I0620 10:46:08.436385 47131 Frontend.java:818] analyze query show databases I0620 10:46:08.437651 47131 jni-util.cc:177] java.lang.IllegalArgumentException: Value cannot be empty at org.apache.sentry.provider.file.KeyValue.This happens in a cluster with Kerberos and Sentry enabled. To confirm if the issue is the same as mine, follow the steps below:(KeyValue.java:41) at org.apache.sentry.policy.db.DBWildcardPrivilege. (DBWildcardPrivilege.java:62) at org.apache.sentry.policy.db.DBWildcardPrivilege$DBWildcardPrivilegeFactory.createPrivilege(DBWildcardPrivilege.java:167) at org.apache.sentry.provider.common.ResourceAuthorizationProvider$2.apply(ResourceAuthorizationProvider.java:131) at org.apache.sentry.provider.common.ResourceAuthorizationProvider$2.apply(ResourceAuthorizationProvider.java:128) at com.google.common.collect.Iterators$8.next(Iterators.java:812) at org.apache.sentry.provider.common.ResourceAuthorizationProvider.doHasAccess(ResourceAuthorizationProvider.java:107) at org.apache.sentry.provider.common.ResourceAuthorizationProvider.hasAccess(ResourceAuthorizationProvider.java:91) at com.cloudera.impala.authorization.AuthorizationChecker.hasAccess(AuthorizationChecker.java:171) at com.cloudera.impala.service.Frontend.getDbNames(Frontend.java:630) at com.cloudera.impala.service.JniFrontend.getDbNames(JniFrontend.java:272)
- Run “SHOW CURRENT ROLES;” command in impala, and capture the role name
- Log into Sentry’s Database. I am using MySQL, so my example query will be based on MySQL below
- Once logs in, please run the following query:
SELECT r.ROLE_ID, r.ROLE_NAME, PRIVILEGE_SCOPE, SERVER_NAME, DB_NAME, TABLE_NAME, COLUMN_NAME, URI, ACTION FROM SENTRY_ROLE r JOIN SENTRY_ROLE_DB_PRIVILEGE_MAP m ON (r.ROLE_ID = m.ROLE_ID) JOIN SENTRY_DB_PRIVILEGE p ON (m.DB_PRIVILEGE_ID = p.DB_PRIVILEGE_ID) WHERE r.ROLE_NAME = '
'; - My output looks like the following:
+---------+----------------+-----------------+-----------------+-------------+-------------+------------+-------------+--------------------------+--------+ | ROLE_ID | ROLE_NAME | DB_PRIVILEGE_ID | PRIVILEGE_SCOPE | SERVER_NAME | DB_NAME | TABLE_NAME | COLUMN_NAME | URI | ACTION | +---------+----------------+-----------------+-----------------+-------------+-------------+------------+-------------+--------------------------+--------+ | 1 | test_role | 1 | URI | server1 | __NULL__ | __NULL__ | __NULL__ | __NULL__ | all | +---------+----------------+-----------------+-----------------+-------------+-------------+------------+-------------+--------------------------+--------+
And there is only one privilege for this role and scope is URI. Notice that all values for this role are “__NULL__”?
- BACKUP Sentry DB again just before you about to do the change (a must do before you make any changes to any production Database)
- Run the following query against Sentry Database to update the URI value:
UPDATE SENTRY_DB_PRIVILEGE set URI = 'hdfs:///dummy' where DB_PRIVILEGE_ID = 1;
update the DB_PRIVILEGE_ID to match in your own case. - Connect to impala-shell using the user who has admin access to sentry
- Run ‘INVALIDATE METADATA’ to update the metadata we just changed
- Test again using the user who belongs to role “unixadmins”, issue should be resolved
Hi,
How did you manage to write those queries without putting double quotes(“) around the column and table names ?
Steve
Hi Steve,
Did you mean below query:
SELECT‘;
r.ROLE_ID, r.ROLE_NAME, PRIVILEGE_SCOPE, SERVER_NAME,
DB_NAME, TABLE_NAME, COLUMN_NAME, URI, ACTION
FROM SENTRY_ROLE r
JOIN SENTRY_ROLE_DB_PRIVILEGE_MAP m ON (r.ROLE_ID = m.ROLE_ID)
JOIN SENTRY_DB_PRIVILEGE p ON (m.DB_PRIVILEGE_ID = p.DB_PRIVILEGE_ID)
WHERE r.ROLE_NAME = ‘
?
It is in MySQL, you don’t need double quotes, you will need double quotes if you use PostgreSQL.