Created 01-05-2021 09:59 AM
Hi,
We have set up a cluster by manually installing all the tarballs.
Hive and Impala have been configured to use Sentry for authorization.
We have created roles in Sentry using the following Hive command:
create role admin;
Next we are trying to assign this role to a user:
GRANT ROLE admin to user mayank;
The above command works fine in Hive; however, it fails in Impala with the following error:
AnalysisException
Encountered: IDENTIFIER
Expected: GROUP
Now when we try to run the following command from Hive:
show current roles;
We can see the result: admin
However, the same command in Impala doesn't return any result.
It seems Impala is only recognizing Role entitlements to Group and not to a User, unlike Hive.
Please let me know if this is by design or due to a configuration error in our cluster.
Hive version: 2.3.2, Sentry version: 2.0, Impala version: 2.7
Created 01-05-2021 11:49 AM
Your suspicion is spot on!!
Note: Sentry only allows you to grant roles to groups that have alphanumeric characters and underscores (_) in the group name.
When Sentry is enabled, you must use Beeline to execute Hive queries. Hive CLI is not supported with Sentry and must be disabled. See Disabling Hive CLI for information on how to disable the Hive CLI.
The GRANT ROLE statement can be used to grant roles to groups, and only Sentry admin users can grant roles to a group.
Create a role
CREATE ROLE datascientist;
GRANT ROLE datascientist TO GROUP gurus;
Grant to the database test
GRANT ALL ON DATABASE test TO ROLE datascientist;
Grant to a table lesson in test database
GRANT ALL ON TABLE test.lesson TO ROLE datascientist;
The reason Sentry grants ROLES to GROUPS is to simplify management: you bundle privileges and grant them to a group, so that the only moving part is the user. The statement below will therefore effectively remove mayankj's ability to do anything that the datascientist role's privileges allow:
# gpasswd -d mayankj gurus
Removing user mayankj from group datascientist
Quite simple and effective
Roles are created to group together privileges or other roles. They are a means of facilitating the granting of multiple privileges or roles to groups.
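The group-based role lifecycle described in the answer above, written out with verification and revocation steps as an added example (not part of the original posts). It uses the role, group and table names from this thread and assumes the statements are run from impala-shell or Beeline by a Sentry admin user, with gurus being a group that the cluster's group mapping resolves for the user.

```sql
-- Added example: only GROUP grants are used, the form both Hive and Impala accept.

-- 1. Create the role and bind it to a group (Sentry admin user required).
CREATE ROLE datascientist;
GRANT ROLE datascientist TO GROUP gurus;

-- 2. Attach privileges to the role, never to an individual user.
GRANT ALL ON DATABASE test TO ROLE datascientist;
GRANT ALL ON TABLE test.lesson TO ROLE datascientist;

-- 3. Check what has actually been recorded.
SHOW ROLES;                       -- roles known to Sentry
SHOW ROLE GRANT GROUP gurus;      -- roles bound to the group
SHOW GRANT ROLE datascientist;    -- privileges carried by the role

-- 4. Connected as an end user who is a member of gurus:
--    the result should list datascientist.
SHOW CURRENT ROLES;

-- 5. Revocation. Removing the user from the group (gpasswd -d, as shown
--    above) cuts off one user; detaching the role cuts off the whole group.
REVOKE ROLE datascientist FROM GROUP gurus;
```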
Created 01-05-2021 06:12 PM
@Shelton - Thanks for your response.
I am able to grant role to a user in Sentry through beeline.
CREATE ROLE datascientist;
GRANT ROLE datascientist TO USER mayank;
The above commands seem to work fine in Beeline; I am also able to view the role in the user's current roles:
SHOW CURRENT ROLES;
+---------------+
|   tab_name    |
+---------------+
| datascientist |
+---------------+
However, when I execute the same command in Impala, I don't see any roles assigned to this user.