01-19-2018 08:32 AM - last edited on 01-19-2018 09:52 AM by cjervis
Since I installed Sentry (without Kerberos, so in test mode), I notice in Hive that I get errors when doing a select on a table that I used to be able to access before: 'No valid privileges User hdfs does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=job->Table=*->Column=*->action=select;Server=server1->Db=job->Table=*->Column=*->action=insert;'.
Also, in Impala I notice that I get error messages related to privileges. The user I use, hdfs, has admin privileges in Hue and is a superuser. After reading up on it, I am a little confused about how it works with users, groups, etc.
01-22-2018 01:15 AM - edited 01-22-2018 01:33 AM
Here is some extra info on my efforts so far:
1) I log in with the hdfs user in Hue. The hadoop group (/etc/group) consists of users hdfs/mapred/yarn. There is also a group hdfs.
2) I have created a sentry-provider.ini file as described in https://www.cloudera.com/documentation/enterprise/latest/topics/cdh_sg_sentry.html#concept_iw1_5dp_w...
As my goal is to just give access rights to everything for the hdfs user, the file looks like this:
# Assigns each Hadoop group to its set of roles
hadoop = admin_role
hdfs = admin_role
# Implies everything on server1.
admin_role = server=server1
3) I put the file in the directory that corresponds to the parameter Sentry Global Policy File in the hive configuration (/user/hive/sentry/sentry-provider.ini on hdfs) and restarted the cluster.
4) In the Hive configuration, the Sentry parameters are as follows: Sentry Service = none / Enable Sentry Authorization using Policy Files: checked. Is this correct? These 2 configurations seem mutually exclusive: I cannot enable them both. It seems I need to provide the .ini file to define my roles, so this seems the more important parameter, which I enabled.
5) I restarted the whole cluster.
When I try again to access a table in Hue through Hive or Impala, I get errors related to privileges. Does anyone know what I am missing?
Further, I notice one should set grants through Hive QL as described here: https://www.cloudera.com/documentation/enterprise/5-5-x/topics/sg_hive_sql.html . Currently I have no roles. Is this maybe the reason why I only see the default db and not all databases when I execute 'SHOW DATABASES'?
01-25-2018 01:29 AM
Note: I was able to solve this issue. The reason is that I was using Hue and not beeline. Through beeline I was able to add the roles described here: https://www.cloudera.com/documentation/enterprise/5-13-x/topics/sg_hive_sql.html and after that I was able to access my table through beeline. This link also states that beeline should be used.
It is not clear to me yet why I could not grant the roles through hue.
Hopefully this is useful for someone else in the future!
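
For readers following the same path, here is an added example (not part of the original posts) of the Sentry role statements that would be run in beeline to express the policy file above as grants, followed by checks that they took effect. It assumes the role name admin_role, the groups hadoop and hdfs, and the server name server1 from the earlier post, and that the connected user is permitted to administer Sentry roles; job_rw_role and the analysts group are hypothetical names used to show a narrower alternative.

```sql
-- Added example: Sentry role grants issued from beeline.
-- Names admin_role, hadoop, hdfs, server1 and job come from the posts above.

-- 1) Equivalent of "admin_role = server=server1" in the policy file.
CREATE ROLE admin_role;
GRANT ALL ON SERVER server1 TO ROLE admin_role;

-- 2) Equivalent of "hadoop = admin_role" and "hdfs = admin_role".
--    Sentry grants roles to groups, never directly to users, so the
--    hdfs user gains access only through its group membership.
GRANT ROLE admin_role TO GROUP hadoop;
GRANT ROLE admin_role TO GROUP hdfs;

-- 3) Verify what was granted and what the current session resolves to.
SHOW ROLES;
SHOW ROLE GRANT GROUP hadoop;
SHOW GRANT ROLE admin_role;
SHOW CURRENT ROLES;

-- 4) The error message asked only for select and insert on Db=job.
--    A narrower role covering just that (hypothetical role and group
--    names) avoids handing server-wide ALL to every group member.
CREATE ROLE job_rw_role;
GRANT SELECT ON DATABASE job TO ROLE job_rw_role;
GRANT INSERT ON DATABASE job TO ROLE job_rw_role;
GRANT ROLE job_rw_role TO GROUP analysts;

-- 5) With a matching role in place, SHOW DATABASES lists the databases
--    the session has privileges on, and the select should succeed.
SHOW DATABASES;
USE job;
SHOW TABLES;
```

If SHOW CURRENT ROLES returns nothing for a user, check which groups that user resolves to on the cluster before changing any grants.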