02-11-2019 06:13 AM - last edited on 02-11-2019 01:58 PM by cjervis
I got CDH 5.16 and a cluster with Impala / Hive / Sentry (database-backed) set up.
In Impala, I got different databases and want to define policies so that a group / role can access all databases read-only.
I tried this Grant but it does not work:
"GRANT SELECT ON DATABASE ALL TO ROLE my_role;"
How can I define SELECT-permissions for all databases in Sentry?
04-25-2019 11:35 PM
Are you using the same user from Impala and Hive?
If your cluster is not kerberized and from impala-shell you run as the 'impala' user and from beeline as the 'hive' user, it's possible that your user 'impala' doesn't belong to Sentry's admin groups.
You can check those groups in property "sentry.service.admin.group" in Sentry service.
It could be a possibility...
04-30-2019 06:36 AM
In that case, could it be possible that you have not enabled the Sentry Service from Impala?
If you have a similar message like this:
"Authorization is not enabled. To enable authorization restart Impala with the --server_name=<name> flag."
In Cloudera Manager the property "Sentry Service" might be set to none and you can execute Sentry admin commands until you configure it and restart Impala.
04-30-2019 07:27 AM
Sorry, I thought your problem could be about configuration.
But you're right, it looks like impala-shell doesn't support the clause ALL (nor *) to refer to "ALL DATABASES".
You can specify "default" DATABASE or a particular DATABASE, but not all at one time:
ERROR: AnalysisException: Syntax error in line 1: GRANT ALL ON TABLE ALL TO ROLE rol_auditors ^ Encountered: ALL Expected: DEFAULT, IDENTIFIER CAUSED BY: Exception: Syntax error
and from beeline it works fine.
In my opinion, I think it isn't a bug, only that they have not implemented this option from impala-shell.
I'm sorry I could not help you.
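Since the parser error above shows that Impala expects DEFAULT or an identifier after DATABASE, one workaround is to generate one GRANT per database. The following is an added example, not part of the original thread: the function names, the sample rows and the identifier rule are assumptions, and `my_role` is the role name from the question.

```shell
#!/bin/sh
# Added example (not from the thread): build one GRANT per database, because
# the Impala parser rejects ALL where a database name is expected.

# Names are pasted into SQL text, so accept only plain identifiers
# (letter first, then letters, digits, underscore): a conservative assumption.
is_ident() {
    case "$1" in
        ''|[!A-Za-z]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# gen_grants ROLE: reads SHOW DATABASES rows on stdin (name<TAB>comment)
# and writes GRANT statements to stdout.
gen_grants() {
    gg_role=$1
    gg_tab=$(printf '\t')
    if ! is_ident "$gg_role"; then
        echo "refusing role name: $gg_role" >&2
        return 2
    fi
    while IFS=$gg_tab read -r gg_db gg_rest; do
        [ -z "$gg_db" ] && continue
        if ! is_ident "$gg_db"; then
            echo "skipping name that is not a plain identifier: $gg_db" >&2
            continue
        fi
        printf 'GRANT SELECT ON DATABASE %s TO ROLE %s;\n' "$gg_db" "$gg_role"
    done
    return 0
}

# Constructed sample rows in the shape of delimited SHOW DATABASES output.
sample_databases() {
    printf 'default\tDefault Hive database\n'
    printf 'sales\t\n'
    printf 'hr_raw\t\n'
    printf '_impala_builtins\tSystem database for Impala builtin functions\n'
    printf 'tmp-2019\t\n'
}

# Typical use, reviewing grants.sql before running it:
#   impala-shell -B -q 'SHOW DATABASES' | gen_grants my_role > grants.sql
#   impala-shell -f grants.sql
# Only databases that exist at run time are covered; rerun after adding one.
```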