Daniel Goldszmit created SENTRY-1439:
----------------------------------------

             Summary: Sentry + UDFs from hive-contrib.jar result in No valid privileges
                 Key: SENTRY-1439
                 URL: https://issues.apache.org/jira/browse/SENTRY-1439
             Project: Sentry
          Issue Type: Improvement
            Reporter: Daniel Goldszmit


Sentry Service is enabled

Hive Auxiliary JARs Directory is configured to point to /opt/ca_hive_udfs 
and hive-contrib.jar is a symbolic link for: 
/opt/ca_hive_udfs/hive-contrib.jar -> 
/opt/cloudera/parcels/CDH/lib/hive/lib/hive-contrib.jar 

hive-contrib.jar UDFs are not registered as Internal Functions, but 
hive-contrib.jar is loaded as part of the Hive class path:

STARTUP_MSG: classpath = 
....../opt/cloudera/parcels/CDH-5.5.2-1.cdh5.5.2.p1399.1233/lib/hive/lib/hive-contrib-1.1.0-cdh5.5.2.jar

Even after granting on the hive.aux.jars.path URI for hive-contrib.jar:
GRANT ALL ON URI 'file:///opt/ca_hive_udfs/hive-contrib.jar' TO ROLE user_role;

Create temporary function:
>create temporary function row_sequence as 
>'org.apache.hadoop.hive.contrib.udf.UDFRowSequence';

It fails with no valid privileges:

2016-07-06 08:34:20,332 INFO org.apache.sentry.binding.hive.HiveAuthzBindingHook: [HiveServer2-Handler-Pool: Thread-26]: No valid privileges
Required privileges for this query: 
Server=server1->URI=file:///opt/cloudera/parcels/CDH-5.5.2-1.cdh5.5.2.p1399.1233/jars/hive-contrib-1.1.0-cdh5.5.2.jar->action=*;
2016-07-06 08:34:20,344 ERROR org.apache.hadoop.hive.ql.Driver: [HiveServer2-Handler-Pool: Thread-26]: FAILED: SemanticException No valid privileges

User user1 does not have privileges for CREATEFUNCTION
org.apache.hadoop.hive.ql.parse.SemanticException: No valid privileges
User user1 does not have privileges for CREATEFUNCTION

To make it work, it is required to grant on the following URI:

GRANT ALL ON URI 'file:///opt/cloudera/parcels/CDH-5.5.2-1.cdh5.5.2.p1399.1233/jars/hive-contrib-1.1.0-cdh5.5.2.jar' TO ROLE user_role;



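Added example, not part of the original report or of Sentry's code: a Python check that reads the "Required privileges" line from the HiveServer2 log, resolves symlinks in the URIs already granted, and returns the GRANT on the URI Sentry asked for. It assumes, as the log above suggests, that the required URI is the symlink-resolved location of the jar; the function names are hypothetical.

```python
import os
import re
from urllib.parse import urlparse

# Format of the "Required privileges for this query" line in the log above.
REQUIRED_RE = re.compile(
    r"Server=(?P<server>\S+?)->URI=(?P<uri>\S+?)->action=(?P<action>[^;\s]+);"
)

def required_uris(log_text):
    """Extract the URIs Sentry reported as required, in log order, de-duplicated."""
    seen = []
    for m in REQUIRED_RE.finditer(log_text):
        if m["uri"] not in seen:
            seen.append(m["uri"])
    return seen

def canonical_file_uri(uri):
    """Return the file:// URI with every symlink in its path resolved."""
    parsed = urlparse(uri)
    if parsed.scheme != "file":
        raise ValueError(f"not a file URI: {uri}")
    return "file://" + os.path.realpath(parsed.path)

def audit_grants(granted_uris, log_text, role):
    """For each required URI without an exact grant, say why and what to grant."""
    findings = []
    for required in required_uris(log_text):
        if required in granted_uris:
            continue
        # A grant on a symlink does not textually match the resolved location.
        aliases = [g for g in granted_uris
                   if g.startswith("file:") and canonical_file_uri(g) == required]
        findings.append({
            "required": required,
            "symlink_aliases": aliases,
            "fix": f"GRANT ALL ON URI '{required}' TO ROLE {role};",
        })
    return findings

if __name__ == "__main__":
    # Constructed sample using the paths from the report; on a host without
    # these paths the symlink cannot be resolved, so no alias is reported.
    sample_log = ("Required privileges for this query: Server=server1->URI="
                  "file:///opt/cloudera/parcels/CDH-5.5.2-1.cdh5.5.2.p1399.1233/jars/"
                  "hive-contrib-1.1.0-cdh5.5.2.jar->action=*;")
    granted = ["file:///opt/ca_hive_udfs/hive-contrib.jar"]
    for f in audit_grants(granted, sample_log, "user_role"):
        print(f["fix"], "| granted symlinks:", f["symlink_aliases"])
```

Run on the HiveServer2 host itself, a non-empty `symlink_aliases` list shows that the role was granted the symlink path while the log demanded the resolved one.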