Member since: 07-21-2017
Posts: 3
Kudos Received: 1
Solutions: 0
07-24-2017
03:33 AM
1 Kudo
Hi saranvisa,

Based on your input, here are some steps that I have changed from the earlier described scenario:

Repeated steps 1-4.

5A. Added group 'grp_admin' and its new user 'test1' on the Linux machine. Changed user password.

5B. Go to Hue, created new group 'grp_admin', added its new user 'test1'.

5C. Verified that using Hue, user 'test1' can access and query Hive tables.

6A. Set permission level in HDFS, using the commands below:

    $ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
    $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse

6B. Now I can see that Hue user 'test1' no longer has access to Hive tables. The query gives the following error:

    Bad status for request TFetchResultsReq(fetchType=0, operationHandle=TOperationHandle(hasResultSet=True, modifiedRowCount=None, operationType=0, operationId=THandleIdentifier(secret='O\x0b\xfc\x8bB\xb1I\x82\x83\ny\x89\x7f\xcc\xbbW', guid='\x13P\x02\xef\xbd\x18K:\x82\xe2!u\xa8\xc5Z\xc9')), orientation=4, maxRows=100): TFetchResultsResp(status=TStatus(errorCode=0, errorMessage='java.io.IOException: org.apache.hadoop.security.AccessControlException: Permission denied: user=test1, access=READ_EXECUTE, inode="/user/hive/warehouse/my_retail.db/departments":hive:hive:drwxrwx--x\n\tat

Repeated steps 7-11.

12. Observed the same scenario as described in step 12 above.

13. Error in the Hue Hive query editor:

    Error while compiling statement: FAILED: SemanticException No valid privileges User test1 does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=my_retail->Table=*->Column=*->action=select;Server=server1->Db=my_retail->Table=*->Column=*->action=insert;

14. Opened Hue using admin user 'cloudera'. Security tab is not visible.

15. Restarted all services of CM. Logged in to Hue. Security tab appeared.

16. Go to Hue Security. Not able to create any role in Hive tables.

17. Even after altering directory permission, by making test1 the owner of the 'Hive' directory

    $ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
    $ sudo -u hdfs hdfs dfs -chown -R test1:grp_admin /user/hive/warehouse

still not able to create any role in Hue.

18. Verified that database 'my_retail' is not appearing in Hive tables (Hue Security).
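The denial in step 6B can be read straight off the inode string in the exception. The following is an added example, not part of the original post: it parses that AccessControlException text and reports which permission class applied to the user and which bits were missing. It assumes plain POSIX-style HDFS mode bits (no ACLs, no superuser bypass); the function name and the user-to-group mapping are hypothetical.

```python
import re

# HDFS FsAction names mapped to the permission bits each one requires.
FS_ACTION = {
    "NONE": "", "EXECUTE": "x", "WRITE": "w", "WRITE_EXECUTE": "wx",
    "READ": "r", "READ_EXECUTE": "rx", "READ_WRITE": "rw", "ALL": "rwx",
}

DENIED = re.compile(
    r'Permission denied: user=(?P<user>[^,]+), access=(?P<access>\w+), '
    r'inode="(?P<path>[^"]*)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[d-][rwx-]{8}[rwxtT-])'
)

def explain_denial(message, user_groups):
    """Return the permission class that applied and the bits that were missing."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an HDFS 'Permission denied' message")
    f = m.groupdict()
    mode = f["mode"][1:]                      # drop the file-type character
    if f["user"] == f["owner"]:
        cls, bits = "owner", mode[0:3]
    elif f["group"] in user_groups.get(f["user"], ()):
        cls, bits = "group", mode[3:6]
    else:
        cls, bits = "other", mode[6:9]
    have = set(bits.replace("t", "x"))        # sticky 't' still implies execute
    need = FS_ACTION[f["access"]]
    return {
        "user": f["user"],
        "path": f["path"],
        "class": cls,
        "granted": "".join(b for b in "rwx" if b in have),
        "missing": "".join(b for b in need if b not in have),
    }

# Error text as quoted in step 6B, trimmed to the relevant part.
MESSAGE = ('org.apache.hadoop.security.AccessControlException: Permission denied: '
           'user=test1, access=READ_EXECUTE, '
           'inode="/user/hive/warehouse/my_retail.db/departments":hive:hive:drwxrwx--x')
# Group membership from step 5A of the post.
USER_GROUPS = {"test1": ["grp_admin"]}

if __name__ == "__main__":
    print(explain_denial(MESSAGE, USER_GROUPS))
```

With mode 771 and ownership hive:hive, test1 falls into the "other" class, which carries only execute, so the read half of READ_EXECUTE is what fails.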
07-22-2017
05:45 PM
Let me know if anybody explored this scenario so far.
07-21-2017
01:25 AM
Dear Community Members,

I am new to Cloudera. I am currently exploring role based authorization provided by db backed Sentry in Cloudera VM version 5.10.x. I want to see how Sentry manages multiple roles and permissions regarding Hive tables, Impala & HDFS files. However, till now I am not able to achieve it by following the documentation provided by Cloudera (link) and by referring to some community topics (link 1, link2, link3).

I am following the steps below to enable multiple roles:

1. Installed Cloudera VM version 5.10.x.

2. Created new Hive database 'my_retail' using Hive CLI.

3. Used the Sqoop command to import all tables from mysql to the new Hive db:

    sqoop import-all-tables \
        --num-mappers 2 \
        --connect "jdbc:mysql://quickstart.cloudera:3306/retail_db" \
        --username=root \
        --password=cloudera \
        --hive-import \
        --hive-overwrite \
        --create-hive-table \
        --outdir java_files \
        --hive-database my_retail

4. Verified that Hive has the new tables using Hive CLI & Hue (U=Cloudera/P=Cloudera).

5. Go to Hue, created new user 'test1', group 'default'. Verified that using Hue, user 'test1' can access & query Hive tables.

6. Set permission level in HDFS, using the commands below:

    $ sudo -u hdfs hdfs dfs -chmod -R 771 /user/hive/warehouse
    $ sudo -u hdfs hdfs dfs -chown -R hive:hive /user/hive/warehouse

7. Unchecked the HiveServer2 Enable Impersonation checkbox.

8. To override the Kerberos prerequisite, added the following property to the HiveServer2 sentry-site.xml:

    <property>
      <name>sentry.hive.testing.mode</name>
      <value>true</value>
    </property>

9. Go to CM, Add service Sentry. Use existing mysql DB sentry, U=root, P=cloudera.

10. Restarted all the services.

11. Enabled the Sentry Service for Hive by following these steps:
    - Go to the Hive service.
    - Click the Configuration tab.
    - Select Scope > Hive (Service-Wide).
    - Select Category > Main.
    - Locate the Sentry Service property and select Sentry.
    - Click Save Changes to commit the changes.
    - Restart the Hive service.

12. Now refreshed Hue using admin user 'cloudera'. Hive DB 'my_retail' disappeared.

13. Tried to run a Hive query. Getting the following error:

    Error while compiling statement: FAILED: SemanticException No valid privileges User hive does not have privileges for SWITCHDATABASE The required privileges: Server=server1->Db=*->Table=+->Column=*->action=insert;Server=server1->Db=*->Table=+->Column=*->action=select

14. Tried to run the Hive query using the other user 'test1' in Hue. Got the same error message.

15. I know that by default every permission is REVOKED in Sentry. But I couldn't work out from where I need to GRANT those permissions. Tried Beeline, but it says 'No Connection'.

16. Tried to run a command like 'show databases' in Hive CLI. Got an error.

17. Go to Hue -> Security -> Hive tables. Can't see user 'test1' there.

18. I explored the whole of Hue, but couldn't enable multiple roles for achieving column level permissions.

In another VM instance, I enabled Kerberos and then installed Sentry. Again no success regarding Sentry permission setup.

I have verified that the 'sentry' db in mysql contains the required tables.

Please let me know what steps I am missing here to enable multiple roles & groups for setting up column level permissions in Hive tables. I also want to achieve that for the HDFS file system & in Impala.

I also worked on Cloudera VM version 5.4.x earlier, which provides a different security (Sentry Tables tab) UI in Hue. But unfortunately I had a similar experience there too.
Labels: Apache Sentry