Hi Harsh, It works now. Thanks very much for your great suggestion!
On Thu, May 14, 2015 at 4:58 PM, Harsh J <[email protected]> wrote: > By default the 'hive' user is treated as a Sentry admin (i.e. can run > GRANT/REVOKE), but not a HiveServer2 admin (i.e. cannot run > CREATE/etc.). You will need to explicitly self-declare hive user as an > admin role on HS2 via the following style of grants, to be able to > properly act as admin over a HS2. > > CREATE ROLE admin_role; > GRANT ALL ON SERVER server1 TO ROLE admin_role; > GRANT ROLE admin_role TO GROUP hive; > > On Thu, May 14, 2015 at 8:55 AM, Liping Zhang <[email protected]> > wrote: > > Hi Junjie, > > > > I thought "hive" user should be the "admin_role" of beeline, so there is > no > > need to grant command for "hive" user, since in my another cluster, > "hive" > > user has the admin role with all permission in beeline once after I > enabled > > sentry. > > > > Please feel free to correct me if I miss something. Thanks! > > > > On Thu, May 14, 2015 at 9:57 AM, Ma, Junjie <[email protected]> wrote: > >> > >> Hello Michelle, > >> You enable the sentry for hive, do you grant the properly > >> permission to user "hive" to show the tables? > >> > >> Best regards, > >> > >> Colin Ma(Ma Jun Jie) > >> > >> > >> -----Original Message----- > >> From: Liping Zhang [mailto:[email protected]] > >> Sent: Thursday, May 14, 2015 8:35 AM > >> To: [email protected]; [email protected]; [email protected]; > >> [email protected]; [email protected]; > >> [email protected] > >> Subject: Re: "show databases" doesn't return all databases with > >> Kerberos/Sentry enabled > >> > >> Thanks Szehon, Prasad, and TheJas. I added sentry mailing list. > >> > >> Dear Sentry, > >> > >> This is very strange issue. I also tried rolling back the configuration, > >> but it still could not return right databases list with "show > databases". > >> > >> Do you have any idea? Thanks very much for your help in advance! > >> > >> > >> > >> On Thu, May 14, 2015 at 3:05 AM, Szehon Ho <[email protected]> wrote: > >> > >> > Hi Liping > >> > > >> > Do you want to check the Sentry mailing list as well? They might know > >> > more about this scenario. > >> > > >> > Thanks > >> > Szehon > >> > > >> > On Wed, May 13, 2015 at 10:18 AM, Liping Zhang <[email protected] > > > >> > wrote: > >> > > >> >> Dear all, > >> >> > >> >> I installed CDH, kerberos, sentry to enable security for hive > >> >> beeline. I did following commands: > >> >> > >> >> # kinit -k -t hive.keytab hive/ > >> >> [email protected] > >> >> > >> >> # beeline -u > >> >> "jdbc:hive2://ip-172-31-9-84.us-west-2.compute.internal:10000/default > >> >> ;principal=hive/ [email protected] > " > >> >> > >> >> > >> >> and in beeline CLI: > >> >> # show databases > >> >> # show tables > >> >> these 2 "show" commands did work well and return all the databases > >> >> and tables we had. > >> >> > >> >> However, after I changed some configuration and restart hive, and > >> >> rerun above commands with "hive" user, it was strange that in > >> >> beeline CLI, *"show databases" and "show tables" didn't return all > >> >> the databases and tables we had, instead, they only returned one > >> >> "default" database, and no tables > >> >> returned.* > >> > >> >> > >> >> The configuration change I remembered included: > >> >> Adding: > >> >> > >> >> <property> > >> >> <name>hive.server2.authentication</name> > >> >> <value>KERBEROS</value> > >> >> </property> > >> >> To Hive Client Configuration Safety Valve for hive-site.xml (Gateway > >> >> service in CM) properly modified the hive-site.xml for Hue Server. > >> >> > >> >> > >> >> The commands in beeline I remembered after restarting hive, and > >> >> before running "show databases" and "show tables" was: > >> >> # create role role1; > >> >> # show roles; > >> >> # show current roles; > >> >> > >> >> after that, the "hive" user in beeline could only return "default" > >> >> database with no tables for "show databases" and "show tables" > command. > >> >> > >> >> > >> >> And I checked /user/hive/warehouse dir, all the databases and tables > >> >> files did existed. > >> >> > >> >> > >> >> Did anyone met this kind of issue before? Any comments and discussion > >> >> are highly appreciated! > >> >> > >> >> > >> >> -- > >> >> Cheers, > >> >> ----- > >> >> Big Data - Big Wisdom - Big Value > >> >> -------------- > >> >> Michelle Zhang (Liping Zhang) > >> >> > >> > > >> > > >> > >> > >> -- > >> Cheers, > >> ----- > >> Big Data - Big Wisdom - Big Value > >> -------------- > >> Michelle Zhang (Liping Zhang) > > > > > > > > > > -- > > Cheers, > > ----- > > Big Data - Big Wisdom - Big Value > > -------------- > > Michelle Zhang (Liping Zhang) > > > > -- > Harsh J > -- Cheers, *Michelle Zhang(张莉苹)* Senior Software Engineer, PMP *Big Data - Big Wisdom - Big Value* Cloudera | www.cloudera.com Tel: 86-021-62369001 extension 808 Email: [email protected]
