Member since
03-11-2016
3
Posts
0
Kudos Received
1
Solution
My Accepted Solutions
Title | Views | Posted |
---|---|---|
32483 | 03-22-2016 02:06 AM |
03-22-2016
02:06 AM
Finally I was adviced what was wrong: The Hue groups must be the same as the groups on the Namenode's linux (as the HDFS org.apache.hadoop.security.ShellBasedUnixGroupsMapping is checked). In the case of Impala, all of nodes with Impala Daemons have to have same groups. However, I am going to overtake the groups from LDAP (option org.apache.hadoop.security.LdapGroupsMapping).
... View more
03-11-2016
06:20 AM
Plus: All in /user/hive/warehouse has owner and group hive + 777. Moreover, I tried to add tuser into hive group, and added it into groups sentry.service.admin.group and sentry.service.allow.connect, and sentry.metastore.service.users, but the result is the same.
... View more
03-11-2016
02:45 AM
Hi, I have unsecured cluster (CDH 5.4) and as I want to provide an access to data to more users, I would like to turn on the Sentry, so far without Kerberos (which comes after sucessful launch of Sentry). As some other people might need Impala at the moment, I decided to set it up in Hive in first stage. Steps I have taken: 1) I have set up 2 users: hive and tuser tuser - group test hive - group hive, zookeeper group test indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access, jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access, search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access group hive beeswax.access group hive has role admin (the first one with an unlocked lock): SERVER server=server1 action=ALL SERVER server=server1 action=ALL group test has role neco SERVER server=server1 action=ALL URI server=server1 hdfs://...:8020/user/hive/warehouse action=ALL DATABASE server=server1 db=default action=ALL Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect. 2) I have turned on the sentry - in Hive checked the Sentry Service from "none" to "Sentry" - in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted <property> <name>sentry.hive.testing.mode</name><value>true</value></property> + restarted Sentry Result: User hive can access anything in Hive. That's what I was expecting. User tuser can't access anything in Hive (Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;) What am I missing?
... View more