Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

hive cli unable to create tables after setting up sentry

hive cli unable to create tables after setting up sentry

Explorer

Hi,

 

I have recently setup sentry, all of the role based permissions seem to be working well. However, I noticed that I am unable to create tables from the hive cli now. I receive the following error: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:User cloudera does not have privileges for CREATETABLE). I can create tables while connected through beeline though as user cloudera.

 

Does using sentry service restrict access to the hive cli? I have set user "cloudera" with the following: CREATE ROLE super_user. GRANT ALL ON SERVER server1 to ROLE super_user. GRANT ROLE super_user TO GROUP cloudera.

 

I can still run queries normally and mapreduce jobs through the hive cli as user "cloudera" just lost the ability to create tables.

 

Thanks

7 REPLIES 7

Re: hive cli unable to create tables after setting up sentry

We are also facing the same problem, in addition to enabling sentry service in CM we also configured Sentry-HDFS ACLs synchronization. Do we need to add particular users to sentry config to enable them to create dbs/tables? Because right now it seems like only sentry admin user has privileges to create tables.

 

 

Re: hive cli unable to create tables after setting up sentry

When you configure sentry, by default nobody has permissions to do anything. You should follow the documentation to set up the appropriate permissions for your users. Until you do so, sentry will enforce your current policy, which is to deny basically everybody from doing anything.

When properly configured, you can get Sentry to restrict access via the hive CLI as well as HS2, Impala, or hcatalog.

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_sentry_service.ht...

Re: hive cli unable to create tables after setting up sentry

New Contributor

Hi Darren -

 

we have setup all the privileges but still experience errors when trying to create external tables from Hive CLI. Error is:

 

FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:User xyz does not have privileges for CREATETABLE).

 

It looks like the workaround is to specify the fully qualified location path for the table including the protocol: hdfs//blah/blah

 

Is this an expected behavior? Is there way to allow relative pathing to work from Hive CLI?

Re: hive cli unable to create tables after setting up sentry

Anyone got this to work?

Re: hive cli unable to create tables after setting up sentry

You should not have to use the full path when creating external tables (specifying the "external" keyword). If you specify a path to a table, you will need URI privileges on that path. Unfortunately, URI privileges are do need to match exactly so they need to use the the same path in the URI privilege and the path - that is, the scheme/authority is not automatically filled in. https://issues.apache.org/jira/browse/SENTRY-1001 tracks improving this behavior.
Highlighted

Re: hive cli unable to create tables after setting up sentry

Even if I use short path in grant statement, the problem doesn't go away.

Example:

grant all on uri '/foo/bar' to role sam_role;

 

Thanks,

Panga

Re: hive cli unable to create tables after setting up sentry

Did you specify the URI privileges?