I got CDH 5.16 and a cluster with Impala / Hive / Sentry (database-backed) set up.
In Impala, I got different databases and want to define policies so that a group / role can access all databases read-only.
I tried this Grant but it does not work:
"GRANT SELECT ON DATABASE ALL TO ROLE my_role;"
How can I define SELECT-permissions for all databases in Sentry?
Quite strangely, the same GRANT Query seems to work when running through HiveServer2 (e.g. using beeline). Is this an Impala Bug?
are you using the same user from Impala and Hive?
if your cluster is not kerberized and from Impala-shell you run as 'impala' user and from beeline as 'hive' user, it´s possible that your user 'impala' doesn´t belongs to sentry´s admins groups.
You can check those groups in property "sentry.service.admin.group" in Sentry service.
It could be a possibility...
I am using the same user for the access both from Hive and Impala. Besides, both users are in the Sentry admin group list.
in that case, it could be possible that you have not enabled the Sentry Service from Impala?
If you have a similar message like this:
"Authorization is not enabled. To enable authorization restart Impala with the --server_name=<name> flag."
In Cloudera Manager the property "Sentry Service" might be to none and you can execute Sentry admin commands until you configure it and restart Impala.
Nope Sentry is set up and all other grants work. It is only the SELECT GRANT that makes problems and does not work in Impala.
Sorry, I thought your problem could be about configuration.
But you´re right, it looks like impala-shell doesn´t support the the clausule ALL (neither *) to refer to "ALL DATABASES".
You can specify "default" DATABASE or a particular DATABASE, but not all at one time:
ERROR: AnalysisException: Syntax error in line 1: GRANT ALL ON TABLE ALL TO ROLE rol_auditors ^ Encountered: ALL Expected: DEFAULT, IDENTIFIER CAUSED BY: Exception: Syntax error
and from beeline it works fine.
In my opinion, I think it doesn´t a bug, only that they have not implemented this option from impala-shell.
I'm sorry I could not help you.