hadoopclouderaapache-sentry

Apache Sentry: SemanticException No valid privileges Required privileges for this query

I have unsecured cluster (CDH 5.4) and as I want to provide an access to data to more users, I would like to turn on the Sentry, so far without Kerberos (which comes after sucessful launch of Sentry). As some other people might need Impala at the moment, I decided to set it up in Hive in first stage.

Steps I have taken: 1) I have set up 2 users: hive and tuser

tuser - group test hive - group hive, zookeeper

group test 

indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access, 
jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access, 
search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access

group hive

beeswax.access

group hive has role admin (the first one with an unlocked lock):

SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL

group test has role neco

SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL

Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect.

2) I have turned on the sentry - in Hive checked the Sentry Service from "none" to "Sentry" - in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted <property> <name>sentry.hive.testing.mode</name><value>true</value></property> + restarted Sentry

Result: User hive can access anything in Hive. That's what I was expecting.

User tuser can't access anything in Hive: Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;

What am I missing?

Solution

  • Finally I was adviced what was wrong: The Hue groups must be the same as the groups on the Namenode's linux (as the HDFS org.apache.hadoop.security.ShellBasedUnixGroupsMapping is checked). In the case of Impala, all of nodes with Impala Daemons have to have same groups.

    However, I am going to overtake the groups from LDAP (option org.apache.hadoop.security.LdapGroupsMapping).