
HUE created roles not applying to users in HUE


Contributor

So after 5 days of following 

https://www.cloudera.com/documentation/enterprise/latest/topics/cm_sg_sentry_service.html

http://gethue.com/apache-sentry-made-easy-with-the-new-hue-security-app/#howto

 

testing out with policy files and not policy files, hdfs ownership, and finally after following http://www.yourtechchick.com/hadoop/no-databases-available-permissions-missing-error-hive-sentry/ I can create roles in HUE - I can see them, manage them and I see the Sentry logs updating something

Admin users can see, query and work with everything. And error messages are no longer coming in on HUE; small victories

 

After applying roles to groups to limit access to certain db (the only thing I needed Sentry to do) 

The users belonging to the limited set cannot see any database 

and hive is throwing the following 

 

 

 

2017-03-30 22:48:09,619 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
	at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:356)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:436)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:306)
	at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1120)
	at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1113)
	at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:99)
	at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:170)
	at org.apache.hive.service.cli.operation.Operation.run(Operation.java:257)
	at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:398)
	at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatement(HiveSessionImpl.java:379)
	at org.apache.hive.service.cli.CLIService.executeStatement(CLIService.java:245)
	at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:487)
	at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1313)
	at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1298)
	at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
	at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
	at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)
	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User vchetty does not have privileges for SWITCHDATABASE
	at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:320)
	at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(HiveAuthzBindingHook.java:540)
	at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:346)
	... 20 more

 

Technically my goal is to have sentry manage users in HUE on what they can see via Impala and BeesWax(hive) 

 

versions
Cloudera Express 5.4.7
Hue™ 3.7.0

Sentry installed correctly and running on same server as HUE

 

config

LDAP and Kerberos not enabled  

 

On Hive 

Hive sentry is enabled 

sentry-site.xml has  <property>  <name>sentry.hive.testing.mode</name>  <value>true</value></property> 

 

hive.server2.enable.impersonation, hive.server2.enable.doAs is off

 

On HUE 

Hue sentry is enabled

user_augmentor desktop.auth.backend.DefaultUserAugmentor

desktop.auth.backend.AllowFirstUserDjangoBackend

sentry-site.xml has  <property>  <name>sentry.hive.testing.mode</name>  <value>true</value></property> 

 

beeline CLI shows the roles and I can show a specific role on which databases it can use

the user is mapped to that specific role in HUE

 

Haven't tried any settings on Impala, I hope it just adopts hive settings once enabled

Any ideas on what I may be missing?

 

LDAP and Kerberos are not something I am willing to deal with at this time

 

 

 

1 REPLY

Re: HUE created roles not applying to users in HUE

Contributor

Additional information

if at all possible - I would like to only use the users in HUE and not build the users on the local server, or activate LDAP.  Unless absolutely required
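
Added example, not part of the original thread and not Sentry's own code: a small Python parser for the HiveServer2 denial shown in the question, pairing each `AuthorizationException` with the `Required privileges` list logged before it. The sample lines are copied from the post with the stack frames omitted; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample lines copied from the HiveServer2 log in the question (stack frames omitted).
SAMPLE_LOG = """\
2017-03-30 22:48:09,619 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges
 Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;
Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User vchetty does not have privileges for SWITCHDATABASE
"""

REQUIRED_RE = re.compile(r"Required privileges for this query:\s*(.+)")
DENIED_RE = re.compile(r"AuthorizationException: User (\S+) does not have privileges for (\w+)")


def parse_privilege(spec):
    """Turn 'Server=s->Db=*->Table=+->action=select' into a dict with lower-case keys."""
    parts = (item.split("=", 1) for item in spec.split("->") if "=" in item)
    return {key.strip().lower(): value.strip() for key, value in parts}


def summarize_denials(log_text):
    """Return {(user, operation): [privilege dicts]} for each Sentry denial in the log."""
    denials = defaultdict(list)
    pending = []  # privileges seen since the last denial line
    for line in log_text.splitlines():
        match = REQUIRED_RE.search(line)
        if match:
            for spec in filter(None, (s.strip() for s in match.group(1).split(";"))):
                priv = parse_privilege(spec)
                if priv not in pending:  # the message is logged twice per failure
                    pending.append(priv)
            continue
        match = DENIED_RE.search(line)
        if match:
            denials[(match.group(1), match.group(2))].extend(pending)
            pending = []
    return dict(denials)


if __name__ == "__main__":
    for (user, operation), privileges in summarize_denials(SAMPLE_LOG).items():
        print(f"{user} denied {operation}; required privileges listed:")
        for p in privileges:
            print(f"  {p['action']} on db={p['db']} table={p['table']} ({p['server']})")
```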
