Created on 10-30-2014 03:44 AM - edited 09-16-2022 02:11 AM
I am trying to create a new table in the hive database using beeline. I can create a database, a table without any problem. But when I try to create a table with "location parameter", it provides the following error before. I checked that the directory exists and that the directory is owned by the group that user belongs to.
CDH Version : 5.1.3
Hive Server 2
Security : Sentry with Kerberos
Sentry : File policy file is used
Any idea on what can cause this issue?
--------------------------------
Error Received
2014-10-30 03:36:55,716 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges
org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:320)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:457)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:352)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:995)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:988)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:98)
at org.apache.hive.service.cli.operation.SQLOperation.run(SQLOperation.java:163)
at org.apache.hive.service.cli.session.HiveSessionImpl.runOperationWithLogCapture(HiveSessionImpl.java:514)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:222)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatement(HiveSessionImpl.java:204)
at org.apache.hive.service.cli.CLIService.executeStatement(CLIService.java:168)
at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:316)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1373)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1358)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge20S.java:608)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User newuser does not have privileges for CREATETABLE
at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:317)
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(HiveAuthzBindingHook.java:502)
at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:312)
... 20 more
Created 02-03-2015 07:46 AM
Grant all the permissions using SQL GRANT Syntax on the role of which that user is the part of.
After that you would be able to create the table
Created 08-21-2015 08:02 AM
Hi All,
We are stuck into same problem. Here are the summary
1. We have configured Sentry Service on Cloudera 5.3 (We have added "Sentry Service" not Policy file approach) . We have followed below reference URL
2. Kerbros Authentication is not enabled on Cluster but as per prerequistee we can move ahead with LDAP Authentication also .
LDAP is configured on Cluster
3. After configuration, we go to beeline client and used “!connect jdbc:hive2://hadoopslave0.company.in:10000” as the connection string and entered “hive” as Username, Password
Here hiveserver2 is configured on hadoopslave0.company.in:10000 thats why we have given this in connection string & 1000 is default port.
After this when it ask to enter username & password so we have given "hive" in both (As per below URL
To initiate top-level permissions for Sentry, an admin must login as a superuser that’s why we logged in as hive)
Now when we try to CREATE TABLE here so we are facing below error in this :-
Required privileges for this query: Server=server1->Db=default->action=*; (state=42000,code=40000)
Also error is coming when we try to give privilege to Groups (Group of LDAP in which LDAP user is member) .
GRANT ROLE qa TO GROUP TestGroup;
GRANT ALL ON DATABASE default TO ROLE qa WITH GRANT OPTION;
Problem Statement :- As we cant give permissions to LDAP groups and also cant create table so we are stucked to perform testing in Sentry enable environment.
It looks we are some how doing mistake in loggin with wrong user . We need to login with user who can give permission to other . We thought hive will work as superuser but it looks its not. If you can guide which user we should use to login to create table and GRANT privilege to other users so would be really helpful .
Kindly reply its very critical for us.
Created 11-06-2015 08:21 AM
Hi
I had the same problem. I found out that the table creation succeeds if one specifies the fully qualified hdfs location.
create external table test (a string); // works
create external table test_ext (a string) LOCATION '/warehouse/projects/mypath/public'; fails
create external table test_ext (a string) LOCATION 'hdfs://nameservice1/warehouse/projects/mypath/public'; works fine
Hope this works for you too.
Deenar
Created 01-07-2016 10:11 AM
Anyone got this to work?
with /user/sam/foo/bar instead of hdfs://nameservice1/user/sam/foo/bar
Created 01-13-2016 02:55 PM
Problem is still there in CDH 5.5..
Is there is a JIRA for that?
Created 02-04-2016 02:34 PM