Getting errors when trying to validate expressions - AuthorizationException: User 'xxx' does not have privileges to EXPLAIN this statement

When using logical views there are instances when you hit validation errors complaining about authorization exception. This is usually due to Sentry privileges.

There are two things we want to check:

(1) Sentry authorization checks on Views are different than regular tables.

Here’s an example:

  • If you just have a SELECT query on View, only select auth is checked on Base table
  • But if you have EXPLAIN on View, SELECT auth on both View and Base is checked.

A bit more detail here:
https://www.cloudera.com/documentation/enterprise/5-9-x/topics/cm_sg_sentry_service.html#hive_impala_privilege_model

So what we want to do is provide SELECT privileges on the base table & view via Sentry.

Solution:
Give user SELECT access to the underlying base table via Sentry.


(2) Logical views which contain built-in functions

There’s edge cases are around logical views which contain built-in functions, they will throw authorization exception as discussed here:

https://issues.apache.org/jira/browse/IMPALA-2595

The solution is to use Sentry to grant select on the “_arcadia_builtins” database to the role. You will need to do this through the arcengine as sentry admin . Notice the beeline is done to arcengine on port 31050 and sentry command is run.

Solution:
GRANT select on database _arcadia_builtins to role <role_name>;

Example sequence:

[~]$ beeline -u "jdbc:hive2://awsclusterworker1.com:31050/default;principal=arcadia/_HOST@D.COM;ssl=true" 
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; 
support was removed in 8.0 Java HotSpot(TM) 64-Bit Server VM warning: ignoring option MaxPermSize=512M; 
support was removed in 8.0 scan complete in 3ms 
Connecting to jdbc:hive2://awsclusterworker1.com:31050/default;principal=arcadia/_HOST@D.COM;ssl=true 
Connected to: Arcengine (version arcengine2.9.2) Driver: Hive JDBC (version 1.1.0-cdh5.13.3) 
Transaction isolation: TRANSACTION_REPEATABLE_READ Beeline version 1.1.0-cdh5.13.3 by 
Apache Hive 0: jdbc:hive2://awsclusterworker1.com; 

grant SELECT on DATABASE `_arcadia_builtins` to role_cdh_dev; 

show grant role role_cdh_dev_marketing_read;
1 Like