[jira] [Created] (RANGER-820) RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects

["Henning Kropp (JIRA)" <ji...@apache.org>]

Henning Kropp created RANGER-820:
------------------------------------

             Summary: RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects
                 Key: RANGER-820
                 URL: https://issues.apache.org/jira/browse/RANGER-820
             Project: Ranger
          Issue Type: Bug
          Components: plugins
    Affects Versions: ranger
         Environment: HiveServer2
            Reporter: Henning Kropp


RangerHiveAuthorizer uses method {{isURIAccessAllowed}} during the creation of new objects ({{.isEmpty(inputHObjs)}}) which relies solely on {{FileUtil}} and {{FileStatus}} to check whether the user has the required FS in the hierarchy rights or not.

If following best practices a folder is for example owned by hdfs and only the hdfs user is given RWX access it is impossible for any user to create an external table in that folder through HS2, even if given access privileges by Ranger policies.

Resulting exception:
{{Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [user] does not have [READ] privilege on [hdfs://path/...]
at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:249)
at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:779)
at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:574)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:468)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1116)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:110)
... 15 more}}

Workaround: Use Hive CLI



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)