Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

INSERT only permission not working : "does not have privileges for QUERY" , _tmp_table issue ?!?!

Labels:
avatar
author-rank geko
Guru

Created on ‎03-20-2017 08:05 AM - edited ‎09-16-2022 04:17 AM

Hi,

I am playing around with Sentry and want to provide "write-only" permission to a user via

 

grant insert ON default.shipment_test TO ROLE ingester;

But if I connect to hive via beeline and execute an insert statement, I receive the error:

 

 

0: jdbc:hive2://quickstart.cloudera:10000/def> insert into shipment_test values (1,'1111');
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
 User writer does not have privileges for QUERY
 The required privileges: Server=server1->Db=default->Table=values__tmp__table__2->Column=tmp_values_col1->action=select; (state=42000,code=40000)

 

The environment is CDH sandbox 5.8

Linux user 'writer' is member of group 'ingester';

The group 'ingester' is assigned to the proper role in Sentry and was given the INSERT privilege:

grant role sentry_ingester to group ingester;
grant INSERT ON default.shipment_test TO ROLE sentry_ingester;

 

 

Why the statement errors out due to a "select" issue on a tmp table ?!?! 

Do I have to specify some more privileges, or how do you grant "INSERT"-only permissions to a group ?

 

Thanks in advance...

 

 

12,253 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank mathieu.d
Super Collaborator

Created on ‎03-22-2017 09:38 AM - edited ‎03-22-2017 09:40 AM

I have run some tests.

And indeed, the problem seems to be around the temporary table (at least, it is failing here before anything else).

 

The query you make with the "VALUES" part work like this :

- it create a temporary hive table with the line to be inserted

- it query that temporary table for inserting the data into the target table

 

From what I see, the temporary table is created. But the user do not have "select" permission on it.

Surprisingly sentry allow for the creation but not the select.

 

 

I guess that a workaround would be to grant "SELECT" on the database "default" but this could bring some issues for you (since the user will have read permission on all the tables inside "default").

 

Seems like a defect to me.

 

 

View solution in original post

12,140 Views
0 Kudos
11 REPLIES 11

avatar
author-rank geko
Guru

Created ‎03-23-2017 05:01 AM

Hi @mathieu.d ,

do you think this needs to be raised as an issue/bug , or is my case that unusual (I don't think so, honestly 😉 )?

3,063 Views
0 Kudos

avatar
author-rank mathieu.d
Super Collaborator

Created ‎03-24-2017 05:48 AM

I do think this is a defect. Not sure how Cloudera will see it.

 

But to be fair, this particular way of inserting data (with the VALUES syntax) into a table is pretty much limited to small testing.

3,051 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements