Granted permissions of tables to user but still table is not listing + Sentry
Labels: Apache Hadoop, Apache Hive, Apache Sentry
Created on 09-15-2015 12:47 AM - edited 09-16-2022 02:40 AM
Hi All,
This post is regarding Sentry authorization.
I am able to create/grant/revoke roles now...
I would be thankful if you could give one last bit of help.
I logged in as hive and granted permission to access tables to a user, but when I log in as that user, those tables do not appear for that user.
Please refer to the scenario below:
> Logged on the machine from impadmin user
> Added user "impadmin" in "hadoop" group.
> Went to beeline client and passed below connection string
!connect jdbc:hive2://hadoopslave0.company.co.in:10000/default
Pass username = hive and password = *******
This hive user is a LDAP user
> SET ROLE Manager;
> Created a new role named "developer" by using below command
CREATE ROLE developer;
> After that Granted this role to group hadoop
GRANT ROLE developer TO GROUP hadoop
> Created two tables named newtable_1 and newtable_2 in default DB and created one table named newtable_3 in a newly added DB kyvostestingdb
> GRANT SELECT ON DATABASE default TO ROLE developer;
As we have granted ROLE developer with SELECT privilege on DATABASE “default”, so all the groups belonging to this ROLE should have rights to VIEW tables inside this DB and can Query from tables.
> Now exit from beeline client
> Went to beeline client and passed below connection string
!connect jdbc:hive2://hadoopslave0.company.co.in:10000/default
username :- impadmin
password :- ******
> SET ROLE developer;
> After that execute command SHOW TABLES;
No results come back after executing this command. This user belongs to ROLE developer, so all tables inside the default DB should appear.
Do you think I have done anything wrong?
I would be thankful if you could give this last bit of help.
Created 09-15-2015 04:31 PM
SHOW CURRENT ROLES;
SHOW GRANT ROLE developer;
If yes, then the issue can likely be that HS2 and Sentry aren't really seeing the user 'impadmin' within the group 'hadoop'. On the HS2 and Sentry Service hosts, please check/pass the output of "id -Gn impadmin" Linux command.
Created on 09-16-2015 01:18 AM - edited 09-16-2015 01:31 AM
Hi Harsh J,
Thanks for the reply.
Before answering your questions, I want to make things more clear.
I have set Sentry User to Group Mapping Class to org.apache.sentry.provider.file.LocalGroupResourceAuthorizationProvider in the Hive service; that's why I have changed the group of user impadmin from hadoop to a local group named engineering.
Also, Hadoop User Group Mapping Implementation is set to org.apache.hadoop.security.ShellBasedUnixGroupsMapping in the HDFS service on our cluster.
Do you think any other setting will be required to use a local user group? As per my R&D these are the only ones.
SHOW CURRENT ROLES;
SHOW GRANT ROLE developer;
When running the above as the hive user, it gives proper results.
I have also run the "id -Gn impadmin" Linux command on the HS2 and Sentry Service hosts.
It gives the response below:
impadmin engineering
I added the user to the group using the command below:
usermod -G impadmin,engineering impadmin
Just to add more details:
Our Hive database name is metastore and the Sentry service database name is sentry. Both are MySQL.
I went to MySQL, ran "use metastore" and "show tables",
so I can see a table named ROLES.
When I query this table I can see the results below:
+---------+-------------+------------+-----------+
| ROLE_ID | CREATE_TIME | OWNER_NAME | ROLE_NAME |
+---------+-------------+------------+-----------+
|       1 |  1431503404 | admin      | admin     |
|       2 |  1431503404 | public     | public    |
+---------+-------------+------------+-----------+
....
Do you think we need to add the role named developer in this table as well? Sorry, just asking; maybe it's illogical.
Created 09-20-2015 06:28 AM
GRANT ROLE developer TO GROUP engineering
Not,
GRANT ROLE developer TO GROUP hadoop
--
Or was this already done? The response is unclear about this.
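The check discussed above (compare what "id -Gn" reports on the HS2 and Sentry hosts with the group the role was actually granted to), written out as an added example that is not part of any post in this thread. The "role:group" and "host|groups" input formats, the *.example host names and the function names are constructed for illustration; the role and group names are the thread's.

```shell
#!/bin/sh
# Constructed sample data, typed in by hand (not captured from a live cluster).
# Role-to-group grants, one "role:group" pair per line.
GRANTS_BEFORE='developer:hadoop'
GRANTS_AFTER='developer:hadoop
developer:engineering'
# "host|output of id -Gn impadmin" as collected on each HS2 / Sentry host.
HOST_VIEW='hs2-host.example|impadmin engineering
sentry-host.example|impadmin'

# roles_for_groups USER_GROUPS GRANTS
# Prints the roles a user resolves to through group membership only,
# which is how the role reaches the user in this thread.
# Group names are compared exactly (assumption of this sketch).
roles_for_groups() {
    user_groups=$1
    printf '%s\n' "$2" | while IFS=: read -r role granted_to; do
        [ -n "$role" ] || continue
        for g in $user_groups; do
            if [ "$g" = "$granted_to" ]; then printf '%s\n' "$role"; fi
        done
    done | sort -u
}

# hosts_missing_group GROUP HOSTDATA
# Prints every host on which the user is NOT seen as a member of GROUP,
# including hosts where the group lookup returned nothing at all.
hosts_missing_group() {
    want=$1
    printf '%s\n' "$2" | while IFS='|' read -r host seen; do
        [ -n "$host" ] || continue
        found=no
        for g in $seen; do
            if [ "$g" = "$want" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$host"; fi
    done
}

# Demo: the role was granted to "hadoop", but the user is only in "engineering".
echo "roles with grant to hadoop only: [$(roles_for_groups 'impadmin engineering' "$GRANTS_BEFORE")]"
echo "roles after grant to engineering: [$(roles_for_groups 'impadmin engineering' "$GRANTS_AFTER")]"
echo "hosts not seeing group engineering: [$(hosts_missing_group engineering "$HOST_VIEW")]"
```

An empty first result corresponds to the empty SHOW TABLES in the original question; a non-empty last result points at a host whose group lookup disagrees with the others.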
Created 09-24-2015 04:10 AM
Thanks Harsh J,
My Sentry configuration is working fine now.
Thank you very much for all of your help.
Created 11-27-2018 02:17 AM
I created the maroof user on the operating system with group maroof. Then from the Hue browser I logged in as the impala user, which is the Sentry admin user. I created a role named "readonly" and granted select privileges on the Hive database default. Now from the Hive CLI, when I log in as the maroof OS user, it allows me to select tables in the Hive default database. I also created a user in the Hue browser with the same name, maroof; when I select the Hive default tables there, it throws an error:
"AuthorizationException: User 'maroof' does not have privileges to execute 'SELECT' on: default.test101 "
But the same select works fine from the Hive CLI, and from the Hue browser it does not allow me to select. What could be the issue?
Your help is required on this, please.
Created 02-12-2019 05:37 AM
"Do both of these assert the right values you've set?
SHOW CURRENT ROLES;
SHOW GRANT ROLE developer;"
And if I set the role to group tezd_group, create a new user tezd_user, assign tezd_user to tezd_group, and see "SHOW CURRENT ROLES;" -> 0 rows?
So, it looks like the user has no groups, or something like this... Where's the problem?
Created 04-10-2018 06:32 PM
I have a similar problem where some AD group members are unable to access any objects in Hive. They lost all privileges. Whereas some users in the same AD group are able to access the objects without any issues.
Not understanding where to start troubleshooting.
The "id -Gn <user_name>" results show the appropriate AD groups associated with the users. The problem exists with Hive/Sentry.
Please provide your suggestions.
Created 04-30-2019 06:44 AM
In some cases, when a daemon has trouble with the AD connection protocol, it's impossible to retrieve user-group assignment information from that server.
If your work happens to be launched from that server, you get an error, but if the work is launched from another server without those problems, it looks as if the launch was fine.
It's strange, but a possibility...
