You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@hive.apache.org by Staņislavs Rogozins <st...@gmail.com> on 2016/10/14 11:07:16 UTC

WRITE permissions required for execution of table CREATE and SELECT in 0.14

Apparently, in the hive version that I'm dealing with users are required to
have WRITE permission on table's data directory to CREATE it or SELECT from
it, even if you specify custom LOCATION, or make the table EXTERNAL. Some
examples:

hdfs dfs -mkdir -p /data/test_perm1

CREATE TABLE test_perm1 (col1 STRING) LOCATION '/data/test_perm';

hdfs dfs -chmod 550 /data/test_perm1

performing `SELECT * FROM test_perm1;` yields something like

`Error: Error while compiling statement: FAILED: HiveException
java.security.AccessControlException: Permission denied: .. access=WRITE,
inode="/data/test_perm1"..`

After that, executing

CREATE EXTERNAL TABLE test_perm2 (col1 STRING) LOCATION '/data/test_perm1';

yields a similar error.


Why would a SELECT or a CREATE of EXTERNAL table require WRITE
permissions?(Does the second one have to do with setting the sticky bit?).
Is this intended behaviour? Is this a bug in 0.14? Could some kind of
mis-configuration of Hive be behind this?

Re: WRITE permissions required for execution of table CREATE and SELECT in 0.14

Posted by Staņislavs Rogozins <st...@gmail.com>.

Same user that created it.

On Fri, Oct 14, 2016 at 9:28 PM, Goden Yao <go...@gmail.com> wrote:

> who's the owner of  /data/test_perm1 in your hdfs?
> also wonder why  `SELECT * FROM test_perm1;` would result in a WRITE
> operation on Hive side.
>
> On Fri, Oct 14, 2016 at 11:00 AM Staņislavs Rogozins <
> stanislavs.rogozins@gmail.com> wrote:
>
>> Yep, I executed all commands with the same user and didn't see anything
>> about object privileges.
>>
>> On Fri, Oct 14, 2016 at 7:53 PM, Goden Yao <go...@apache.org> wrote:
>>
>> check: https://cwiki.apache.org/confluence/display/Hive/
>> SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorizat
>> ion-ForHive0.14andNewer
>>
>> Down to the bottom , there's a table of permission check.
>> - CREATE definitely need to check the WRITE permission of the custom
>> location
>> - SELECT - should only check if the user has privilege on viewing the
>> table
>> Did you use the same user to create and select? or it was admin who
>> created the table in the first place?
>>
>> -Goden
>>
>> On Fri, Oct 14, 2016 at 4:08 AM Staņislavs Rogozins <
>> stanislavs.rogozins@gmail.com> wrote:
>>
>> Apparently, in the hive version that I'm dealing with users are required
>> to have WRITE permission on table's data directory to CREATE it or SELECT
>> from it, even if you specify custom LOCATION, or make the table EXTERNAL.
>> Some examples:
>>
>> hdfs dfs -mkdir -p /data/test_perm1
>>
>> CREATE TABLE test_perm1 (col1 STRING) LOCATION '/data/test_perm';
>>
>> hdfs dfs -chmod 550 /data/test_perm1
>>
>> performing `SELECT * FROM test_perm1;` yields something like
>>
>> `Error: Error while compiling statement: FAILED: HiveException
>> java.security.AccessControlException: Permission denied: ..
>> access=WRITE, inode="/data/test_perm1"..`
>>
>> After that, executing
>>
>> CREATE EXTERNAL TABLE test_perm2 (col1 STRING) LOCATION
>> '/data/test_perm1';
>>
>> yields a similar error.
>>
>>
>> Why would a SELECT or a CREATE of EXTERNAL table require WRITE
>> permissions?(Does the second one have to do with setting the sticky bit?).
>> Is this intended behaviour? Is this a bug in 0.14? Could some kind of
>> mis-configuration of Hive be behind this?
>>
>>
>> --
> Goden
>

Re: WRITE permissions required for execution of table CREATE and SELECT in 0.14

Posted by Goden Yao <go...@gmail.com>.

who's the owner of  /data/test_perm1 in your hdfs?
also wonder why  `SELECT * FROM test_perm1;` would result in a WRITE
operation on Hive side.

On Fri, Oct 14, 2016 at 11:00 AM Staņislavs Rogozins <
stanislavs.rogozins@gmail.com> wrote:

