
I have an unsecured cluster (CDH 5.4) and, as I want to provide access to the data to more users, I would like to turn on Sentry, so far without Kerberos (which comes after a successful launch of Sentry). As some other people might need Impala at the moment, I decided to set it up in Hive in the first stage.

Steps I have taken:

1) I have set up 2 users: hive and tuser

tuser - group test
hive - group hive, zookeeper

group test

indexer.access, about.access, beeswax.access, filebrowser.access, hbase.write, hbase.access, help.access, impala.access, jobbrowser.access, 
jobsub.access, metastore.write, metastore.access, oozie.dashboard_jobs_access, oozie.access, pig.access, proxy.access, rdbms.access, 
search.access, security.impersonate, security.access, spark.access, sqoop.access, useradmin.access_view:useradmin:edit_user, useradmin.access, zookeeper.access

group hive

beeswax.access

group hive has role admin (the first one with an unlocked lock):

SERVER
server=server1 action=ALL
SERVER
server=server1 action=ALL

group test has role neco

SERVER
server=server1 action=ALL
URI
server=server1 hdfs://...:8020/user/hive/warehouse action=ALL
DATABASE
server=server1 db=default action=ALL

Moreover, the user hive is in both sets sentry.service.admin.group and sentry.service.allow.connect.

2) I have turned on Sentry:
- in Hive, switched the Sentry Service from "none" to "Sentry"
- in Hive Service Advanced Configuration Snippet (Safety Valve) for sentry-site.xml inserted `<property><name>sentry.hive.testing.mode</name><value>true</value></property>`
- restarted Sentry

Result: User hive can access anything in Hive. That's what I was expecting.

User tuser can't access anything in Hive: `Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select;`

What am I missing?

Mr Lister
Bechyňák Petr
  • All in /user/hive/warehouse has owner and group hive + 777. – Bechyňák Petr Mar 11 '16 at 10:56
  • Moreover, I tried to add tuser into hive group, and added it into groups sentry.service.admin.group and sentry.service.allow.connect, and sentry.metastore.service.users, but the result is the same. – Bechyňák Petr Mar 11 '16 at 14:17
  • Logged in as hive: `show grant user tuser on all`: Error while compiling statement: FAILED: SemanticException Sentry does not allow privileges to be granted/revoked to/from: USER; `SHOW PRINCIPALS tuser`: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryGrantRevokeTask – Bechyňák Petr Mar 14 '16 at 08:04
  • Logged in as tuser: both `show grant user tuser on all` and `SHOW PRINCIPALS tuser`: Error while compiling statement: FAILED: SemanticException No valid privileges Required privileges for this query: Server=server1->Db=*->Table=+->action=insert;Server=server1->Db=*->Table=+->action=select; – Bechyňák Petr Mar 14 '16 at 08:07
  • And with Impala shell? – Samson Scharfrichter Mar 14 '16 at 13:26
  • I finally dug up some old audit script that I used before migrating CDH 5.4 to 5.5 >> `show roles` plus `show grant role \`SomeRole\`` plus `show role grant group \`SomeGroup\`` >> worked in Beeline *(trapped by Sentry somehow)* – Samson Scharfrichter Mar 14 '16 at 13:36

1 Answer

Finally I was advised what was wrong: the Hue groups must be the same as the groups on the NameNode's Linux (as the HDFS org.apache.hadoop.security.ShellBasedUnixGroupsMapping is checked). In the case of Impala, all of the nodes with Impala Daemons have to have the same groups.

However, I am going to take the groups from LDAP (option org.apache.hadoop.security.LdapGroupsMapping).

Bechyňák Petr
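A check for the mismatch the answer describes, added here as an example and not code from the original post: compare the groups Hue assigned to a user with the groups the NameNode resolves for that user, since Sentry's group-to-role mapping only ever sees the latter. It assumes the `hdfs groups <user>` output format `user : g1 g2 ...`; the sample line for tuser is constructed, and in real use you would feed it `$(hdfs groups tuser)` run on the NameNode host.

```shell
#!/bin/sh
# Added example (not from the original post). Sentry grants roles to groups, but the
# groups it sees come from ShellBasedUnixGroupsMapping on the NameNode, not from Hue.
# A role granted to a Hue group that does not exist on the NameNode never applies,
# which surfaces as "SemanticException No valid privileges" for that user.

# Parse one line of `hdfs groups <user>` output ("user : g1 g2 ...") into "g1 g2 ...".
parse_hdfs_groups() {
    printf '%s\n' "$1" | sed 's/^[^:]*:[[:space:]]*//'
}

# Print the Hue groups (arg 2, space-separated) absent from the NameNode groups (arg 1).
missing_groups() {
    nn_groups="$1"; hue_groups="$2"; missing=""
    for g in $hue_groups; do
        found=0
        for n in $nn_groups; do
            [ "$g" = "$n" ] && found=1 && break
        done
        [ "$found" -eq 0 ] && missing="$missing $g"
    done
    printf '%s\n' "${missing# }"
}

# Report whether every Hue group of a user resolves on the NameNode; returns 1 on a mismatch.
check_user() {
    user="$1"; hue="$2"; nn_line="$3"
    nn="$(parse_hdfs_groups "$nn_line")"
    miss="$(missing_groups "$nn" "$hue")"
    if [ -n "$miss" ]; then
        echo "$user: Sentry roles granted to group(s) [$miss] will never apply (not on NameNode)"
        return 1
    fi
    echo "$user: all Hue groups resolve on the NameNode"
}

# Constructed sample: Hue puts tuser in group "test", but on the NameNode tuser only
# belongs to its private group, which is exactly the situation in the question.
hue_groups_tuser="test"
nn_output_tuser="tuser : tuser"
check_user tuser "$hue_groups_tuser" "$nn_output_tuser" || :
```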