanks,

Mjoy

Re: Unable to create table :

MJoy — Mon, 29 Aug 2016 07:28:02 GMT

Can i have resolution for this....

All permissions are perfect but still i could not able to create the External table as a specific user.

Re: Sentry No valid privileges Required privileges for this query

DAggarwal — Tue, 06 Sep 2016 16:30:54 GMT

Hi,

I am not sure where to go for configuring roles as you have mentioned in your post.

In the Hue UI, I can see the interface for adding groups/permissions.

Re: Sentry No valid privileges Required privileges for this query

DAggarwal — Tue, 06 Sep 2016 16:32:32 GMT

Hi,

I am not sure where to go for configuring roles. In the Hue UI, I can see interface for adding groups/permissions but not roles. Please advise.

group hive has role admin (the first one with an unlocked lock):
SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL

group test has role neco
SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL

Re: Sentry No valid privileges Required privileges for this query

scratch28 — Fri, 31 Mar 2017 00:03:45 GMT

do you mind expanding on the answer a bit

I have the same problem

is the group setting in CM or on hdfs or os files system?