> Yep, I executed all commands with the same user and didn't see anything
> about object privileges.
>
> On Fri, Oct 14, 2016 at 7:53 PM, Goden Yao <go...@apache.org> wrote:
>
> check:
> https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorization-ForHive0.14andNewer
>
> Down to the bottom , there's a table of permission check.
> - CREATE definitely need to check the WRITE permission of the custom
> location
> - SELECT - should only check if the user has privilege on viewing the
> table
> Did you use the same user to create and select? or it was admin who
> created the table in the first place?
>
> -Goden
>
> On Fri, Oct 14, 2016 at 4:08 AM Staņislavs Rogozins <
> stanislavs.rogozins@gmail.com> wrote:
>
> Apparently, in the hive version that I'm dealing with users are required
> to have WRITE permission on table's data directory to CREATE it or SELECT
> from it, even if you specify custom LOCATION, or make the table EXTERNAL.
> Some examples:
>
> hdfs dfs -mkdir -p /data/test_perm1
>
> CREATE TABLE test_perm1 (col1 STRING) LOCATION '/data/test_perm';
>
> hdfs dfs -chmod 550 /data/test_perm1
>
> performing `SELECT * FROM test_perm1;` yields something like
>
> `Error: Error while compiling statement: FAILED: HiveException
> java.security.AccessControlException: Permission denied: .. access=WRITE,
> inode="/data/test_perm1"..`
>
> After that, executing
>
> CREATE EXTERNAL TABLE test_perm2 (col1 STRING) LOCATION '/data/test_perm1';
>
> yields a similar error.
>
>
> Why would a SELECT or a CREATE of EXTERNAL table require WRITE
> permissions?(Does the second one have to do with setting the sticky bit?).
> Is this intended behaviour? Is this a bug in 0.14? Could some kind of
> mis-configuration of Hive be behind this?
>
>
> --
Goden

Re: WRITE permissions required for execution of table CREATE and SELECT in 0.14

Posted by Staņislavs Rogozins <st...@gmail.com>.

Yep, I executed all commands with the same user and didn't see anything
about object privileges.

On Fri, Oct 14, 2016 at 7:53 PM, Goden Yao <go...@apache.org> wrote:

> check: https://cwiki.apache.org/confluence/display/Hive/
> SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorizat
> ion-ForHive0.14andNewer
>
> Down to the bottom , there's a table of permission check.
> - CREATE definitely need to check the WRITE permission of the custom
> location
> - SELECT - should only check if the user has privilege on viewing the
> table
> Did you use the same user to create and select? or it was admin who
> created the table in the first place?
>
> -Goden
>
> On Fri, Oct 14, 2016 at 4:08 AM Staņislavs Rogozins <
> stanislavs.rogozins@gmail.com> wrote:
>
>> Apparently, in the hive version that I'm dealing with users are required
>> to have WRITE permission on table's data directory to CREATE it or SELECT
>> from it, even if you specify custom LOCATION, or make the table EXTERNAL.
>> Some examples:
>>
>> hdfs dfs -mkdir -p /data/test_perm1
>>
>> CREATE TABLE test_perm1 (col1 STRING) LOCATION '/data/test_perm';
>>
>> hdfs dfs -chmod 550 /data/test_perm1
>>
>> performing `SELECT * FROM test_perm1;` yields something like
>>
>> `Error: Error while compiling statement: FAILED: HiveException
>> java.security.AccessControlException: Permission denied: ..
>> access=WRITE, inode="/data/test_perm1"..`
>>
>> After that, executing
>>
>> CREATE EXTERNAL TABLE test_perm2 (col1 STRING) LOCATION
>> '/data/test_perm1';
>>
>> yields a similar error.
>>
>>
>> Why would a SELECT or a CREATE of EXTERNAL table require WRITE
>> permissions?(Does the second one have to do with setting the sticky bit?).
>> Is this intended behaviour? Is this a bug in 0.14? Could some kind of
>> mis-configuration of Hive be behind this?
>>
>>

Re: WRITE permissions required for execution of table CREATE and SELECT in 0.14

Posted by Goden Yao <go...@apache.org>.

check:
https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorization-ForHive0.14andNewer

Down to the bottom , there's a table of permission check.
- CREATE definitely need to check the WRITE permission of the custom
location
- SELECT - should only check if the user has privilege on viewing the table
Did you use the same user to create and select? or it was admin who created
the table in the first place?

-Goden

On Fri, Oct 14, 2016 at 4:08 AM Staņislavs Rogozins <
stanislavs.rogozins@gmail.com> wrote:

> Apparently, in the hive version that I'm dealing with users are required
> to have WRITE permission on table's data directory to CREATE it or SELECT
> from it, even if you specify custom LOCATION, or make the table EXTERNAL.
> Some examples:
>
> hdfs dfs -mkdir -p /data/test_perm1
>
> CREATE TABLE test_perm1 (col1 STRING) LOCATION '/data/test_perm';
>
> hdfs dfs -chmod 550 /data/test_perm1
>
> performing `SELECT * FROM test_perm1;` yields something like
>
> `Error: Error while compiling statement: FAILED: HiveException
> java.security.AccessControlException: Permission denied: .. access=WRITE,
> inode="/data/test_perm1"..`
>
> After that, executing
>
> CREATE EXTERNAL TABLE test_perm2 (col1 STRING) LOCATION '/data/test_perm1';
>
> yields a similar error.
>
>
> Why would a SELECT or a CREATE of EXTERNAL table require WRITE
> permissions?(Does the second one have to do with setting the sticky bit?).
> Is this intended behaviour? Is this a bug in 0.14? Could some kind of
> mis-configuration of Hive be behind this?
>
>