Created 05-17-2023 09:12 PM
I followed this guide on the Cloudera website and have finished the "Installing and Upgrading the Sentry Service" step. Now what do I do next?
I tried to start Beeline and execute some queries as normal but got a privilege error:
kinit -k -t /home/vgdata/vega.keytab vega@BI.VEGA.COM (get tgt for user vega)
beeline -u "jdbc:hive2://data-node01:10000/test;principal=hive/data-node01.vega.com@BI.VEGA.COM" (access beeline with kerberos principal)
select * from test; (execute query)
But I got an error like the one below:
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User vega does not have privileges for SWITCHDATABASE
The required privileges: Server=server1->Db=*->Table=+->Column=*...
User "vega" is an HDFS superuser, and also the main user that we use to connect to all Hadoop services (there is a Kerberos principal "vega" too).
I tried to execute some commands like:
create role admin;
grant role ....
But they all get an error like "No groups found for user vega".
Now where do I start? Is there a default "admin" user with which I can do everything (including grant...)? I want to grant user "vega" the "admin" role, which can do everything. Something like the MySQL grant privilege command:
GRANT ALL PRIVILEGES ON database.table TO user;
GRANT ALL PRIVILEGES ON *.* TO vega;
Created 05-18-2023 02:05 AM
Hi,
Use the below commands and see if you find any difference.
CREATE ROLE [role_name];
GRANT <PRIVILEGE> ON <OBJECT> <object_name> TO ROLE <roleName>;
GRANT ROLE <role_name> TO GROUP <groupName>;
Examples:
create role testing;
grant all on database <db-name> to role testing;
grant role testing to group <group-name>;
In this case the user should be part of this particular group on all the cluster nodes - user group mapping at OS level is required. You can check the groups of a user using "id <user-name>".
Regards,
Chethan YM
Created 05-18-2023 07:56 PM
Thanks. The user didn't exist at the OS level (CentOS). I created the user and it's fine. Also, the created user must be in "admin.groups" in the Sentry conf to have the privileges for the GRANT commands.
Also, may I ask how Sentry recognizes users/groups? Does it take the user/group from Hue, or HDFS, or the local OS (in the case of using a Cloudera cluster)? At first, I thought it was the OS level, but I have some problems related to the user/group; it seems like Sentry doesn't properly recognize the user/group settings at the OS level.
Or do I have to create the same user/group on all nodes in the cluster, not just on the main name-node?
Created 05-19-2023 02:21 AM
Yes, user group mapping should be across the cluster nodes, not only on the name-node.
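Added example, not part of the thread: the replies above say the user must exist and belong to the granted group on every cluster node, so this sketch audits collected `id` output per host and flags nodes where that is not true. The host names other than data-node01, the group name `hadoopadmins` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: one line per node, "<host> <output of `id vega`>".
# On a real cluster it could be gathered with something like:
#   for h in name-node01 data-node01; do echo "$h $(ssh "$h" id vega 2>&1)"; done
sample_id_output() {
cat <<'EOF'
name-node01 uid=1001(vega) gid=1001(vega) groups=1001(vega),1002(hadoopadmins)
data-node01 uid=1001(vega) gid=1001(vega) groups=1001(vega)
data-node02 id: vega: no such user
data-node03 uid=1001(vega) gid=1001(vega) groups=1001(vega),1002(hadoopadmins) context=unconfined_u
EOF
}

# Reads "<host> <id output>" lines on stdin and prints one finding per host
# where the user is unknown to the OS or is not a member of group $1.
audit_group_mapping() {
  local group="$1" host rest grps
  while read -r host rest; do
    if [ -z "$host" ]; then
      continue
    fi
    case "$rest" in
      uid=*) ;;                               # user resolved on this node
      *) echo "$host MISSING_USER"; continue ;;
    esac
    grps="${rest##*groups=}"                  # keep only the groups= field
    grps="${grps%% *}"                        # drop a trailing SELinux context= field
    case ",$grps," in
      *"($group),"*) ;;                       # exact group name match
      *) echo "$host NOT_IN_GROUP" ;;
    esac
  done
  return 0
}

# Nodes listed here are the ones where a grant to the group would not
# take effect for the user until the OS-level mapping is fixed.
sample_id_output | audit_group_mapping hadoopadmins
```

Pass the group that was used in `grant role ... to group ...`; an empty result means the mapping is consistent on every node that was sampled.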