You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@ranger.apache.org by Hanish Bansal <ha...@impetus.co.in> on 2015/06/11 08:19:32 UTC

Hive Update privilege behavior

Hi All,


I am using Ranger (version-0.4.0) hive authorization.

I am facing an issue: For update privileges to a user I have to give Select AND Update both privilege. Otherwise update privileges don't work.

Steps I followed:

1. Create a table "test?" in hive.

2. Give privilege of only update to a user, e.g. john.
3. Make connection in hive with the same user. Run update query on "test" table - "Update test? SET first_name='pr' where id=124;"

Expected- It should update the table
Actual- Getting exception- "FAILED: HiveAccessControlException Permission denied: user [john] does not have [SELECT] privilege on [default/test/id] (state=42000,code=40000)
"

Once providing both privileges 'select' and 'update' to user "john" then it's working fine.

Please let me know the expected behavior.


-------
Thanks & Regards,
Hanish Bansal

________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

RE: Hive Update privilege behavior

Posted by Hanish Bansal <ha...@impetus.co.in>.

Hi Madhan,


I have verified the same without where clause also and getting the same behavior.


I filed a JIRA for this @ https://issues.apache.org/jira/browse/RANGER-547


-------
Thanks & Regards,
Hanish Bansal
________________________________
From: Madhan Neethiraj <mn...@hortonworks.com> on behalf of Madhan Neethiraj <ma...@apache.org>
Sent: Thursday, June 11, 2015 1:04 PM
To: user@ranger.incubator.apache.org
Subject: Re: Hive Update privilege behavior

Hanish,

I think this might be due to "where id=124" in the query - which would require select permission for column "id".  Can you try without using a where clause?

Thanks,
Madhan

From: Don Bosco Durai <bo...@apache.org>>
Reply-To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Date: Wednesday, June 10, 2015 at 11:44 PM
To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Subject: Re: Hive Update privilege behavior

Interesting observation.

Madhan, do we need to add implied permission for update?

Hanish, if you don't mind, can you create a JIRA for this? We can try to resolve this in the next release.

Thanks

Bosco

From: Hanish Bansal <ha...@impetus.co.in>>
Reply-To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Date: Wednesday, June 10, 2015 at 11:19 PM
To: "user@ranger.incubator.apache.org<ma...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>>
Subject: Hive Update privilege behavior


Hi All,


I am using Ranger (version-0.4.0) hive authorization.

I am facing an issue: For update privileges to a user I have to give Select AND Update both privilege. Otherwise update privileges don't work.

Steps I followed:

1. Create a table "test?" in hive.

2. Give privilege of only update to a user, e.g. john.
3. Make connection in hive with the same user. Run update query on "test" table - "Update test? SET first_name='pr' where id=124;"

Expected- It should update the table
Actual- Getting exception- "FAILED: HiveAccessControlException Permission denied: user [john] does not have [SELECT] privilege on [default/test/id] (state=42000,code=40000)
"

Once providing both privileges 'select' and 'update' to user "john" then it's working fine.

Please let me know the expected behavior.


-------
Thanks & Regards,
Hanish Bansal

________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

Re: Hive Update privilege behavior

Posted by Madhan Neethiraj <ma...@apache.org>.

Hanish,

I think this might be due to “where id=124” in the query - which would
require select permission for column “id”.  Can you try without using a
where clause?

Thanks,
Madhan

From:  Don Bosco Durai <bo...@apache.org>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Wednesday, June 10, 2015 at 11:44 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Re: Hive Update privilege behavior

Interesting observation.

Madhan, do we need to add implied permission for update?

Hanish, if you don’t mind, can you create a JIRA for this? We can try to
resolve this in the next release.

Thanks

Bosco

From: Hanish Bansal <ha...@impetus.co.in>
Reply-To: "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date: Wednesday, June 10, 2015 at 11:19 PM
To: "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject: Hive Update privilege behavior

> Hi All,
> 
> 
> 
> I am using Ranger (version-0.4.0) hive authorization.
> 
> I am facing an issue: For update privileges to a user I have to give Select
> AND Update both privilege. Otherwise update privileges don't work.
> 
> Steps I followed:
> 1. Create a table "test" in hive.
> 2. Give privilege of only update to a user, e.g. john.
> 3. Make connection in hive with the same user. Run update query on "test"
> table - "Update test SET first_name='pr' where id=124;"
> 
> Expected- It should update the table
> Actual- Getting exception- "FAILED: HiveAccessControlException Permission
> denied: user [john] does not have [SELECT] privilege on [default/test/id]
> (state=42000,code=40000)
> "
> 
> Once providing both privileges 'select' and 'update' to user "john" then it's
> working fine.
> 
> Please let me know the expected behavior.
> 
> -------
> Thanks & Regards,
> Hanish Bansal
> 
> 
> 
> 
> 
> 
> 
> 
> NOTE: This message may contain information that is confidential, proprietary,
> privileged or otherwise protected by law. The message is intended solely for
> the named addressee. If received in error, please destroy and notify the
> sender. Any use of this email is prohibited when received in error. Impetus
> does not represent, warrant and/or guarantee, that the integrity of this
> communication has been maintained nor that the communication is free of
> errors, virus, interception or interference.

Re: Hive Update privilege behavior

Posted by Don Bosco Durai <bo...@apache.org>.

Interesting observation.

Madhan, do we need to add implied permission for update?

Hanish, if you don’t mind, can you create a JIRA for this? We can try to
resolve this in the next release.

Thanks

Bosco

From:  Hanish Bansal <ha...@impetus.co.in>
Reply-To:  "user@ranger.incubator.apache.org"
<us...@ranger.incubator.apache.org>
Date:  Wednesday, June 10, 2015 at 11:19 PM
To:  "user@ranger.incubator.apache.org" <us...@ranger.incubator.apache.org>
Subject:  Hive Update privilege behavior

> Hi All,
> 
> 
> 
> I am using Ranger (version-0.4.0) hive authorization.
> 
> I am facing an issue: For update privileges to a user I have to give Select
> AND Update both privilege. Otherwise update privileges don't work.
> 
> Steps I followed:
> 1. Create a table "test" in hive.
> 2. Give privilege of only update to a user, e.g. john.
> 3. Make connection in hive with the same user. Run update query on "test"
> table - "Update test SET first_name='pr' where id=124;"
> 
> Expected- It should update the table
> Actual- Getting exception- "FAILED: HiveAccessControlException Permission
> denied: user [john] does not have [SELECT] privilege on [default/test/id]
> (state=42000,code=40000)
> "
> 
> Once providing both privileges 'select' and 'update' to user "john" then it's
> working fine.
> 
> Please let me know the expected behavior.
> 
> -------
> Thanks & Regards,
> Hanish Bansal
> 
> 
> 
> 
> 
> 
> 
> 
> NOTE: This message may contain information that is confidential, proprietary,
> privileged or otherwise protected by law. The message is intended solely for
> the named addressee. If received in error, please destroy and notify the
> sender. Any use of this email is prohibited when received in error. Impetus
> does not represent, warrant and/or guarantee, that the integrity of this
> communication has been maintained nor that the communication is free of
> errors, virus, interception or interference.