Hi, I have unsecured cluster (CDH 5.4) and as I want to provide an access to data to more users, I would like to turn on the Sentry, so far without Kerberos (which comes after sucessful launch of Sentry). As some other people might need Impala at the moment, I decided to set it up in Hive in first stage. Steps I have taken: 1) I have set up 2 users: hive and tuser tuser - group test hive - group hive, zookeeper group test indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access, jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access, search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access group hive beeswax.access group hive has role admin (the first one with an unlocked lock): SERVER server=server1 action=ALL SERVER server=server1 action=ALL group test has role neco SERVER server=server1 action=ALL URI server=server1 hdfs://...:8020/user/hive/warehouse action=ALL DATABASE server=server1 db=default action=ALL Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect. 2) I have turned on the sentry - in Hive checked the Sentry Service from "none" to "Sentry" - in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted <property> <name>sentry.hive.testing.mode</name><value>true</value></property> + restarted Sentry Result: User hive can access anything in Hive. That's what I was expecting. User tuser can't access anything in Hive (Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;) What am I missing? ... View more