Posted to user@ranger.apache.org by Shashank Prabhakara <sh...@infoworks.io> on 2017/12/29 16:02:15 UTC

Permission denied on hive for UDF with full permissions granted

Hi All,

After installing ranger 0.7.1 with hive 2.1.1, I see that most permissions
are working as expected except for UDFs.

I have 3 policies in place for myuser:
1. URI *
2. DB */Table *
3. DB */UDF *
All 3 with delegate admin.

However, the following query (in any db):

CREATE TEMPORARY FUNCTION `someudf` AS 'com.myapp.MyUDF';

Results in the following error stack trace seen in hive-server2.log:


ERROR [HiveServer2-Handler-Pool: Thread-40] ql.Driver: FAILED: HiveAccessControlException Permission denied: user [myuser] does not have [CREATE] privilege on [someudf]
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [myuser] does not have [CREATE] privilege on [someudf]
        at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:417)
        at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:910)
        at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:697)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:515)
        at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1242)
        at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1229)
        at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:191)
        at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:276)
        at org.apache.hive.service.cli.operation.Operation.run(Operation.java:324)
        at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:499)
        at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:486)
...


Please let me know about any solutions or workaround.
All help is much appreciated.

Regards,
Shashank
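
A triage helper for the denial reported in the post above, as an added example that is not part of the original post or of the Ranger or Hive code: it extracts user, privilege and resource from hive-server2.log records and flags whether the stack shows RangerHiveAuthorizer.checkPrivileges made the decision. The record-start pattern and the sample log (modelled on the posted excerpt, with mail-style line wrapping and constructed extra records) are assumptions.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt in this thread (wrapped lines kept).
SAMPLE_LOG = """\
ERROR [HiveServer2-Handler-Pool: Thread-40] ql.Driver: FAILED:
HiveAccessControlException Permission denied: user [myuser] does not have
[CREATE] privilege on [someudf]
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
Permission denied: user [myuser] does not have [CREATE] privilege on
[someudf]
        at org.apache.ranger.authorization.hive.authorizer.
RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:417)
INFO  [HiveServer2-Handler-Pool: Thread-41] ql.Driver: OK
ERROR [HiveServer2-Handler-Pool: Thread-42] ql.Driver: FAILED:
HiveAccessControlException Permission denied: user [myuser] does not have
[CREATE] privilege on [someudf]
"""

# Assumption: a record starts with an optional timestamp token and a log level.
RECORD_START = re.compile(
    r"(?m)^(?:\S+[ \t]+)?(?:ERROR|WARN|INFO|DEBUG)[ \t]+\[([^\]]+)\]")
# \s+ between words lets the pattern match across wrapped lines.
DENIAL = re.compile(
    r"FAILED:\s+HiveAccessControlException\s+Permission\s+denied:\s+user\s+"
    r"\[([^\]]+)\]\s+does\s+not\s+have\s+\[([^\]]+)\]\s+privilege\s+on\s+"
    r"\[([^\]]+)\]")

def parse_denials(log_text):
    """Return one dict per denied statement found in the log text."""
    starts = list(RECORD_START.finditer(log_text))
    denials = []
    for i, start in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        record = log_text[start.start():end]
        hit = DENIAL.search(record)
        if hit is None:
            continue
        # Drop whitespace so a stack frame split across lines is still recognised.
        compact = re.sub(r"\s+", "", record)
        denials.append({
            "thread": start.group(1), "user": hit.group(1),
            "privilege": hit.group(2), "resource": hit.group(3),
            "via_ranger": "RangerHiveAuthorizer.checkPrivileges(" in compact,
        })
    return denials

def summarize(denials):
    """Count denials per (user, privilege, resource) to spot repeated failures."""
    return Counter((d["user"], d["privilege"], d["resource"]) for d in denials)
```

Repeated (user, privilege, resource) tuples with via_ranger set point at a policy or plugin decision rather than a one-off client error.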

Re: Permission denied on hive for UDF with full permissions granted

Posted by Shashank Prabhakara <sh...@infoworks.io>.
Hi Velmurugan,

Happy New Year to everyone.

I tried installing the 1.0.0 version compiled from the master branch - only
the hive-plugin - without change in status quo, temporary functions are
still failing. However we have found our workaround with permanent
functions for now. Thanks everyone.


Regards,
Shashank

On Sat, Dec 30, 2017 at 2:55 AM, Velmurugan Periasamy <ve...@apache.org>
wrote:

> This could be related to RANGER-1631
> <https://issues.apache.org/jira/browse/RANGER-1631>

Re: Permission denied on hive for UDF with full permissions granted

Posted by Velmurugan Periasamy <ve...@apache.org>.
This could be related to RANGER-1631
<https://issues.apache.org/jira/browse/RANGER-1631>

From:  Shashank Prabhakara <sh...@infoworks.io>
Reply-To:  "user@ranger.apache.org" <us...@ranger.apache.org>
Date:  Friday, December 29, 2017 at 2:20 PM
To:  "user@ranger.apache.org" <us...@ranger.apache.org>
Subject:  Re: Permission denied on hive for UDF with full permissions
granted

Thanks for the response David, but we have ALL access granted to all
databases and all udfs as well.

Another observation, permanent functions work as expected:
Beeline version 2.1.1 by Apache Hive

0: jdbc:hive2://myserver:10000/default> ADD JAR hdfs:///path/to/my.jar;
No rows affected (0.014 seconds)
0: jdbc:hive2://myserver:10000/default> CREATE TEMPORARY FUNCTION someudf AS 'com.myapp.MyUDF';
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [myuser] does not have [CREATE] privilege on [someudf] (state=42000,code=40000)
0: jdbc:hive2://myserver:10000/default> CREATE FUNCTION someudf AS 'com.myapp.MyUDF';
No rows affected (0.019 seconds)
0: jdbc:hive2://myserver:10000/default> SHOW FUNCTIONS;
+-------------------------+--+
|        tab_name         |
+-------------------------+--+
...
| default.someudf       |
...



Regards, 
Shashank





Re: Permission denied on hive for UDF with full permissions granted

Posted by Shashank Prabhakara <sh...@infoworks.io>.
Thanks for the response David, but we have ALL access granted to all
databases and all udfs as well.

Another observation, permanent functions work as expected:
Beeline version 2.1.1 by Apache Hive

0: jdbc:hive2://myserver:10000/default> ADD JAR hdfs:///path/to/my.jar;
No rows affected (0.014 seconds)
0: jdbc:hive2://myserver:10000/default> CREATE TEMPORARY FUNCTION someudf AS 'com.myapp.MyUDF';
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [myuser] does not have [CREATE] privilege on [someudf] (state=42000,code=40000)
0: jdbc:hive2://myserver:10000/default> CREATE FUNCTION someudf AS 'com.myapp.MyUDF';
No rows affected (0.019 seconds)
0: jdbc:hive2://myserver:10000/default> SHOW FUNCTIONS;
+-------------------------+--+
|        tab_name         |
+-------------------------+--+
...
| default.someudf       |
...



Regards,
Shashank

On Sat, Dec 30, 2017 at 12:35 AM, David Quiroga <qu...@gmail.com>
wrote:

> I know in our cluster we had to grant our developer group access (select,
> update, Create, Drop, Alter) to all - database, udf for them to be able
> to create UDFs.
>
> Where all - database, udf policy is
> Hive Database: *
> udf *
>
> Sorry I don't have further documentation but our investigation revealed
> this was required.

Re: Permission denied on hive for UDF with full permissions granted

Posted by David Quiroga <qu...@gmail.com>.
I know in our cluster we had to grant our developer group access (select,
update, Create, Drop, Alter) to all - database, udf for them to be able
to create UDFs.

Where all - database, udf policy is
Hive Database: *
udf *

Sorry I don't have further documentation but our investigation revealed this
was required.

On Fri, Dec 29, 2017 at 10:02 AM, Shashank Prabhakara <shashank@infoworks.io> wrote:

> Hi All,
>
> After installing ranger 0.7.1 with hive 2.1.1, I see that most permissions
> are working as expected except for UDFs.
>
> I have 3 policies in place for myuser:
> 1. URI *
> 2. DB */Table *
> 3. DB */UDF *
> All 3 with delegate admin.
>
> However, the following query (in any db):
>
> CREATE TEMPORARY FUNCTION `someudf` AS 'com.myapp.MyUDF';
>
> Results in the following error stack trace seen in hive-server2.log:
>
>
> ERROR [HiveServer2-Handler-Pool: Thread-40] ql.Driver: FAILED: HiveAccessControlException Permission denied: user [myuser] does not have [CREATE] privilege on [someudf]
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [myuser] does not have [CREATE] privilege on [someudf]
>         at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:417)
>         at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:910)
>         at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:697)
>         at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:515)
>         at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1242)
>         at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1229)
>         at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:191)
>         at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:276)
>         at org.apache.hive.service.cli.operation.Operation.run(Operation.java:324)
>         at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:499)
>         at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:486)
> ...
>
>
> Please let me know about any solutions or workaround.
> All help is much appreciated.
>
> Regards,
> Shashank
>