Hive cannot hide default database with Sentry


Explorer

I use HiveServer2 with Sentry to only let users access the "anon" database; however, I can still see and use the "default" database:

beeline> !connect jdbc:hive2://192.168.1.123:10000 anon1 anon1
Connecting to jdbc:hive2://192.168.1.123:10000
Connected to: Hive (version 0.10.0)
Driver: Hive (version 0.10.0-cdh4.4.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://192.168.1.123:10000> show databases;
+----------------+
| database_name  |
+----------------+
| anon           |
| default        |
+----------------+
2 rows selected (0.409 seconds)

And here is the role and group definition:

 

[groups]
anon_analyst = anon_select_tables_role, anon_insert_tables_role

[roles]
anon_select_tables_role = server=localhost->db=anon->table=*->action=SELECT
anon_insert_tables_role = server=localhost->db=anon->table=*->action=INSERT

 

And the user anon1 is in the unix group. However, Impala cannot access the default database, which is the correct behavior. Does anybody know how to solve the problem for Hive? Thanks!

Innovation Never Die

Re: Hive cannot hide default database with Sentry

Master Guru
The group lookup for user 'anon1' is done on the HS2 host by default. Can you ensure that the HS2 unix host also has the same groups setup for 'anon1' as the impalad hosts have (which seem to work)?

Re: Hive cannot hide default database with Sentry

Explorer

Yes, the user groups of the Impala node and Hive nodes are the same.

I finally got the answer to my question. If I set "hive.sentry.restrict.defaultDB" to true in sentry-site.xml, the behavior of Impala and Hive will be the same, because the default value of "hive.sentry.restrict.defaultDB" is false.

Refer to line 48 of HiveAuthzConf.java in the Sentry source code.

 

Innovation Never Die
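
A check that follows from the accepted answer, added here as an example (not code from the thread or from the Sentry project): it reads sentry-site.xml for hive.sentry.restrict.defaultDB and lists the policy-file groups that hold no grant on "default" yet can still reach it in Hive. The policy text is the one posted in the question; the XML contents and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

RESTRICT_KEY = "hive.sentry.restrict.defaultDB"  # property named in the thread

# Policy file as posted in the question.
POLICY = """\
[groups]
anon_analyst = anon_select_tables_role, anon_insert_tables_role

[roles]
anon_select_tables_role = server=localhost->db=anon->table=*->action=SELECT
anon_insert_tables_role = server=localhost->db=anon->table=*->action=INSERT
"""

# Constructed sentry-site.xml contents (Hadoop configuration XML layout).
SITE_FIXED = f"""<configuration>
  <property><name>{RESTRICT_KEY}</name><value>true</value></property>
</configuration>"""
SITE_UNSET = "<configuration></configuration>"  # property absent, default applies

def default_db_restricted(site_xml):
    """True only when the property is set to 'true'; the thread says it defaults to false."""
    value = "false"
    for prop in ET.fromstring(site_xml).iter("property"):
        if (prop.findtext("name") or "").strip() == RESTRICT_KEY:
            value = prop.findtext("value") or ""
    return value.strip().lower() == "true"

def group_databases(policy_text):
    """Map each group to the set of db= scopes reachable through its roles."""
    section, table = None, {"groups": {}, "roles": {}}
    for line in map(str.strip, policy_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif line and not line.startswith("#") and section in table:
            key, _, value = line.partition("=")
            table[section][key.strip()] = [v.strip() for v in value.split(",")]
    out = {}
    for group, roles in table["groups"].items():
        privs = [p for r in roles for p in table["roles"].get(r, [])]
        out[group] = {part.split("=", 1)[1].strip().lower() for p in privs
                      for part in p.split("->") if part.strip().lower().startswith("db=")}
    return out

def audit(site_xml, policy_text):
    """List groups with no grant on 'default' that can still reach it in Hive."""
    if default_db_restricted(site_xml):
        return []
    return sorted(g for g, dbs in group_databases(policy_text).items() if "default" not in dbs)
```

With the property absent, `audit(SITE_UNSET, POLICY)` reports `anon_analyst`; with it set to true, the list is empty.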