Support Questions

Find answers, ask questions, and share your expertise

refresh function privileges

avatar
Explorer

When using impala under CDH 5.15, refreshing functions under specifc databases by some user will got an error like "AuthorizationException : user aaa does not have privileges to access: server" .

 

The system is centry enabled with kerberos.

 

What privileges shall we grant to the user ?

6 REPLIES 6

avatar
Super Guru
You will need at least write access to the table that user need to refresh. Have you tried to run:

GRANT ALL ON {db}.{table} TO ROLE {rolename}?

where {rolename} should be assigned to the user/group.

avatar
Explorer

The user has already got ALL rights on database where the function is built

 

 

Syntax:

REFRESH FUNCTIONS db_name

avatar
Super Guru
I believe REFRESH only works for tables, not on functions or DB.

Can you try to run REFRESH {tablename} to confirm?

To update other metadata, INVALIDATE METADATA is needed, which will need server level privilege.

avatar
Explorer

UDF considerations:

In CDH 5.12 / Impala 2.9 and higher, you can refresh the user-defined functions (UDFs) that Impala recognizes, at the database level, by running the REFRESH FUNCTIONS statement with the database name as an argument. Java-based UDFs can be added to the metastore database through Hive CREATE FUNCTION statements, and made visible to Impala by subsequently running REFRESH FUNCTIONS. For example:
CREATE DATABASE shared_udfs;
USE shared_udfs;
...use CREATE FUNCTION statements in Hive to create some Java-based UDFs
   that Impala is not initially aware of...
REFRESH FUNCTIONS shared_udfs;
SELECT udf_created_by_hive(c1) FROM ...

avatar
Super Guru
All right, so it works on functions, but your query:

REFRESH FUNCTIONS db_name

Seems like against DB, shouldn't it be:

REFRESH FUNCTIONS db_name.function_name

you will firstly need access to db_name to be able to run refresh.

avatar
Explorer

It seems that only db_name is needed according to 

https://www.cloudera.com/documentation/enterprise/5-15-x/topics/impala_refresh_functions.html

Syntax:

REFRESH FUNCTIONS db_name

 

And in 2.X version of impala the only way is to grant all on server to the role, while in  Impala 3.0 and higher  the minimum level of privileges required by refresh functions is to grant refresh on database to the role.

SQL StatementPrivilegesScope
REFRESH FUNCTIONSREFRESHDATABASE


https://impala.apache.org/docs/build/html/topics/impala_grant.html