Posted to user@hive.apache.org by Thejas Nair <th...@hortonworks.com> on 2014/06/16 09:04:42 UTC

Re: Questions about hive authorization under hdfs permissions.

I hope you don't mind me cc'ing user-group so that this q&a is
available for others as well.

The grant/revoke based authorization models (including the new
sql-standards based authorization in hive 0.13) do not automatically
ensure that the user has the necessary privileges on hdfs dirs and files.
To have this model work with hdfs, the usual strategy is to have all
users go through hiveserver2. HiveServer2 is configured with
hive.server2.doAs=false, and then you give permissions on hdfs to the
user hiveserver2 is running as.

On Sun, Jun 15, 2014 at 8:27 PM, Apple Wang <ap...@gmail.com> wrote:
> Hi, Thejas
>
> I'm a user of Hive and I'm confused with Hive authorization under hdfs
> permission. I know you are an expert of it. Could you please help me with
> the following problems?
>
> I have enabled hive authorization in my testing cluster (Hive 0.12). I use
> the user hive to create database hivedb and grant create privilege on hivedb
> to user root.
>
> But I come across the following problem: root can not create a table in
> hivedb even though it has the create privilege.
>
> FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=root, access=WRITE, inode="/tmp/user/hive/warehouse/hivedb.db":hive:hadoop:drwxr-xr-x
>         at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:234)
>         at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:214)
>         at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:158)
>         at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:5499)
>         at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:5481)
>         at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAncestorAccess(FSNamesystem.java:5455)
>         at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInternal(FSNamesystem.java:3455)
>         at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInt(FSNamesystem.java:3425)
>         at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirs(FSNamesystem.java:3397)
>         at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.mkdirs(NameNodeRpcServer.java:724)
>         at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.mkdirs(ClientNamenodeProtocolServerSideTranslatorPB.java:502)
>         at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java:48089)
>         at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:585)
>         at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:928)
>         at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2048)
>         at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2044)
>         at java.security.AccessController.doPrivileged(Native Method)
>         at javax.security.auth.Subject.doAs(Subject.java:396)
>         at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
>         at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2042)
>
>
> It is obvious that the hivedb.db directory in HDFS is not allowed to be
> written by other users. So how does hive authorization work under the HDFS
> permissions?
>
> PS. If I create a table as user hive and grant the update privilege to user
> root, the same ERROR will come across if I load data into the table as root.
>
> Looking forward to your reply!
>
> Thanks

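The two independent checks behind this thread, Hive's grant table and HDFS's owner/group/other bits, modelled as an added Python example. This is not code from the thread or from Hive/HDFS; it reuses the inode string from the error above (path, owner hive, group hadoop, mode drwxr-xr-x) and assumes the grants, the HDFS group memberships, the warehouse path layout and the HiveServer2 service user name "hive" shown below. It reproduces the failure with impersonation on, and shows why routing through HiveServer2 with impersonation off (the real hive-site.xml property is hive.server2.enable.doAs) makes the same request succeed while the Hive grant layer still refuses a user with no grant.

```python
import re

# Hive-side grants, as given with GRANT ... ON DATABASE. Constructed to match
# the thread: user hive created hivedb and granted CREATE to root.
HIVE_GRANTS = {
    ("root", "hivedb"): {"CREATE"},
    ("hive", "hivedb"): {"CREATE", "SELECT", "UPDATE", "DROP"},  # assumed owner grants
}

# HDFS-side state: the inode string exactly as the AccessControlException on
# the page prints it (owner:group:mode). Group membership is constructed.
WAREHOUSE_INODES = {
    "/tmp/user/hive/warehouse/hivedb.db": "hive:hadoop:drwxr-xr-x",
}
HDFS_GROUPS = {"hive": {"hadoop"}, "root": {"root"}}

INODE_RE = re.compile(r"^(?P<owner>[^:]+):(?P<group>[^:]+):(?P<mode>[d-][rwx-]{9})$")


def hdfs_allows(path, user, access):
    """POSIX-style check in the spirit of FSPermissionChecker: choose the
    owner, group or other triad for `user` and test the requested bit."""
    m = INODE_RE.match(WAREHOUSE_INODES[path])
    owner, group, mode = m.group("owner"), m.group("group"), m.group("mode")
    bits = mode[1:]  # drop the file-type character ('d' or '-')
    if user == owner:
        triad = bits[0:3]
    elif group in HDFS_GROUPS.get(user, set()):
        triad = bits[3:6]
    else:
        triad = bits[6:9]
    flag = {"READ": "r", "WRITE": "w", "EXECUTE": "x"}[access]
    return flag in triad


def hive_allows(user, db, privilege):
    """Hive's own grant check: independent of anything on HDFS."""
    return privilege in HIVE_GRANTS.get((user, db), set())


def create_table(session_user, db, hs2_doas, hs2_service_user="hive"):
    """Model CREATE TABLE in `db`: first the Hive grant check, then the HDFS
    write needed to mkdir the table directory. Returns (ok, reason)."""
    if not hive_allows(session_user, db, "CREATE"):
        return False, f"Hive: {session_user} lacks CREATE on {db}"
    # With doAs=true HiveServer2 runs the query as the end user; with doAs=false
    # it runs as the service user, so that is the identity HDFS sees.
    hdfs_user = session_user if hs2_doas else hs2_service_user
    db_dir = f"/tmp/user/hive/warehouse/{db}.db"
    if not hdfs_allows(db_dir, hdfs_user, "WRITE"):
        return False, (f"HDFS: Permission denied: user={hdfs_user}, access=WRITE, "
                       f'inode="{db_dir}":{WAREHOUSE_INODES[db_dir]}')
    return True, f"created under {db_dir} as HDFS user {hdfs_user}"


if __name__ == "__main__":
    print(create_table("root", "hivedb", hs2_doas=True))   # the error from the thread
    print(create_table("root", "hivedb", hs2_doas=False))  # the recommended setup
    print(create_table("bob", "hivedb", hs2_doas=False))   # no grant: Hive still refuses
```

The third call is the point a practitioner should check: once impersonation is off, every warehouse write lands on HDFS as the service user, so the Hive grant layer is the only per-user control left. That only holds if users really do go through HiveServer2 as the reply says, i.e. the warehouse directories stay owned by and writable only for that service user, and direct HDFS access to them is not handed out.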