Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hive cannot hide default database with Sentry

avatar
author-rank seafrog
Contributor

Created on ‎07-16-2014 11:36 AM - edited ‎09-16-2022 02:02 AM

I use hive server 2 with sentry only let users to access "anon" database, however I still can see and use the "default" database:

 

beeline> !connect jdbc:hive2://192.168.1.123:10000 anon1 anon1

Connecting to jdbc:hive2://192.168.1.123:10000

Connected to: Hive (version 0.10.0)

Driver: Hive (version 0.10.0-cdh4.4.0)

Transaction isolation: TRANSACTION_REPEATABLE_READ

0: jdbc:hive2://192.168.1.123:10000> show databases;

+----------------+

| database_name  |

+----------------+

| anon           |

| default        |

+----------------+

2 rows selected (0.409 seconds)

 

And here is the role and group definition:

 

[groups]
anon_analyst = anon_select_tables_role, anon_insert_tables_role

[roles]
anon_select_tables_role = server=localhost->db=anon->table=*->action=SELECT
anon_insert_tables_role = server=localhost->db=anon->table=*->action=INSERT

 

And the user anon1 is in the unix group. However, Impala cannot access the default database which is the correct behavior. Could anybody knows how to solve the problem for hive? Thanks!

Innovation Never Die
3,568 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank seafrog
Contributor

Created ‎08-21-2014 09:52 PM

Yes, the user group of impala node and hive nodes are the same.

I finally got the answer of my question. If I set "hive.sentry.restrict.defaultDB" to true in sentry-site.xml, the behavior of impala and hive will be the same. Because the default value of "hive.sentry.restrict.defaultDB" is false by default.

Refer line 48 of HiveAuthzConf.java of sentry source code.

 

Innovation Never Die

View solution in original post

3,518 Views
0
2 REPLIES 2

avatar
author-rank Harsh J author-rank
Mentor

Created ‎07-20-2014 07:40 AM

The group lookup for user 'anon1' is done on the HS2 host by default. Can you ensure that the HS2 unix host also has the same groups setup for 'anon1' as the impalad hosts have (which seem to work)?
3,546 Views
0 Kudos

avatar
author-rank seafrog
Contributor

Created ‎08-21-2014 09:52 PM

Yes, the user group of impala node and hive nodes are the same.

I finally got the answer of my question. If I set "hive.sentry.restrict.defaultDB" to true in sentry-site.xml, the behavior of impala and hive will be the same. Because the default value of "hive.sentry.restrict.defaultDB" is false by default.

Refer line 48 of HiveAuthzConf.java of sentry source code.

 

Innovation Never Die
3,519 Views
0
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements