
GRANT ROLE To a USER in Impala + Sentry

New Contributor


We have set up a cluster by manually installing all the tarballs.

Hive and Impala have been configured to use Sentry for authorization.


We have created roles in Sentry using the following Hive command:

create role admin;


Next we are trying to assign this role to a user:

GRANT ROLE admin to user mayank;


The above command works fine in Hive; however, it fails in Impala with the following error:


Encountered: IDENTIFIER

Expected: GROUP


Now when we try to run the following command from Hive:

show current roles;


We can see the result: admin


However, the same command in Impala doesn't return any result.


It seems Impala only recognizes role entitlements to a group and not to a user, unlike Hive.

Please let me know if this is by design or due to a configuration error in our cluster.


Hive version: 2.3.2, Sentry version: 2.0, Impala version: 2.7




Your suspicion is spot on!!


Note: Sentry only allows you to grant roles to groups that have alphanumeric characters and underscores (_) in the group name.

When Sentry is enabled, you must use Beeline to execute Hive queries. Hive CLI is not supported with Sentry and must be disabled. See Disabling Hive CLI for information on how to disable the Hive CLI.


The GRANT ROLE statement can be used to grant roles to groups, and only Sentry admin users can grant roles to a group.


Create a role


CREATE ROLE datascientist;
GRANT ROLE datascientist TO GROUP gurus;


Grant to the database test


GRANT ALL ON DATABASE test TO ROLE datascientist;


Grant to a table lesson in test database


GRANT ALL ON TABLE test.lesson TO ROLE datascientist;


The reason Sentry grants roles to groups is to simplify management: you bundle privileges and grant them to a group, so that the only moving part is the user. The statement below will therefore effectively revoke mayankj's ability to do anything that the privileges of the datascientist role allow.


# gpasswd -d mayankj gurus


Removing user mayankj from group datascientist

Quite simple and effective

Roles are created to group together privileges or other roles. They are a means of facilitating the granting of multiple privileges or roles to groups.


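The user -> group -> role -> privilege resolution described in the answer above, as an added example (a simplified model written for this page, not Sentry, Hive or Impala code). The class name, the `honor_user_grants` flag and the sample grants are assumptions; the flag stands for the difference reported in this thread between an engine that accepts GRANT ROLE ... TO USER and one that only resolves roles through groups.

```python
import re
from collections import defaultdict

# Per the note above: group names may contain only alphanumerics and underscores.
GROUP_NAME = re.compile(r"[A-Za-z0-9_]+")

class SentryModel:
    """Toy authorization model (hypothetical, for illustration only)."""

    def __init__(self):
        self.members = defaultdict(set)      # group -> users (OS/LDAP membership)
        self.group_roles = defaultdict(set)  # group -> roles (GRANT ROLE .. TO GROUP)
        self.user_roles = defaultdict(set)   # user  -> roles (GRANT ROLE .. TO USER)
        self.role_privs = defaultdict(set)   # role  -> (action, object) pairs

    def grant_role_to_group(self, role, group):
        if not GROUP_NAME.fullmatch(group):
            raise ValueError(f"group name not grantable: {group!r}")
        self.group_roles[group].add(role)

    def current_roles(self, user, honor_user_grants):
        """Roles active for `user`; direct user grants count only if honored."""
        roles = set()
        for group, users in self.members.items():
            if user in users:
                roles |= self.group_roles[group]
        if honor_user_grants:
            roles |= self.user_roles[user]
        return roles

    def privileges(self, user, honor_user_grants=False):
        privs = set()
        for role in self.current_roles(user, honor_user_grants):
            privs |= self.role_privs[role]
        return privs

def demo():
    """Constructed scenario using the names from this thread."""
    m = SentryModel()
    m.grant_role_to_group("datascientist", "gurus")
    m.role_privs["datascientist"].add(("ALL", "TABLE test.lesson"))
    m.members["gurus"].add("mayankj")
    before = m.privileges("mayankj")
    m.members["gurus"].discard("mayankj")    # effect of: gpasswd -d mayankj gurus
    after = m.privileges("mayankj")
    return before, after

if __name__ == "__main__":
    print(demo())
```

With `honor_user_grants=False`, a role granted only to a user resolves to no roles at all, which matches the empty SHOW CURRENT ROLES result reported for Impala in this thread.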


New Contributor

@Shelton - Thanks for your response.


I am able to grant a role to a user in Sentry through Beeline.

CREATE ROLE datascientist;
GRANT ROLE datascientist TO USER mayank;


The above commands seem to work fine in Beeline; I am also able to view the role in the user's current roles.

|  tab_name     |
| datascientist |

However, when I execute the same command in Impala, I don't see any roles assigned to this user.