Created on 08-10-2017 11:37 PM - edited 09-16-2022 05:04 AM
Even though the user has ALL privileges with grant option set to true, the user cannot create/show roles.
How to create a role / assign the privilege to create/show roles to a user/group?
My setup: CDH 5.12, Impala with Sentry (service) enabled.
[myserver.com:21000] > version;
Shell version: Impala Shell v2.9.0-cdh5.12.0 (03c6ddb) built on Thu Jun 29 04:17:31 PDT 2017
Server version: impalad version 2.9.0-cdh5.12.0 RELEASE (build 03c6ddbdcec39238be4f5b14a300d5c4f576097e)
Roles and users set up
[myserver.com:21000] > show grant role admin;
Query: show grant role admin
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database | table | column | uri | privilege | grant_option | create_time                   |
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
| SERVER |          |       |        |     | ALL       | true         | Fri, Aug 11 2017 05:55:28.694 |
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.01s
[myserver.com:21000] > show current roles;
Query: show current roles
+--------------+
| role_name    |
+--------------+
| admin        |
+--------------+
Fetched 1 row(s) in 0.01s
Exception when user tries to run show roles or create roles.
[myserver.com:21000] > show roles;
Query: show roles
ERROR: AuthorizationException: User 'sunil' does not have privileges to access the requested policy metadata or Sentry Service is unavailable.
Created 08-24-2017 09:36 AM
Using Cloudera Manager, go to Sentry->Configurations
Add users/groups to the following property to allow them to create/show roles. Smaller fonts are the property name in the configuration file, while regular fonts are the display name of the property in CM.
Created 08-11-2017 11:13 PM
We're blocked here. Is there a way to make any other users besides Impala, Hive role admin? i.e. grant access to show and create roles?
Created 08-12-2017 05:20 AM
1. Check the policy file.
2. Check if the user "sunil" is in the Impala group.
If nothing helps, to dig more, use the safety valve to enable the log4j root logger and share the logs if you can:
log4j.logger.org.apache.sentry=DEBUG
Created 08-18-2017 12:31 AM
I'm using the Sentry service with Cloudera Manager. I just realized that I can add other users/groups to the Sentry config in Cloudera Manager and allow them to run Grant / Create role commands.