Reply
Explorer
Posts: 7
Registered: ‎12-27-2018

refresh function privileges

[ Edited ]

When using impala under CDH 5.15, refreshing functions under specifc databases by some user will got an error like "AuthorizationException : user aaa does not have privileges to access: server" .

 

The system is centry enabled with kerberos.

 

What privileges shall we grant to the user ?

Cloudera Employee
Posts: 585
Registered: ‎03-23-2015

Re: refresh function privileges

You will need at least write access to the table that user need to refresh. Have you tried to run:

GRANT ALL ON {db}.{table} TO ROLE {rolename}?

where {rolename} should be assigned to the user/group.
Explorer
Posts: 7
Registered: ‎12-27-2018

Re: refresh function privileges

The user has already got ALL rights on database where the function is built

 

 

Syntax:

REFRESH FUNCTIONS db_name

Cloudera Employee
Posts: 585
Registered: ‎03-23-2015

Re: refresh function privileges

I believe REFRESH only works for tables, not on functions or DB.

Can you try to run REFRESH {tablename} to confirm?

To update other metadata, INVALIDATE METADATA is needed, which will need server level privilege.
Explorer
Posts: 7
Registered: ‎12-27-2018

Re: refresh function privileges

UDF considerations:

In CDH 5.12 / Impala 2.9 and higher, you can refresh the user-defined functions (UDFs) that Impala recognizes, at the database level, by running the REFRESH FUNCTIONS statement with the database name as an argument. Java-based UDFs can be added to the metastore database through Hive CREATE FUNCTION statements, and made visible to Impala by subsequently running REFRESH FUNCTIONS. For example:
CREATE DATABASE shared_udfs;
USE shared_udfs;
...use CREATE FUNCTION statements in Hive to create some Java-based UDFs
   that Impala is not initially aware of...
REFRESH FUNCTIONS shared_udfs;
SELECT udf_created_by_hive(c1) FROM ...
Highlighted
Cloudera Employee
Posts: 585
Registered: ‎03-23-2015

Re: refresh function privileges

All right, so it works on functions, but your query:

REFRESH FUNCTIONS db_name

Seems like against DB, shouldn't it be:

REFRESH FUNCTIONS db_name.function_name

you will firstly need access to db_name to be able to run refresh.
Explorer
Posts: 7
Registered: ‎12-27-2018

Re: refresh function privileges

It seems that only db_name is needed according to 

https://www.cloudera.com/documentation/enterprise/5-15-x/topics/impala_refresh_functions.html

Syntax:

REFRESH FUNCTIONS db_name

 

And in 2.X version of impala the only way is to grant all on server to the role, while in  Impala 3.0 and higher  the minimum level of privileges required by refresh functions is to grant refresh on database to the role.

SQL StatementPrivilegesScope
REFRESH FUNCTIONSREFRESHDATABASE


https://impala.apache.org/docs/build/html/topics/impala_grant.html

Announcements