
I am testing Sentry to restrict column access for a role to the ssn column in a Hive table on a MapR cluster. I am unable to revoke access for that specific column. The error message below complains that managers_role does not exist. I verified in my policy file that the manager role does exist. Please advise if I am missing anything.

beeline> !connect jdbc:hive2://10.20.30.195:10000 mapr mapr
Connecting to jdbc:hive2://10.20.30.195:10000
Connected to: Apache Hive (version 2.1.1-mapr-1710)
Driver: Hive JDBC (version 2.1.1-mapr-1710)
18/01/28 13:41:31 [main]: WARN jdbc.HiveConnection: Request to set 
autoCommit to false; Hive does not support autoCommit=false.
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://10.20.30.195:10000> REVOKE SELECT(ssn) ON TABLE 
db3.employee FROM ROLE managers_role;
Error: Error while processing statement: FAILED: Execution Error, 
return code 1 from 
org.apache.hadoop.hive.ql.exec.SentryFilterDDLTask. Error when 
sentryClient grant/revoke privilege:Privilege: [ 
server=psnode195.ps.lab,db=db3,table=employee,URI=,action=SELECT] 
doesn't exist.. Server Stacktrace: 
org.apache.sentry.provider.db.SentryNoSuchObjectException: Role: 
managers_role doesn't exist
at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivilegeCore(SentryStore.java:541)
at org.apache.sentry.provider.db.service.persistent.SentryStore.alterSentryRoleRevokePrivileges(SentryStore.java:519)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyStoreProcessor.alter_sentry_role_revoke_privilege(SentryPolicyStoreProcessor.java:345)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1073)
at org.apache.sentry.provider.db.service.thrift.SentryPolicyService$Processor$alter_sentry_role_revoke_privilege.getResult(SentryPolicyService.java:1058)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.sentry.provider.db.service.thrift.SentryProcessorWrapper.process(SentryProcessorWrapper.java:35)
at org.apache.thrift.TMultiplexedProcessor.process(TMultiplexedProcessor.java:123)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748) (state=08S01,code=1)
srini
  • AFAIK, MapR supports Sentry authorization rules in Impala, but not in Hive. In other words, they don't test everything... And don't care about things that don't work. – Samson Scharfrichter Jan 29 '18 at 18:06
  • I was able to test this – srini Jan 30 '18 at 14:29
  • I had to modify the global-policy file to restrict column level authorization: managers_role = server=psnode195.ps.lab->db=db3->table=employee->column=id->action=select,server=psnode195.ps.lab->db=db3->table=employee->column=name->action=select,server=psnode195.ps.lab->db=db3->table=employee->column=address->action=select – srini Jan 30 '18 at 14:30
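
Added example, not part of the original question or comments: a small Python audit that parses a Sentry policy file and reports which columns a role can SELECT, so you can confirm that a policy line like the one in the last comment leaves `ssn` unreadable. It assumes privileges are purely additive and that a privilege ending at a broader scope (table, db, server) covers every column beneath it; the function names, the `managers` group and the `analysts_role` line are hypothetical.

```python
# Added example: which columns does a Sentry policy-file role allow SELECT on?
SCOPES = ("server", "db", "table", "column")

def parse_privilege(text):
    """Split 'server=a->db=b->...->action=select' into a lowercase dict."""
    parts = {}
    for piece in text.strip().split("->"):
        key, _, value = piece.partition("=")
        parts[key.strip().lower()] = value.strip().lower()
    return parts

def parse_roles(policy_text):
    """Map role name -> parsed privileges, reading only the [roles] section."""
    roles, section = {}, ""
    for line in policy_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            section = line.lower()
        elif section == "[roles]" and "=" in line and not line.startswith("#"):
            role, _, privs = line.partition("=")
            roles[role.strip()] = [parse_privilege(p) for p in privs.split(",") if p.strip()]
    return roles

def grants_select(priv, target):
    """True if priv implies SELECT on target (assumed rule: broader scope covers narrower)."""
    if "uri" in priv or priv.get("action", "*") not in ("select", "all", "*"):
        return False
    for scope in SCOPES:
        have = priv.get(scope)
        if have is None:
            return True  # privilege ends at a broader scope, so it covers the rest
        if have not in ("*", target[scope].lower()):
            return False
    return True

def readable_columns(privs, server, db, table, columns):
    """Columns of server/db/table that at least one privilege lets the role read."""
    base = {"server": server, "db": db, "table": table}
    return [c for c in columns if any(grants_select(p, {**base, "column": c}) for p in privs)]

# managers_role is the line from the comment; the group and analysts_role are constructed.
POLICY = """
[groups]
managers = managers_role
[roles]
managers_role = server=psnode195.ps.lab->db=db3->table=employee->column=id->action=select,server=psnode195.ps.lab->db=db3->table=employee->column=name->action=select,server=psnode195.ps.lab->db=db3->table=employee->column=address->action=select
analysts_role = server=psnode195.ps.lab->db=db3->table=employee->action=select
"""
```

Run `readable_columns(parse_roles(POLICY)["managers_role"], "psnode195.ps.lab", "db3", "employee", [...])` with the table's full column list; any sensitive column in the result means some privilege on the role is scoped too broadly.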
