Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Sentry error in creating roles in beeline

Sentry error in creating roles in beeline

Expert Contributor

Hi,

 

i am testing sentry for POC.

I have not enabled Ldap or kerberos and i am trying to use local groups instead of hadoop groups.

 

After doing configuration changes in Hive,Yarn and impala.

I log into beeline using a hadoop user but it gives me an error like this:-

 

0: jdbc:hive2://itsxxxxx.xxx.com> create role role1;
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to 10000 (state=08S01,code=1)

 

 

Also when i login with a hive user in beeline i get an error like:-

 

2014-11-14 12:10:10,102 WARN  [main] thrift.ThriftCLIService (ThriftCLIService.java:ExecuteStatement(384)) - Error executing statement:
org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: SemanticException The current builtin authorization in Hive is incomplete and disabled.

 

Anny suggestions?

 

3 REPLIES 3

Re: Sentry error in creating roles in beeline

Hi,

It sounds like you have not correctly configured Sentry.

Assuming you want to use the Sentry Service introduced in CDH5.1, please follow the instructions here:
http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-1-x/Cloudera-Manager-M...

Sentry configuration should generally be done in secure environments only. If you want to override this, I believe you have to use the Hive safety valve for either hive-site.xml or sentry-site.xml and set sentry.hive.testing.mode to false (using the proper XML syntax, see http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_mc_config_snippet.ht...

Thanks,
Darren

Re: Sentry error in creating roles in beeline

Explorer

Hi Team,

 

 

Even i'm getting same error. It was kerberised cluster.

 

Failing in creating roles in sentry.

Error:

ERROR : Error processing Sentry command: Access denied to hdfs. Server Stacktrace: org.apache.sentry.provider.db.SentryAccessDeniedException: Access denied to hdfs
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.authorize(SentryPolicyStoreProcessor.java:205)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.create_sentry_role(SentryPolicyStoreProcessor.java:215)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$create_sentry_role.getResult(SentryPolicyService.java:833)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$create_sentry_role.getResult(SentryPolicyService.java:818)
at sentry.org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at sentry.org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:48)
at sentry.org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
at sentry.org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)

Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask. SentryAccessDeniedException: Access denied to hdfs (state=08S01,code=1)

 

 

I followed cloudera provided link:

 

I done all the changes but still not able to set roles for sentry in beeline.

 

 

Please help me out on this.

 

 

Thanks,

Purna.


@dlo wrote:
Hi,

It sounds like you have not correctly configured Sentry.

Assuming you want to use the Sentry Service introduced in CDH5.1, please follow the instructions here:
http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-1-x/Cloudera-Manager-M...

Sentry configuration should generally be done in secure environments only. If you want to override this, I believe you have to use the Hive safety valve for either hive-site.xml or sentry-site.xml and set sentry.hive.testing.mode to false (using the proper XML syntax, see http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_mc_config_snippet.ht...

Thanks,
Darren

@dlo wrote:
Hi,

It sounds like you have not correctly configured Sentry.

Assuming you want to use the Sentry Service introduced in CDH5.1, please follow the instructions here:
http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-1-x/Cloudera-Manager-M...

Sentry configuration should generally be done in secure environments only. If you want to override this, I believe you have to use the Hive safety valve for either hive-site.xml or sentry-site.xml and set sentry.hive.testing.mode to false (using the proper XML syntax, see http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_mc_config_snippet.ht...

Thanks,
Darren



 

Re: Sentry error in creating roles in beeline

hdfs isn't normally a Sentry admin. Which groups did you configure as a Sentry admins? See CM configuration "Admin Groups" under the Sentry service.