Cloudera Community

Archives of Support Questions (Read Only)

This is an archived board for historical reference. Information and links may no longer be available or relevant
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
This board is archived and read-only for historical reference. To ask a new question, please post a new topic on the appropriate active board.

Who agreed with this topic

Sentry No valid privileges Required privileges for this query

avatar
author-rank Petr
Frequent Visitor

Created on ‎03-11-2016 02:45 AM - edited ‎09-16-2022 03:08 AM

Hi,
I have unsecured cluster (CDH 5.4) and as I want to provide an access to data to more users, I would like to turn on the Sentry, so far without Kerberos (which comes after sucessful launch of Sentry).
As some other people might need Impala at the moment, I decided to set it up in Hive in first stage.

Steps I have taken:
1) I have set up 2 users: hive and tuser
tuser - group test
hive - group hive, zookeeper

group test
indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access,
jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access,
search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access

group hive
beeswax.access

group hive has role admin (the first one with an unlocked lock):
SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL

group test has role neco
SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL

Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect.

2) I have turned on the sentry
- in Hive checked the Sentry Service from "none" to "Sentry"
- in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted <property> <name>sentry.hive.testing.mode</name><value>true</value></property>
+ restarted Sentry

Result:
User hive can access anything in Hive. That's what I was expecting.
User tuser can't access anything in Hive (Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;)

What am I missing?

35,440
0 Kudos
1
Who agreed with this topic