How to create a role admin user / privilege

Contributor

Even though the user has ALL privileges with the grant option set to true, the user cannot create / show roles.

How to create a role / assign the privilege to create/show roles to a user/group?

My setup: CDH 5.12, Impala with Sentry (service) enabled.

[myserver.com:21000] > version;

Shell version: Impala Shell v2.9.0-cdh5.12.0 (03c6ddb) built on Thu Jun 29 04:17:31 PDT 2017
Server version: impalad version 2.9.0-cdh5.12.0 RELEASE (build 03c6ddbdcec39238be4f5b14a300d5c4f576097e)

 

Roles and users set up:

[myserver.com:21000] > show grant role admin;
Query: show grant role admin
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
| scope  | database | table | column | uri | privilege | grant_option | create_time                   |
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
| SERVER |          |       |        |     | ALL       | true         | Fri, Aug 11 2017 05:55:28.694 |
+--------+----------+-------+--------+-----+-----------+--------------+-------------------------------+
Fetched 1 row(s) in 0.01s

[myserver.com:21000] > show current roles;
Query: show current roles
+--------------+
| role_name    |
+--------------+
| admin        |
+--------------+
Fetched 1 row(s) in 0.01s

 

Exception when the user tries to run show roles or create roles:

[myserver.com:21000] >show roles;
Query: show roles
ERROR: AuthorizationException: User 'sunil' does not have privileges to access the requested policy metadata or Sentry Service is unavailable.
1 ACCEPTED SOLUTION

Contributor

Using Cloudera Manager, go to Sentry->Configurations.

Add users/groups to the following properties to allow them to create/show roles. The smaller font is the property name in the configuration file, while the regular font is the display name of the property in CM.

Admin Groups
sentry.service.admin.group

Allowed Connecting Users
sentry.service.allow.connect

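An added example, not part of the original posts or of Cloudera's code: a small audit of the two properties named in the accepted solution, read from a Hadoop-format sentry-site.xml. The sample file contents, the group "analysts", the approved baseline and all function names are assumptions made for illustration, and membership is compared by exact name.

```python
import xml.etree.ElementTree as ET

ADMIN_GROUPS = "sentry.service.admin.group"
ALLOW_CONNECT = "sentry.service.allow.connect"

# Constructed sample in Hadoop configuration XML format; all values are made up.
SAMPLE_SENTRY_SITE = """<configuration>
  <property>
    <name>sentry.service.admin.group</name>
    <value>hive, impala,hue</value>
  </property>
  <property>
    <name>sentry.service.allow.connect</name>
    <value>hive,impala,hue,hdfs</value>
  </property>
</configuration>"""


def load_lists(xml_text):
    """Parse the two comma-separated properties into sets of names."""
    lists = {ADMIN_GROUPS: set(), ALLOW_CONNECT: set()}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name in lists:
            raw = prop.findtext("value") or ""
            lists[name] = {v.strip() for v in raw.split(",") if v.strip()}
    return lists


def admin_groups_of(user_groups, lists):
    """Return the user's groups that appear in the admin group list."""
    return sorted(set(user_groups) & lists[ADMIN_GROUPS])


def beyond_baseline(lists, approved_admin_groups, approved_connect_users):
    """Entries outside the approved baseline; each one needs a review."""
    return {
        ADMIN_GROUPS: sorted(lists[ADMIN_GROUPS] - set(approved_admin_groups)),
        ALLOW_CONNECT: sorted(lists[ALLOW_CONNECT] - set(approved_connect_users)),
    }


if __name__ == "__main__":
    lists = load_lists(SAMPLE_SENTRY_SITE)
    # Hypothetical group membership for the user from the question.
    print("sunil admin via:", admin_groups_of(["analysts"], lists) or "no admin group")
    print("review:", beyond_baseline(lists, ["hive", "impala"], ["hive", "impala", "hue", "hdfs"]))
```

Every group added to the admin list can create roles and grant privileges, so comparing the list against a short approved baseline after each change keeps that set deliberate.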

4 REPLIES 4

Contributor

We're blocked here. Is there a way to make any other users besides Impala, Hive a role admin, i.e. grant access to show and create roles?

Champion

1. Check the policy file.

2. Check if the user "sunil" is in the Impala group.

If nothing helps, to dig more, use the safety valve to enable the log4j root logger and share the logs if you can:

log4j.logger.org.apache.sentry=DEBUG

Contributor

I'm using the Sentry service via Cloudera Manager. I just realized that I can add other users / groups to the Sentry config in Cloudera Manager and allow them to run Grant / Create role commands.
