Support Questions

ferdsngo · ‎10-30-2014

I am trying to create a new table in the hive database using beeline. I can create a database, a table without any problem. But when I try to create a table with "location parameter", it provides the following error before. I checked that the directory exists and that the directory is owned by the group that user belongs to.

CDH Version : 5.1.3

Hive Server 2

Security : Sentry with Kerberos

Sentry : File policy file is used

Any idea on what can cause this issue?

--------------------------------

Error Received

2014-10-30 03:36:55,716 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges

org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:320)

at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:457)

at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:352)

at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:995)

at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:988)

at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:98)

at org.apache.hive.service.cli.operation.SQLOperation.run(SQLOperation.java:163)

at org.apache.hive.service.cli.session.HiveSessionImpl.runOperationWithLogCapture(HiveSessionImpl.java:514)

at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:222)

at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatement(HiveSessionImpl.java:204)

at org.apache.hive.service.cli.CLIService.executeStatement(CLIService.java:168)

at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:316)

at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1373)

at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1358)

at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)

at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)

at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge20S.java:608)

at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at java.lang.Thread.run(Thread.java:745)

Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User newuser does not have privileges for CREATETABLE

at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:317)

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(HiveAuthzBindingHook.java:502)

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:312)

... 20 more

HDFS · ‎02-03-2015

Grant all the permissions using SQL GRANT Syntax on the role of which that user is the part of.

After that you would be able to create the table

All · ‎08-21-2015

Hi All,

We are stuck into same problem. Here are the summary

1. We have configured Sentry Service on Cloudera 5.3 (We have added "Sentry Service" not Policy file approach) . We have followed below reference URL

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_sentry_service.ht...

2. Kerbros Authentication is not enabled on Cluster but as per prerequistee we can move ahead with LDAP Authentication also .

LDAP is configured on Cluster

3. After configuration, we go to beeline client and used “!connect jdbc:hive2://hadoopslave0.company.in:10000” as the connection string and entered “hive” as Username, Password

Here hiveserver2 is configured on hadoopslave0.company.in:10000 thats why we have given this in connection string & 1000 is default port.

After this when it ask to enter username & password so we have given "hive" in both (As per below URL

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_overview.html...

To initiate top-level permissions for Sentry, an admin must login as a superuser that’s why we logged in as hive)

Now when we try to CREATE TABLE here so we are facing below error in this :-

Required privileges for this query: Server=server1->Db=default->action=*; (state=42000,code=40000)

Also error is coming when we try to give privilege to Groups (Group of LDAP in which LDAP user is member) .

GRANT ROLE qa TO GROUP TestGroup;

GRANT ALL ON DATABASE default TO ROLE qa WITH GRANT OPTION;

Problem Statement :- As we cant give permissions to LDAP groups and also cant create table so we are stucked to perform testing in Sentry enable environment.

It looks we are some how doing mistake in loggin with wrong user . We need to login with user who can give permission to other . We thought hive will work as superuser but it looks its not. If you can guide which user we should use to login to create table and GRANT privilege to other users so would be really helpful .

Kindly reply its very critical for us.

DeenarT · ‎11-06-2015

Hi

I had the same problem. I found out that the table creation succeeds if one specifies the fully qualified hdfs location.

create external table test (a string); // works

create external table test_ext (a string) LOCATION '/warehouse/projects/mypath/public'; fails

create external table test_ext (a string) LOCATION 'hdfs://nameservice1/warehouse/projects/mypath/public'; works fine

Hope this works for you too.

Deenar

Pradeep_Panga · ‎01-07-2016

Anyone got this to work?

with /user/sam/foo/bar instead of hdfs://nameservice1/user/sam/foo/bar

Dautkhanov · ‎01-13-2016

Problem is still there in CDH 5.5..

Is there is a JIRA for that?

Pradeep_Panga · ‎02-04-2016

https://issues.apache.org/jira/browse/SENTRY-1001

Cloudera Community

Support Questions

"User does not have privileges for CREATETABLE" Error