I have recently set up Sentry, and all of the role-based permissions seem to be working well. However, I noticed that I am unable to create tables from the Hive CLI now. I receive the following error: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:User cloudera does not have privileges for CREATETABLE). I can create tables while connected through Beeline as user cloudera, though.
Does using the Sentry service restrict access to the Hive CLI? I have set up user "cloudera" with the following:
CREATE ROLE super_user;
GRANT ALL ON SERVER server1 TO ROLE super_user;
GRANT ROLE super_user TO GROUP cloudera;
I can still run queries normally and MapReduce jobs through the Hive CLI as user "cloudera"; I have just lost the ability to create tables.
We are also facing the same problem. In addition to enabling the Sentry service in CM, we also configured Sentry-HDFS ACL synchronization. Do we need to add particular users to the Sentry config to enable them to create DBs/tables? Right now it seems like only the Sentry admin user has privileges to create tables.
Hi Darren,
We have set up all the privileges but still experience errors when trying to create external tables from the Hive CLI. The error is:
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:User xyz does not have privileges for CREATETABLE).
It looks like the workaround is to specify the fully qualified location path for the table, including the protocol: hdfs://blah/blah
Is this expected behavior? Is there a way to allow relative pathing to work from the Hive CLI?
Even if I use a short path in the grant statement, the problem doesn't go away.
grant all on uri '/foo/bar' to role sam_role;