[RS-144] Can't get correct sentry privileges in CDH5.7.0 kerberos cluster - Cloudera Open Source

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.3.0
Fix Version/s: 0.3.0
Component/s: None
Labels:
None

Description

From the log, the sentry config for RecordService is correct.

I0322 17:05:17.281074 11675 JniFrontend.java:167] Authorization is 'ENABLED' with server name: server1, config file: /var/run/cloudera-scm-agent/process/214-record_service-RECORD_SERVICE_PW/sentry-site.xml, using Sentry Policy Service, with PolicyProviderClass: org.apache.sentry.provider.common.HadoopGroupResourceAuthorizationProvider.

...
I0322 17:07:26.222415 11938 AnalysisContext.java:449] authzChecker check impala/${instance}@${REALM}
I0322 17:07:26.222703 11938 AuthorizationChecker.java:186] Authorization hasAccess impala
I0322 17:07:26.222885 11938 AuthorizationChecker.java:188] get 2 groups for impala
I0322 17:07:26.224508 11938 AuthorizationChecker.java:191] listPrivilegesForGroup hive: 0
I0322 17:07:26.224612 11938 AuthorizationChecker.java:191] listPrivilegesForGroup impala: 0
I0322 17:07:26.231683 11938 AuthorizationChecker.java:186] Authorization hasAccess impala
I0322 17:07:26.231825 11938 AuthorizationChecker.java:188] get 2 groups for impala
I0322 17:07:26.231946 11938 AuthorizationChecker.java:191] listPrivilegesForGroup hive: 0
I0322 17:07:26.232059 11938 AuthorizationChecker.java:191] listPrivilegesForGroup impala: 0
I0322 17:07:26.232923 11938 jni-util.cc:177] com.cloudera.impala.catalog.AuthorizationException: User 'impala/${instance}@${REALM}' does not have privileges to execute 'SELECT' on: default.sample_07
	at com.cloudera.impala.analysis.AnalysisContext.authorizeTableAccess(AnalysisContext.java:486)
	at com.cloudera.impala.analysis.AnalysisContext.authorize(AnalysisContext.java:413)
	at com.cloudera.impala.service.Frontend.analyzeStmt(Frontend.java:829)
	at com.cloudera.impala.service.Frontend.createExecRequest(Frontend.java:908)
	at com.cloudera.impala.service.Frontend.createRecordServiceExecRequest(Frontend.java:854)
	at com.cloudera.impala.service.JniFrontend.createRecordServiceExecRequest(JniFrontend.java:260)
I0322 17:07:26.320742 11938 status.cc:112] AuthorizationException: User 'impala/${instance}@${REALM}' does not have privileges to execute 'SELECT' on: default.sample_07
    @           0x82aed9  impala::Status::Status()
    @           0xb8e920  impala::JniUtil::GetJniExceptionMsg()
    @           0xa7f8a3  impala::JniUtil::CallJniMethod<>()
    @           0xa767e0  impala::Frontend::GetRecordServiceExecRequest()
    @           0xaee103  impala::ImpalaServer::PlanRecordServiceRequest()
    @           0xaf34f3  impala::ImpalaServer::PlanRequest()
    @           0xe0d6d2  recordservice::RecordServicePlannerProcessor::process_PlanRequest()
    @           0xe09dd4  recordservice::RecordServicePlannerProcessor::dispatchCall()
    @           0xaa4b5c  apache::thrift::TDispatchProcessor::process()
    @          0x179d7cb  apache::thrift::server::TThreadPoolServer::Task::run()
    @          0x17855e9  apache::thrift::concurrency::ThreadManager::Worker::run()
    @           0x9ff0e9  impala::ThriftThread::RunRunnable()
    @           0x9ffbf2  boost::detail::function::void_function_obj_invoker0<>::invoke()
    @           0xbe9c0f  impala::Thread::SuperviseThread()
    @           0xbeab54  boost::detail::thread_data<>::run()
    @           0xe5b22a  thread_proxy
    @     0x7f540ba5aaa1  start_thread
    @     0x7f540acbd93d  clone

Attachments

Activity

People

Assignee:

Li Li

Reporter:

Li Li

Votes:

0 Vote for this issue

Watchers:

3 Start watching this issue

Dates

Created:

23/Mar/16 12:17 AM

Updated:

25/Mar/16 1:32 AM

Resolved:

25/Mar/16 1:30 AM