Support Questions

Andreyeff · ‎07-19-2018

Hi,

We're strugling with the issue that Impala does not provide access to SHOW CREATE VIEW statement for the owner of the view (as well as owner of underlying table). Sentry based authorization is used.
The documentation (https://www.cloudera.com/documentation/enterprise/5-14-x/topics/impala_show.html#show_create_view) states that the required privileges should be: VIEW_METADATA privilege on the view and SELECT privilege on all underlying views and tables.

In our case the user owns the view and table, therefore, I expect both are fulfilled.

As you could see in the log below, the user has created, selected and dropped the view, but he couldn't see the CREATE statement.

Invalidate metadata was tried too.
Could you kindly help to resolve the issue, so that developers could check the CREATE statements - is there a missing bit or is it a bug?

Environment:
CDH 5.14.2
Impala 2.11.0
LDAP authentication
Sentry file authorization

Here is the log from different aspects:

=== Sentry file ========
[users]
svc.analyticaldata_dq=analytical_data, ...
...
[groups]
analytical_data=analytical_data
...
[roles]
analytical_data=server=server1->db=analytical_data
...

=== Impala CLI =============
[node009:21000] > select version();
Query: select version()
+-------------------------------------------------------------------------------------------+
| version() |
+-------------------------------------------------------------------------------------------+
| impalad version 2.11.0-cdh5.14.2 RELEASE (build ed85dce709da9557aeb28be89e8044947708876c) |
| Built on Tue Mar 27 13:39:48 PDT 2018 |
+-------------------------------------------------------------------------------------------+

[node009:21000] > select user();
Query: select user()
Query submitted at: 2018-07-19 15:30:16 (Coordinator: http://node009:25000)
Query progress can be monitored at: http://node009:25000/query_plan?query_id=1e4cc7a8258b79ff:e58adb9100000000
+-----------------------+
| user() |
+-----------------------+
| svc.analyticaldata_dq |
+-----------------------+
Fetched 1 row(s) in 0.08s

[node009:21000] > use analytical_data;
Query: use analytical_data

[node009:21000] > create view t as select count(*) from system9999.cases;
Query: create view t as select count(*) from system9999.cases
Query submitted at: 2018-07-19 15:24:52 (Coordinator: http://node009:25000)
Query progress can be monitored at: http://node009:25000/query_plan?query_id=304454e5a834396a:c1fbf50a00000000
Fetched 0 row(s) in 0.08s

[node009:21000] > select * from t;
Query: select * from t
Query submitted at: 2018-07-19 15:24:55 (Coordinator: http://node009:25000)
Query progress can be monitored at: http://node009:25000/query_plan?query_id=27459f84b4308766:6ed0235200000000
+---------+
| _c0 |
+---------+
| 6609331 |
+---------+
Fetched 1 row(s) in 4.50s

[node009:21000] > show create view t;
Query: show create view t
ERROR: AuthorizationException: User 'svc.analyticaldata_dq' does not have privileges to see the definition of view 'analytical_data.t'.

[node009:21000] > drop view t;
Query: drop view t
=== Metastore =============
[metastore]> select TBL_ID,TBL_NAME,OWNER,TBL_TYPE from TBLS where DB_ID=374406;

+---------+--------------------------------------------+-----------------------+---------------+
| TBL_ID | TBL_NAME | OWNER | TBL_TYPE |
+---------+--------------------------------------------+-----------------------+---------------+
| 1222804 | t | svc.analyticaldata_dq | VIRTUAL_VIEW |

Andreyeff · ‎07-19-2018

Oh, the issue appeared to be even in functions.
Thanks for fast reply and raising a ticket.

Cloudera Community

Support Questions

SHOW CREATE VIEW fails for owner

This problem has been solved!

This problem has been solved!