My CDH Manager's version is 5.4.0
Precondition:
hive-site.xml config is as follows:
<property>
<name>hive.server2.enable.doAs</name>
<value>false</value>
</property>
<property>
<name>hive.server2.use.SSL</name>
<value>false</value>
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.createtable.owner.grants</name>
<value>ALL</value>
</property>
<property>
<name>hive.security.authorization.task.factory</name>
<value>org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>
</property>
<property>
<name>hive.semantic.analyzer.hook</name>
<value>com.bigdata.hive.AuthorityControlHook</value> -> just I define for the super admin
</property>
Now
When I execute Hive Client, just as follows:
Logging initialized using configuration in jar:file:/opt/cloudera/parcels/CDH-5.4.0-1.cdh5.4.0.p0.27/jars/hive-common-1.1.0-cdh5.4.0.jar!/hive-log4j.properties
WARNING: Hive CLI is deprecated and migration to Beeline is recommended.
hive (default)> show current roles;
OK
public
Time taken: 2.119 seconds, Fetched: 1 row(s)
hive (default)> create role tmp;
beibei:640
FAILED: SemanticException hdfs can't use ADMIN options, except admin.
hive (default)>
this is expected to me.
But
when I execute the Beeline command, just as follows:
beeline> !connect jdbc:hive2://localhost:10000 org.apache.hive.jdbc.HiveDriver
scan complete in 5ms
Connecting to jdbc:hive2://localhost:10000
Enter password for jdbc:hive2://localhost:10000:
Connected to: Apache Hive (version 1.1.0-cdh5.4.0)
Driver: Hive JDBC (version 1.1.0-cdh5.4.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:10000> show current roles;
Error: Error while compiling statement: FAILED: SemanticException The current builtin authorization in Hive is incomplete and disabled. (state=42000,code=40000)
0: jdbc:hive2://localhost:10000>
Why?
Then to Google, I find a post, just as follows:
If you have already configured the Sentry Service, make sure that it is associate to the Hive role that you are trying to use.
Look in Hive-> Configuration -> Service-Wide -> Sentry Service.
So I doubt whether my Sentry Service is not installed in the CDH Manager, just as follows in the CDH Manager:
Any help will appreciate it, thank you!!!
------------------ 原始邮件 ------------------
发送时间: 2015年9月22日(星期二) 晚上10:33
主题: Re: HUE ignores Hive authorization layer