Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

"User does not have privileges for CREATETABLE" Error

avatar
author-rank ferdsngo
Explorer

Created on ‎10-30-2014 03:44 AM - edited ‎09-16-2022 02:11 AM

I am trying to create a new table in the hive database using beeline.  I can create a database,  a table without any problem.  But when I try to create a table with "location parameter",  it provides the following error before.  I checked that the directory exists and that the directory is owned by the group that user belongs to. 

 

CDH Version : 5.1.3

Hive Server 2

Security : Sentry with Kerberos

Sentry : File policy file is used

 

Any idea on what can cause this issue?

 

--------------------------------

Error Received

 

2014-10-30 03:36:55,716 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges

org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:320)

at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:457)

at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:352)

at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:995)

at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:988)

at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:98)

at org.apache.hive.service.cli.operation.SQLOperation.run(SQLOperation.java:163)

at org.apache.hive.service.cli.session.HiveSessionImpl.runOperationWithLogCapture(HiveSessionImpl.java:514)

at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:222)

at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatement(HiveSessionImpl.java:204)

at org.apache.hive.service.cli.CLIService.executeStatement(CLIService.java:168)

at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:316)

at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1373)

at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1358)

at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)

at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)

at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge20S.java:608)

at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:244)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at java.lang.Thread.run(Thread.java:745)

Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User newuser does not have privileges for CREATETABLE

at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(HiveAuthzBinding.java:317)

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(HiveAuthzBindingHook.java:502)

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(HiveAuthzBindingHook.java:312)

... 20 more

47,680 Views
0 Kudos
2
6 REPLIES 6

avatar
author-rank HDFS
Expert Contributor

Created ‎02-03-2015 07:46 AM

Grant all the permissions using SQL GRANT Syntax on the role of which that user is the part of.

After that you would be able to create the table

47,412 Views
0 Kudos

avatar
author-rank All
Explorer

Created ‎08-21-2015 08:02 AM

Hi All,

 

We are stuck into same problem. Here are the summary

 

1. We have configured Sentry Service on Cloudera 5.3 (We have added "Sentry Service" not Policy file approach) . We have followed below reference URL

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/cm_sg_sentry_service.ht...

 

2. Kerbros Authentication is not enabled on Cluster but as per prerequistee we can move ahead with LDAP Authentication also . 

   LDAP is configured on Cluster

 

3. After configuration, we go to beeline client and used “!connect jdbc:hive2://hadoopslave0.company.in:10000” as the connection string and entered “hive” as Username, Password

Here hiveserver2 is configured on hadoopslave0.company.in:10000 thats why we have given this in connection string & 1000 is default port.

 

After this when it ask to enter username & password so we have given "hive" in both (As per below URL

http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_sentry_overview.html...

To initiate top-level permissions for Sentry, an admin must login as a superuser that’s why we logged in as hive)

 

Now when we try to CREATE TABLE here so we are facing below error in this :-

Required privileges for this query: Server=server1->Db=default->action=*; (state=42000,code=40000)

 

Also error is coming when we try to give privilege to Groups (Group of LDAP in which LDAP user is member) .

GRANT ROLE qa TO GROUP TestGroup;

GRANT ALL ON DATABASE default TO ROLE qa WITH GRANT OPTION;

 

Problem Statement :- As we cant give permissions to LDAP groups and also cant create table  so we are stucked to perform testing in Sentry enable environment.

                                           It looks we are some how doing mistake in loggin with wrong user . We need to login with user who can give permission to other . We thought hive will work as superuser but it looks its not. If you can guide which user we should use to login to create table and GRANT privilege to other users so would be really helpful .

 

Kindly reply its very critical for us.

47,167 Views
0 Kudos

avatar
author-rank DeenarT
Contributor

Created ‎11-06-2015 08:21 AM

Hi

 

I had the same problem. I found out that the table creation succeeds if one specifies the fully qualified hdfs location.

 

create external table test (a string); // works

 

create external table test_ext (a string) LOCATION '/warehouse/projects/mypath/public'; fails

 

create external table test_ext (a string) LOCATION 'hdfs://nameservice1/warehouse/projects/mypath/public'; works fine

 

Hope this works for you too.

 

Deenar

 

46,837 Views

avatar
author-rank Pradeep_Panga
Contributor

Created ‎01-07-2016 10:11 AM

Anyone got this to work? 

with /user/sam/foo/bar instead of hdfs://nameservice1/user/sam/foo/bar

 

46,549 Views
0 Kudos

avatar
author-rank Dautkhanov
Contributor

Created ‎01-13-2016 02:55 PM

Problem is still there in CDH 5.5.. 

Is there is a JIRA for that?

 

46,498 Views
0 Kudos

avatar
author-rank Pradeep_Panga
Contributor

Created ‎02-04-2016 02:34 PM

https://issues.apache.org/jira/browse/SENTRY-1001

46,299 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements