Created on 03-11-2016 02:45 AM - edited 09-16-2022 03:08 AM
Hi,
I have an unsecured cluster (CDH 5.4) and, as I want to provide access to data to more users, I would like to turn on Sentry, so far without Kerberos (which comes after a successful launch of Sentry).
As some other people might need Impala at the moment, I decided to set it up in Hive in the first stage.
Steps I have taken:
1) I have set up 2 users: hive and tuser
tuser - group test
hive - group hive, zookeeper
group test
indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access,
jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access,
search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access
group hive
beeswax.access
group hive has role admin (the first one with an unlocked lock):
SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL
group test has role neco
SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL
Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect.
2) I have turned on the sentry
- in Hive checked the Sentry Service from "none" to "Sentry"
- in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted <property> <name>sentry.hive.testing.mode</name><value>true</value></property>
+ restarted Sentry
Result:
User hive can access anything in Hive. That's what I was expecting.
User tuser can't access anything in Hive (Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;)
What am I missing?
Created 03-22-2016 02:06 AM
Finally I was advised what was wrong: The Hue groups must be the same as the groups on the NameNode's Linux (as the HDFS org.apache.hadoop.security.ShellBasedUnixGroupsMapping is checked). In the case of Impala, all of the nodes with Impala Daemons have to have the same groups. However, I am going to overtake the groups from LDAP (option org.apache.hadoop.security.LdapGroupsMapping).
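A check for the cause described in the accepted answer above, as an added example that is not part of the original posts: it compares the group a Sentry role was granted to with the groups the NameNode resolves via `hdfs groups`. The function names and the sample lines are constructed for illustration; `tuser`, `hive` and `test` are the names used in the question.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: is the group a Sentry role was granted to
# among the groups Hadoop resolves for the user?

# Print the group list from one line of `hdfs groups <user>` output,
# which has the form "user : group1 group2 ...".
parse_hdfs_groups() {
    _rest="${1#* :}"
    [ "$_rest" != "$1" ] || return 1    # no " :" separator: not a groups line
    printf '%s\n' "${_rest# }"
}

# $1 = groups line, $2 = role group. 0 = resolved, 1 = missing, 2 = bad input.
group_is_resolved() {
    _groups="$(parse_hdfs_groups "$1")" || return 2
    for _g in $_groups; do
        [ "$_g" = "$2" ] && return 0
    done
    return 1
}

# Print a verdict for one groups line ($1) and role group ($2).
check_role_group() {
    _rc=0
    group_is_resolved "$1" "$2" || _rc=$?
    case "$_rc" in
        0) echo "OK: '$2' is resolved, roles granted to it apply" ;;
        1) echo "MISSING: '$2' is not resolved, roles granted to it do not reach this user" ;;
        *) echo "ERROR: unrecognised groups line: $1" ;;
    esac
    return "$_rc"
}

if command -v hdfs >/dev/null 2>&1; then
    # Live check on a cluster node; defaults are the names used in the thread.
    user="${1:-tuser}"; role_group="${2:-test}"
    echo "group mapping: $(hdfs getconf -confKey hadoop.security.group.mapping)"
    check_role_group "$(hdfs groups "$user")" "$role_group" || true
else
    # Constructed sample lines: "test" exists only in Hue, so the NameNode
    # resolves tuser to a primary group named after the user.
    check_role_group "tuser : tuser" "test" || true
    check_role_group "hive : hive zookeeper" "hive" || true
fi
```

On a cluster node, pass the user and the role's group as the two arguments; without the `hdfs` client on the PATH the script only evaluates the constructed sample lines.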
Created 03-11-2016 06:20 AM
Created 03-22-2016 05:36 AM
@Petr Thanks for sharing the solution in case it can be of assistance to others. 🙂
Created 08-22-2016 02:48 AM
Hi,
I'm trying to create a table as mentioned below. I have all the read/write/execute permissions for the mentioned users.
CREATE EXTERNAL TABLE stage_rtra_transaction_ext_1(
attemptid string,
trns_sur_key string,
sender_gi string,
payee_gi string,
success_flag string,
atch_que_name string,
transactionstate string,
pay_mtcn_nr string,
swb_zone string,
swb_zone_pay string,
que_name string,
moneyordertype string,
trns_ts string,
ext_seq_no string,
field_name string,
field_value string)
PARTITIONED BY (
year int,
month int,
day int)
ROW FORMAT DELIMITED
FIELDS TERMINATED BY '\u0001'
STORED AS RCFILE
LOCATION 'hdfs://nameservice1/compliance/compliancehadoop/data/stage/rtra/STAGE_RTRA_TRANSACTION_EXT/';
While running in beeline I'm getting the below error.
Error: Error while compiling statement: FAILED: SemanticException No valid privileges
User compliance does not have privileges for CREATETABLE
The required privileges: Server=server1->URI=hdfs://nameservice1/compliance/compliancehadoop/data/stage/rtra/STAGE_RTRA_TRANSACTION_EXT->action=*; (state=42000,code=40000)
On removing the LOCATION line, the query works fine.
Could anyone please help me sort this out?
Thanks,
Mjoy
Created 08-29-2016 12:28 AM
Can I have a resolution for this?
All permissions are perfect, but I am still not able to create the External table as a specific user.
Created 03-30-2017 05:03 PM
Do you mind expanding on the answer a bit?
I have the same problem.
Is the group setting in CM or on HDFS or the OS file system?
Created 09-06-2016 09:30 AM
Hi,
I am not sure where to go for configuring roles as you have mentioned in your post.
In the Hue UI, I can see the interface for adding groups/permissions.
Created 09-06-2016 09:32 AM
Hi,
I am not sure where to go for configuring roles. In the Hue UI, I can see the interface for adding groups/permissions but not roles. Please advise.
group hive has role admin (the first one with an unlocked lock):
SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL
group test has role neco
SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL