"User does not have privileges for CREATETABLE" Error

Explorer

I am trying to create a new table in the hive database using beeline. I can create a database and a table without any problem. But when I try to create a table with the "location" parameter, it provides the following error. I checked that the directory exists and that the directory is owned by the group that the user belongs to.

 

CDH Version : 5.1.3

Hive Server 2

Security : Sentry with Kerberos

Sentry : File policy file is used

 

Any idea on what can cause this issue?

 

--------------------------------

Error Received

 

2014-10-30 03:36:55,716 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges
org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges
    at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:320)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:457)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:352)
    at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:995)
    at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:988)
    at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:98)
    at org.apache.hive.service.cli.operation.SQLOperation.run(SQLOperation.java:163)
    at org.apache.hive.service.cli.session.HiveSessionImpl.runOperationWithLogCapture(HiveSessionImpl.java:514)
    at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:222)
    at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatement(HiveSessionImpl.java:204)
    at org.apache.hive.service.cli.CLIService.executeStatement(CLIService.java:168)
    at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:316)
    at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1373)
    at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1358)
    at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
    at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge20S.java:608)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User newuser does not have privileges for CREATETABLE
    at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:317)
    at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(HiveAuthzBindingHook.java:502)
    at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:312)
    ... 20 more

6 REPLIES 6

Expert Contributor

Grant all the permissions using SQL GRANT syntax on the role of which that user is a part.

After that you would be able to create the table.

Explorer

Hi All,

 

We are stuck on the same problem. Here is the summary:

1. We have configured the Sentry Service on Cloudera 5.3 (we added the "Sentry Service", not the policy file approach). We followed the reference URL below:

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_sentry_service.ht...

2. Kerberos authentication is not enabled on the cluster, but as per the prerequisites we can move ahead with LDAP authentication also. LDAP is configured on the cluster.

 

3. After configuration, we went to the beeline client, used “!connect jdbc:hive2://hadoopslave0.company.in:10000” as the connection string and entered “hive” as username and password.

Here hiveserver2 is configured on hadoopslave0.company.in:10000, that's why we have given this in the connection string, and 1000 is the default port.

After this, when it asked for the username and password, we gave "hive" for both (as per the URL below

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_overview.html...

To initiate top-level permissions for Sentry, an admin must log in as a superuser; that's why we logged in as hive).

Now when we try to CREATE TABLE here, we face the error below:

Required privileges for this query: Server=server1->Db=default->action=*; (state=42000,code=40000)

 

An error also occurs when we try to give privileges to groups (the LDAP group of which the LDAP user is a member).

GRANT ROLE qa TO GROUP TestGroup;

GRANT ALL ON DATABASE default TO ROLE qa WITH GRANT OPTION;

Problem statement: As we can't give permissions to LDAP groups and also can't create tables, we are stuck and unable to perform testing in a Sentry-enabled environment.

It looks like we are somehow making a mistake by logging in with the wrong user. We need to log in with a user who can give permissions to others. We thought hive would work as superuser, but it looks like it does not. If you can guide us on which user we should use to log in to create tables and GRANT privileges to other users, it would be really helpful.

Kindly reply, it's very critical for us.

Contributor

Hi

 

I had the same problem. I found out that the table creation succeeds if one specifies the fully qualified HDFS location.

create external table test (a string); -- works

create external table test_ext (a string) LOCATION '/warehouse/projects/mypath/public'; -- fails

create external table test_ext (a string) LOCATION 'hdfs://nameservice1/warehouse/projects/mypath/public'; -- works fine

 

Hope this works for you too.

 

Deenar
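Added example, not part of the post above and not Sentry's own code: a pre-flight check that flags LOCATION clauses without a scheme and tests the fully qualified form against the uri= privileges in a Sentry policy file. The policy contents, the role and group names, the use of hdfs://nameservice1 as the default filesystem and the prefix-matching rule are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample policy file; role and group names are hypothetical.
POLICY = """\
[groups]
etl_group = etl_role
[roles]
etl_role = server=server1->db=default, server=server1->uri=hdfs://nameservice1/warehouse/projects
"""

DEFAULT_FS = "hdfs://nameservice1"  # assumed fs.defaultFS, taken from the URI in the thread

LOCATION_RE = re.compile(r"\bLOCATION\s+'([^']+)'", re.IGNORECASE)


def uri_grants(policy_text):
    """Collect every uri= privilege listed under the [roles] section."""
    grants, section = [], None
    for line in policy_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "roles" and "=" in line:
            _, privileges = line.split("=", 1)
            for priv in privileges.split(","):
                for part in priv.strip().split("->"):
                    if part.lower().startswith("uri="):
                        grants.append(part[4:].rstrip("/"))
    return grants


def check_statement(sql, grants, default_fs=DEFAULT_FS):
    """Return (location, has_scheme, qualified, covered), or None without a LOCATION clause."""
    match = LOCATION_RE.search(sql)
    if not match:
        return None
    loc = match.group(1)
    has_scheme = bool(urlparse(loc).scheme)
    qualified = loc if has_scheme else default_fs + loc
    # Simplified model: a grant covers its own path and everything beneath it.
    covered = any(qualified == g or qualified.startswith(g + "/") for g in grants)
    return loc, has_scheme, qualified, covered
```

A statement whose result has has_scheme False is the form reported as failing in this thread; rewriting it to the returned qualified value gives the form reported as working, provided covered is True.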

 

Contributor

Anyone got this to work with /user/sam/foo/bar instead of hdfs://nameservice1/user/sam/foo/bar?

 

Contributor

Problem is still there in CDH 5.5.

Is there a JIRA for that?

 
