Impala Catalog does not get Hive objects

New Contributor

Hello!

I am having an issue that I have been racking my brain over for a long time.

My cluster is CDH 12.1 and is configured with Kerberos (Active Directory), SSSD and Apache Sentry for authorization.

Situation: I am a Sentry admin and am trying to access my databases and tables using the impala-shell, Hue and Beeline.

Problem: I have access to my tables through Beeline and Hive in Hue. However, if I try to see them using Impala (with either the impala-shell or Hue), I don't get access to them. I have tried using the hive user, impala user, other users and my own user (which is a Sentry admin), but unfortunately they never show up.

I tried to see if it is an issue related to roles, and the following happens:

[<node>:21000] > invalidate metadata;
Query: invalidate metadata

ERROR: AuthorizationException: User 'hive/<node>' does not have privileges to access: server (it does not say server1)

Query submitted at: 2018-12-19 10:38:03 (Coordinator: http://<node>:25000)

[<node>:21000] > create role impala;
Query: create role -> role was created

[<node>:21000] > grant all on server server1 to role impala;
Query: grant all on server server1 to role impala
Query submitted at: 2018-12-19 10:38:50 (Coordinator: http://<node>:25000)
ERROR: AnalysisException: Role 'impala' does not exist.

[<node>:21000] > show roles;
Query: show roles

Fetched 0 row(s) in 0.12s
[<node>:21000] > create role impala;
Query: create role impala
ERROR: CatalogException: Role already exists: impala

Also, I found the following errors in the log:

<node> ERROR December 19, 2018 10:37 AM cc:1299
Error deserializing item CATALOG:f1cc55801a0342c6:9c7dbb7738bffaa7: couldn't deserialize thrift msg:
TProtocolException: Invalid data
<node> ERROR December 19, 2018 10:37 AM cc:1299
Error deserializing item CATALOG:f1cc55801a0342c6:9c7dbb7738bffaa7: couldn't deserialize thrift msg:
TProtocolException: Invalid data
<node> ERROR December 19, 2018 10:37 AM cc:1378
There was an error processing the impalad catalog update. Requesting a full topic update to recover: CatalogException: Detected catalog service ID change. Aborting updateCatalog()
<node> ERROR December 19, 2018 10:37 AM cc:1299
Error deserializing item ROLE:tesT: couldn't deserialize thrift msg:
TProtocolException: Invalid data

I tried to increase the Java Heap Size for Catalog but this didn't help.

The log always shows errors processing the roles and permissions with the Catalog. I tried several daemons but it didn't work.

Notes:

1. There are Sentry gateways in all nodes.

2. I tried to re-deploy the Hive client conf and so on. It didn't work.

I would be grateful if you could give me a hand with it!! 🙂

Thanks so much in advance!

Expert Contributor

Just to confirm, have you enabled Impala to use the Sentry service in Cloudera Manager with the following instructions?

https://www.cloudera.com/documentation/enterprise/latest/topics/impala_authorization.html#sentry_cm



Robert Justice, Technical Resolution Manager


New Contributor

Hello Robert,

Thanks for your reply.

The Impala service is configured to use the Sentry service for authorization.

Also, the Hive metastore.

I don't understand why we are still having this issue.

Thanks for your help

New Contributor
It's not about your privilege or access issue.
[<node>:21000] > invalidate metadata;
Query: invalidate metadatam..
It's about you not having valid metadata.

New Contributor

The Sentry logs show this error:

mismatch: Client thrift version is: 1 , server thrift version is 2

In Impala, it throws this error:

org.apache.impala.catalog.AuthorizationException: User 'xxxxx' does not have privileges to access: server

I tried to see if there is any mismatch in the Cloudera libraries but didn't find anything...

Any clue about it?