We have setup a cluster by manually installing all the Tarballs
Hive and Impala have been configured to use sentry for authorization.
We have created roles in Sentry using following Hive command
create role admin;
Next we are trying to assign this role to a user:
GRANT ROLE admin to user mayank;
Above command works fine in Hive, however it fails in Impala with the following error:
Now when we try to run the following command from Hive:
show current roles;
We can see the result: admin
However same command in Impala doesn't return any result.
It seems Impala is only recognizing Role entitlements to Group and not to a User unlike Hive.
Please let me know if this is by design or due to configuration Error in our cluster
Hive version: 2.3.2, Senty version: 2.0, Impala version: 2.7
Your suspicion is spot on !!
Note: Sentry only allows you to grant roles to groups that have alphanumeric characters and underscores (_) in the group name.
When Sentry is enabled, you must use Beeline to execute Hive queries. Hive CLI is not supported with Sentry and must be disabled. See Disabling Hive CLI for information on how to disable the Hive CLI.
The GRANT ROLE statement can be used to grant roles to groups and Only Sentry admin users can grant roles to a group.
Create a role
CREATE ROLE datascientist; GRANT ROLE datascientist TO GROUP gurus;
Grant to the database test
GRANT ALL ON DATABASE test TO ROLE datascientist;
Grant to a table lesson in test database
GRANT ALL ON TABLE test.lesson TO ROLE datascientist;
The reason Sentry grants ROLES to GROUPS is logic to simplifies management where you bundle privileges and grant it to a group so if that the only moving part is the user, so the below statement will effectively disable mayankj's grants to do anything privileges the datascientist roles
# gpasswd -d mayankj gurus
Removing user mayankj from group datascientist
Quite simple and effective
Roles are created to group together privileges or other roles. They are a means of facilitating the granting of multiple privileges or roles to groups.
Was your question answered? If so make sure to mark the answer as the accepted solution.
If you find a reply useful, kudos this answer by hitting the thumbs up button.
@Shelton - Thanks for your response.
I am able to grant role to a user in Sentry through beeline.
CREATE ROLE datascientist; GRANT ROLE datascientist TO USER mayank;
Above commands seems to work fine in Beeline, I am also able to view role in users current roles
SHOW CURRENT ROLES; +---------------+ | tab_name | ----------------| | datascientist | -----------------
However when I execute the same command in Impala. I don't see any roles assigned to this user.