implement hive authorization with sentry service

Contributor

Hi, I'm facing an error when deploying Hive authorization with the Sentry service. I have configured the Sentry and Hive services following this document: http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_service_confi...

Finally, when I started to test, I logged on to HiveServer2 as hive via beeline and ran the command 'create role admin'; it showed the error java.sql.SQLException: Can't create table 'sentry.#sql-12c8_384' (errno: 150). Even when I run "show database" or 'show tables', only the default database is shown, while there should be more databases and tables.

Is it a Hive permission issue? I checked sentry.service.admin.group; the value is 'hive,hue,impala'.

Could anyone help to figure it out?

Thanks!

John.

5 REPLIES

Re: implement hive authorization with sentry service

Explorer

Hi jjiang,

It is really hard to get Kerberos+Sentry+Hive working well. But let's check a couple of steps:

1) Have you logged in using beeline with a user created in Kerberos?

Ex.: kinit user@HADOOP.COM

2) Did you connect to beeline with the following command?

Ex.: !connect jdbc:hive2://IP_HIVESERVER2:10000/default;principal=hive/NAME_HIVESERVER2@REALM_KERBEROS;

3) Just to remember, you MUST be logged in as a hive user for administrative purposes;

Let us know what's going on to help with your issue!!!

Dino


Re: implement hive authorization with sentry service

Contributor

Hi dinoamaral,

Actually, I didn't configure it to use Kerberos, and I already set sentry.hive.testing.mode to true.

And I log on to beeline with the command " !connect jdbc:hive2://IP_HIVESERVER2:10000/default hive password".

And surely hive is the only user in the hive group, which is the administrator.

But it looks like hive didn't get the right permission, and I configured MySQL as the backend for the Sentry service.

Re: implement hive authorization with sentry service

Explorer

To get Sentry running in your Cloudera cluster, it is necessary to have a Kerberos Server to authenticate the users.

Here are some useful links that may help you to get Sentry "up and running":

Enable Kerberos Authentication Using Cloudera Manager:

http://www.cloudera.com/content/cloudera/en/documentation/cloudera-manager/v5-1-x/Configuring-Hadoop...

How-to: Quickly Configure Kerberos for Your Apache Hadoop Cluster

http://blog.cloudera.com/blog/2015/03/how-to-quickly-configure-kerberos-for-your-apache-hadoop-clust...

Sentry Policy File Authorization:

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cdh_sg_sentry.html

Feel free to contact us!!!

Re: implement hive authorization with sentry service

Contributor

Thanks in advance. In our environment, we designed it to use an LDAP server as the authentication server. It's already working with Hive.

So for my case, is it possible to get Hive with Sentry working in the testing mode? Or is there anything more you need for troubleshooting?

Thanks

John

Re: implement hive authorization with sentry service

Contributor

I just noticed there are errors in hadoop-cmf-sentry-SENTRY_SERVER.log.out:

ERROR DataNucleus.Datastore: An exception was thrown while adding/validating class(es) : Specified key was too long; max key length is 767 bytes
com.mysql.jdbc.exceptions.jdbc4.MySQLSyntaxErrorException: Specified key was too long; max key length is 767 bytes

ERROR DataNucleus.Datastore: An exception was thrown while adding/validating class(es) : Can't create table 'sentry.#sql-5d35_a' (errno: 150)

Seems it was a MySQL error? Does anybody know how to fix the problem?