Problem: Job is failing with Access errors
Symptom
The user attempts to execute a DDL statement against the Okera API endpoint with curl. Note that the user has been granted the necessary permissions on the given dataset in Okera.
curl -k -H "Content-Type: application/json" -H 'Authorization: Bearer <TOKEN>' -X POST -d '{"query":"CREATE DATABASE IF NOT EXISTS <DBNAME> LOCATION '\''s3:<LOCATIONS>/'\''"}' <OKERACLUSTER>/api/hive-ddl
- The user receives an error message as the response:
"message": "Invalid or expired token."
- But the planner logs show:
AuthorizationException: User '<USER>' does not have privileges to access: <S3 LOCATION>n\n","user":"<USER>"
Solution
Although the API response reports an invalid or expired token, the planner log shows the actual cause: the user does not have the required permission to access the underlying data. The solution is to grant the user access to the URI location of the underlying data.
SHOW GRANT USER <USERNAME> gives the user details, including the role they belong to and the data they can access.
From the output, determine the groups the user is in, the roles for each group, and the access assigned to the dataset. For example, if the user lacks permission on the dataset being queried, grant access to the dataset:
GRANT <ALL/SHOW/CREATE> ON URI <S3://PATH> TO ROLE <DESIGNATEDROLE>
The command above instructs Okera to allow a user who is not an admin to access the specified data path.
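The following is an added example, not Okera's own code: it scans planner log lines for the AuthorizationException shown above, lists the URIs each user was refused, and prints the SHOW GRANT USER and GRANT statements from this article for an admin to review. The log lines are constructed, and their JSON envelope (the "msg" key) and the function names are assumptions.

```python
import re
from collections import defaultdict

# Message text as quoted in this article. The URI capture stops at whitespace,
# a quote or a backslash, so it also works inside a JSON-escaped log line.
DENIED = re.compile(
    r"AuthorizationException: User '([^']+)' does not have privileges "
    r'to access: ([^\s"\\]+)'
)

# Constructed sample lines (not real Okera output); the "msg" key is assumed.
SAMPLE_LOG = [
    r'''{"msg":"AuthorizationException: User 'alice' does not have privileges '''
    r'''to access: s3://example-bucket/sales/\n\n","user":"alice"}''',
    r'''{"msg":"Planned request","user":"bob"}''',
    "AuthorizationException: User 'alice' does not have privileges "
    "to access: s3://example-bucket/sales/",
    r'''{"msg":"AuthorizationException: User 'carol' does not have privileges '''
    r'''to access: s3://example-bucket/hr/\n","user":"carol"}''',
]


def denied_uris(lines):
    """Map each denied user to the sorted, de-duplicated URIs they were refused."""
    denied = defaultdict(set)
    for line in lines:
        for user, uri in DENIED.findall(line):
            denied[user].add(uri)
    return {user: sorted(uris) for user, uris in sorted(denied.items())}


def review_statements(denied):
    """Build the article's statements for review; privilege and role stay placeholders."""
    out = []
    for user, uris in denied.items():
        out.append(f"SHOW GRANT USER {user}")
        for uri in uris:
            out.append(
                f"GRANT <ALL/SHOW/CREATE> ON URI {uri} TO ROLE <DESIGNATEDROLE>"
            )
    return out


if __name__ == "__main__":
    for statement in review_statements(denied_uris(SAMPLE_LOG)):
        print(statement)
```

The privilege level and role are deliberately left as placeholders so that an admin chooses the narrowest grant after checking the SHOW GRANT USER output.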