I ran kinit superuser, who has access to HDFS folders, and then I created roles of various levels in Hive from beeline on my AD-based Kerberos cluster.
I can see the roles in Hive and Impala when I run the command "show current roles".
I created the roles using commands like:
GRANT ROLE cli_selectonly_su to GROUP superuser;
GRANT SELECT ON DATABASE MyDB TO ROLE cli_selectonly_su;
1] Based on this, if I run commands like show tables in Hive via beeline, it works fine, and if I set a specific role for that Hive session, it also works fine. In the Impala shell, I can see all the roles which I had created in the Hive shell, but I cannot set any specific role for the Impala session, and it seems to consider all the Hive-created roles, like ReadonlyRole, ReadWriteRole. How do I restrict a user in Impala to specific permissions?
2] Now, when I connect to the system using a different Kerberos user, i.e. kinit anotheruser,
and then go to impala-shell -k
and try to run any command like show tables, it gives me the error below.
ERROR: AuthorizationException: User 'anotheruser@REALM' does not have privileges to access: dbanem.*
Requesting help with this; please correct me if my understanding/implementation is not correct.