01-07-2015 05:05 PM
I have recently setup sentry, all of the role based permissions seem to be working well. However, I noticed that I am unable to create tables from the hive cli now. I receive the following error: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:User cloudera does not have privileges for CREATETABLE). I can create tables while connected through beeline though as user cloudera.
Does using sentry service restrict access to the hive cli? I have set user "cloudera" with the following: CREATE ROLE super_user. GRANT ALL ON SERVER server1 to ROLE super_user. GRANT ROLE super_user TO GROUP cloudera.
I can still run queries normally and mapreduce jobs through the hive cli as user "cloudera" just lost the ability to create tables.
03-05-2015 07:55 AM
We are also facing the same problem, in addition to enabling sentry service in CM we also configured Sentry-HDFS ACLs synchronization. Do we need to add particular users to sentry config to enable them to create dbs/tables? Because right now it seems like only sentry admin user has privileges to create tables.
03-05-2015 11:34 AM
01-07-2016 09:10 AM
Hi Darren -
we have setup all the privileges but still experience errors when trying to create external tables from Hive CLI. Error is:
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:User xyz does not have privileges for CREATETABLE).
It looks like the workaround is to specify the fully qualified location path for the table including the protocol: hdfs//blah/blah
Is this an expected behavior? Is there way to allow relative pathing to work from Hive CLI?
01-07-2016 11:20 AM