Thursday, January 1, 2015

[hue-user] does oozie hive action support sentry ?

We have a Kerberos-enabled CDH 5.3 and use Sentry for authorization. From the blog, I found that only the hcat credential can work with Kerberos, but it skips Sentry.

Then how do we make it work with Sentry?



I would think that you don't need any credentials, you can issue CREATE PRIVILEGES ... etc directly from the SQL script of Hive or just do your SELECT * FROM SENTRY_PROTECTED_TABLES?



Without credentials, the Hive action will fail with this error:
....
Failing Oozie Launcher, Main class [org.apache.oozie.action.hadoop.HiveMain], main() threw exception, java.lang.RuntimeException: Unable to instantiate org.apache.hadoop.hive.metastore.HiveMetaStoreClient
java.lang.RuntimeException: java.lang.RuntimeException: Unable to instantiate org.apache.hadoop.hive.metastore.HiveMetaStoreClient
...
Caused by: MetaException(message:Could not connect to meta store using any of the URIs provided. Most recent failure: org.apache.thrift.transport.TTransportException: GSS initiate failed

And with the hcat credential checked, it's OK to connect to the metastore, but it will fail with a no-permission error:

Caused by: org.apache.hadoop.security.AccessControlException: Permission denied: user=ops1, access=EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--T

We use Sentry for Hive; only the hive user can access the warehouse, so user ops1 will fail in the Hive action workflow.

Any help?

