Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Strange permission Hive issue in accessing DBs

avatar
author-rank snm1523
Expert Contributor

Created on ‎03-23-2021 04:01 AM - edited ‎03-23-2021 04:03 AM

Hello All,

 

We have a around 22 databases and their respective tables which are accessible via Impala in Hue, but not via Hive for 3 newly added users. We get below error which is related to permissions to databases via Sentry, however, this looks strange to me since the permissions are managed at DB level and not specific to service. So if permissions are not correct, we should not have been able to access them via Impala as well.

 

Error message:

Error while compiling statement: FAILED: SemanticException No valid privileges User xxxxxx does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=*->Table=+->Column=*->action=select->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=insert->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=alter->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=create->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=drop->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=index->grantOption=false;Server=server1->Db=*->Table=+->Column=*->action=lock->grantOption=false;

 

Query that works fine in Impala but not Hive:

select * from dbname.tablename limit 5;

 

Please suggest what can be checked / done to fix this.

 

Thanks

snm1523

3,713 Views
0 Kudos
0
7 REPLIES 7

avatar
author-rank snm1523
Expert Contributor

Created ‎05-10-2021 07:53 AM

Any suggestions please?

3,668 Views
0 Kudos

avatar
author-rank tusharkathpal author-rank
Expert Contributor

Created ‎05-13-2021 02:59 PM

Hello @snm1523 

 

First and for most thing, ensure the users are synced in all the nodes.

 

for all the newly added users run id -Gn <username> on all the impala and hs2 nodes and ensure that this matches across all the nodes.

 

 

3,646 Views
0 Kudos

avatar
author-rank snm1523
Expert Contributor

Created ‎05-14-2021 04:48 AM

Hello @tusharkathpal,

 

Thank you for the reply.

 

Have verified all the users are in correct groups and same on all nodes.

 

Please suggest what can be checked further.

 

Thanks

snm1523

3,634 Views
0 Kudos

avatar
author-rank vidanimegh
Expert Contributor

Created ‎05-14-2021 06:08 AM

Hi @snm1523 ,

 

What are the permissions these new users have on default database?

 

Thanks,

Megh

3,623 Views
0 Kudos

avatar
author-rank snm1523
Expert Contributor

Created ‎05-14-2021 08:00 AM

Hello @vidanimegh,

We are not changing any permissions to users (including me) on default DB. They are just default (whatever they get once created). We are managing permissions using Sentry on each DB that is created.

 

We have verified permissions are all okay in Sentry as users (including me) are able to see / query tables in Impala via Hue but not in Hive.

 

Thanks

snm1523

3,600 Views
0 Kudos

avatar
author-rank tusharkathpal author-rank
Expert Contributor

Created ‎05-14-2021 06:39 AM

Hello @snm1523 

 

Could you please help me with the below details.

 

Step 1: Connect to any of the edge node and run the below.

 

id -Gn <new username>

kinit <username>

connect to HS2 using the jdbc conn string and then run, select current_user();

run the query select * from tablename which gives error.

 

Step 2: Now from the same edge node, connect to one of the impala node.

 

id -Gn <new username>

kinit <username>

Connect to Impala using the jdbc connection string 

beeline -u "jdbc:hive2://<impala-coordinator-node>:21050/default;principal=impala/<LB FQDN NAME>@REALM_NAME;ssl=true;sslTrustStore=<truststore path>;

 

**Use LB FQDN Name in principal section if you have LB else use the coordinator FQDN hostname above. If you have ssl enabled then use:-->sslTrustStore=<truststore path> else you can remove from connection string.

 

and run , select current_user(); and run the same query here.

 

Step 3:

 

ssh to host running Hue server. If you have multiple host running hue server then ssh to them one by one and repeat the same.

 

id -Gn <username> output

kinit username

connect once to HS2 and Impala each via beeline then run select current_user() and the query.

 

Once done share all the results to validate things.

3,617 Views
0 Kudos

avatar
author-rank snm1523
Expert Contributor

Created ‎05-14-2021 08:01 AM

@tusharkathpal , got hit to another issue, working on that. Will revert with these results by Monday.

3,599 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements