"User does not have privileges for CREATETABLE" Error

New Contributor

I am trying to create a new table in the Hive database using beeline. I can create a database and a table without any problem. But when I try to create a table with the "location" parameter, it gives the error below. I checked that the directory exists and that the directory is owned by the group that the user belongs to.


CDH Version : 5.1.3

Hive Server 2

Security : Sentry with Kerberos

Sentry : File policy file is used


Any idea on what can cause this issue?



Error Received


2014-10-30 03:36:55,716 ERROR org.apache.hadoop.hive.ql.Driver: FAILED: SemanticException No valid privileges

org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(

at org.apache.hadoop.hive.ql.Driver.compile(

at org.apache.hadoop.hive.ql.Driver.compile(

at org.apache.hadoop.hive.ql.Driver.compileInternal(

at org.apache.hadoop.hive.ql.Driver.compileAndRespond(

at org.apache.hive.service.cli.operation.SQLOperation.prepare(


at org.apache.hive.service.cli.session.HiveSessionImpl.runOperationWithLogCapture(

at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(

at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatement(

at org.apache.hive.service.cli.CLIService.executeStatement(

at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(

at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(

at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(

at org.apache.thrift.ProcessFunction.process(

at org.apache.thrift.TBaseProcessor.process(

at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge20S$Server$TUGIAssumingProcessor.process(

at org.apache.thrift.server.TThreadPoolServer$

at java.util.concurrent.ThreadPoolExecutor.runWorker(

at java.util.concurrent.ThreadPoolExecutor$


Caused by: org.apache.hadoop.hive.ql.metadata.AuthorizationException: User newuser does not have privileges for CREATETABLE

at org.apache.sentry.binding.hive.authz.HiveAuthzBinding.authorize(

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.authorizeWithHiveBindings(

at org.apache.sentry.binding.hive.HiveAuthzBindingHook.postAnalyze(

... 20 more


Expert Contributor

Grant all the permissions, using SQL GRANT syntax, on the role that the user is part of.

After that you would be able to create the table.


Hi All,


We are stuck with the same problem. Here is the summary:


1. We have configured the Sentry Service on Cloudera 5.3 (we added the "Sentry Service", not the policy file approach). We have followed the reference URL below


2. Kerberos authentication is not enabled on the cluster, but as per the prerequisites we can move ahead with LDAP authentication also.

   LDAP is configured on the cluster.


3. After configuration, we went to the beeline client, used “!connect jdbc:hive2://” as the connection string and entered “hive” as username and password.

Here hiveserver2 is configured on that's why we have given this in the connection string & 1000 is the default port.


After this, when it asked us to enter a username & password, we gave "hive" for both (as per the URL below

To initiate top-level permissions for Sentry, an admin must login as a superuser, that's why we logged in as hive)


Now when we try to CREATE TABLE here, we face the error below:

Required privileges for this query: Server=server1->Db=default->action=*; (state=42000,code=40000)


Also, an error comes up when we try to give privileges to groups (the LDAP group of which the LDAP user is a member).




Problem statement: As we can't give permissions to LDAP groups and also can't create a table, we are stuck and unable to perform testing in a Sentry-enabled environment.

It looks like we are somehow making a mistake by logging in with the wrong user. We need to log in with a user who can give permissions to others. We thought hive would work as superuser, but it looks like it does not. If you can guide us on which user we should use to log in to create a table and GRANT privileges to other users, that would be really helpful.


Kindly reply, it's very critical for us.




I had the same problem. I found out that the table creation succeeds if one specifies the fully qualified hdfs location.


create external table test (a string); -- works


create external table test_ext (a string) LOCATION '/warehouse/projects/mypath/public'; -- fails


create external table test_ext (a string) LOCATION 'hdfs://nameservice1/warehouse/projects/mypath/public'; -- works fine


Hope this works for you too.
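
An added example (not part of any post in this thread): a small Python check over a Sentry policy file that reports whether a group's `uri` privilege covers a table `LOCATION`. Sentry requires a URI privilege for `CREATE TABLE ... LOCATION`; treating an unqualified path as unmatched models the behaviour reported above rather than Sentry's own code, and the sample policy, group and role names are constructed.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample policy file; group and role names are hypothetical.
SAMPLE_POLICY = """
[groups]
analysts = analyst_role

[roles]
analyst_role = server=server1->db=default, server=server1->uri=hdfs://nameservice1/warehouse/projects
"""

def uri_privileges(policy_text, group):
    """Return every URI granted to `group` through its roles."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep group and role names case-sensitive
    cp.read_string(policy_text)
    uris = []
    for role in cp["groups"].get(group, "").split(","):
        for priv in cp["roles"].get(role.strip(), "").split(","):
            # A privilege is a chain such as server=server1->uri=hdfs://...
            parts = dict(p.split("=", 1) for p in priv.strip().split("->") if "=" in p)
            if "uri" in parts:
                uris.append(parts["uri"])
    return uris

def covers(granted, location):
    """True if `location` is the granted URI or lies beneath it."""
    g, loc = urlparse(granted), urlparse(location)
    base = g.path.rstrip("/")
    same_fs = (g.scheme, g.netloc) == (loc.scheme, loc.netloc)
    # Compare on a path-component boundary so /projects does not match /projects2.
    return same_fs and (loc.path == base or loc.path.startswith(base + "/"))

def diagnose(policy_text, group, location):
    """Classify why a CREATE TABLE ... LOCATION would pass or fail the URI check."""
    grants = uri_privileges(policy_text, group)
    if not grants:
        return "no URI privilege"
    if not urlparse(location).scheme:
        # Assumption taken from the thread: a bare path is not matched
        # against scheme-qualified grants.
        return "unqualified location"
    return "covered" if any(covers(g, location) for g in grants) else "not covered"

if __name__ == "__main__":
    for loc in ("/warehouse/projects/mypath/public",
                "hdfs://nameservice1/warehouse/projects/mypath/public"):
        print(loc, "->", diagnose(SAMPLE_POLICY, "analysts", loc))
```
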




Anyone got this to work? 

with /user/sam/foo/bar instead of hdfs://nameservice1/user/sam/foo/bar



Problem is still there in CDH 5.5.

Is there a JIRA for that?