You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hive.apache.org by "Thejas M Nair (JIRA)" <ji...@apache.org> on 2015/08/06 00:42:04 UTC
[jira] [Comment Edited] (HIVE-8954)
StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT
SQL request
[ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14649546#comment-14649546 ]
Thejas M Nair edited comment on HIVE-8954 at 8/5/15 10:42 PM:
--------------------------------------------------------------
[~Alexandre LINTE]
Do you also have following set ? (either via hive-site.xml or hiveserver2-site.xml )
{code}
<property>
<name>hive.security.authorization.enabled</name>
<value>true</value>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
{code}
Looks like this happens only when StorageBasedAuthorization is enabled at compile time.
The recommended place for enabling StorageBasedAuthorization is in hive metastore. [see SBA metastore instructions|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
Setting this for compile time is redundant and not something I would recommend.
I would recommend compile time authorization being enabled only if you want to use fine grained authorization such as SQL Standards based authorization or Apache Ranger.
was (Author: thejas):
[~Alexandre LINTE]
Do you also have following set ? (either via hive-site.xml or hiveserver2-site.xml )
{code}
<property>
<name>hive.security.authorization.enabled</name>
<value>false</value>
</property>
<property>
<name>hive.security.authorization.manager</name>
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
{code}
Looks like this happens only when StorageBasedAuthorization is enabled at compile time.
The recommended place for enabling StorageBasedAuthorization is in hive metastore. [see SBA metastore instructions|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
Setting this for compile time is redundant and not something I would recommend.
I would recommend compile time authorization being enabled only if you want to use fine grained authorization such as SQL Standards based authorization or Apache Ranger.
> StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
> --------------------------------------------------------------------------------------
>
> Key: HIVE-8954
> URL: https://issues.apache.org/jira/browse/HIVE-8954
> Project: Hive
> Issue Type: Bug
> Components: Authorization
> Affects Versions: 0.14.0
> Environment: centos 6.5
> Reporter: LINTE
>
> With hive.security.metastore.authorization.manager set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.
> It seem that on a read request, write permissions are check on the HDFS by the metastore.
> sample :
> bash# hive
> hive (default)> use database;
> OK
> Time taken: 0.747 seconds
> hive (database)> SELECT * FROM table LIMIT 10;
> FAILED: HiveException java.security.AccessControlException: action WRITE not permitted on path hdfs://cluster/hive_warehouse/database.db/table for user myuser
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)