Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hive cannot hide default database with Sentry

avatar
author-rank seafrog
Contributor

Created on ‎07-16-2014 11:36 AM - edited ‎09-16-2022 02:02 AM

I use hive server 2 with sentry only let users to access "anon" database, however I still can see and use the "default" database:

 

beeline> !connect jdbc:hive2://192.168.1.123:10000 anon1 anon1

Connecting to jdbc:hive2://192.168.1.123:10000

Connected to: Hive (version 0.10.0)

Driver: Hive (version 0.10.0-cdh4.4.0)

Transaction isolation: TRANSACTION_REPEATABLE_READ

0: jdbc:hive2://192.168.1.123:10000> show databases;

+----------------+

| database_name  |

+----------------+

| anon           |

| default        |

+----------------+

2 rows selected (0.409 seconds)

 

And here is the role and group definition:

 

[groups]
anon_analyst = anon_select_tables_role, anon_insert_tables_role

[roles]
anon_select_tables_role = server=localhost->db=anon->table=*->action=SELECT
anon_insert_tables_role = server=localhost->db=anon->table=*->action=INSERT

 

And the user anon1 is in the unix group. However, Impala cannot access the default database which is the correct behavior. Could anybody knows how to solve the problem for hive? Thanks!

Innovation Never Die
3,409 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank seafrog
Contributor

Created ‎08-21-2014 09:52 PM

Yes, the user group of impala node and hive nodes are the same.

I finally got the answer of my question. If I set "hive.sentry.restrict.defaultDB" to true in sentry-site.xml, the behavior of impala and hive will be the same. Because the default value of "hive.sentry.restrict.defaultDB" is false by default.

Refer line 48 of HiveAuthzConf.java of sentry source code.

 

Innovation Never Die

View solution in original post

3,359 Views
2 REPLIES 2

avatar
author-rank Harsh J author-rank
Mentor

Created ‎07-20-2014 07:40 AM

The group lookup for user 'anon1' is done on the HS2 host by default. Can you ensure that the HS2 unix host also has the same groups setup for 'anon1' as the impalad hosts have (which seem to work)?
3,387 Views
0 Kudos

avatar
author-rank seafrog
Contributor

Created ‎08-21-2014 09:52 PM

Yes, the user group of impala node and hive nodes are the same.

I finally got the answer of my question. If I set "hive.sentry.restrict.defaultDB" to true in sentry-site.xml, the behavior of impala and hive will be the same. Because the default value of "hive.sentry.restrict.defaultDB" is false by default.

Refer line 48 of HiveAuthzConf.java of sentry source code.

 

Innovation Never Die
3,360 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements