Posted to dev@ranger.apache.org by "Pradeep Agrawal (Jira)" <ji...@apache.org> on 2020/08/31 04:21:00 UTC

[jira] [Comment Edited] (RANGER-2976) User can not create external table in Hive Plugin

    [ https://issues.apache.org/jira/browse/RANGER-2976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187420#comment-17187420 ] 

Pradeep Agrawal edited comment on RANGER-2976 at 8/31/20, 4:20 AM:
-------------------------------------------------------------------

[~Symious]: I would be able to let you know only after testing this patch. It may take time to get the env. and test. If possible, please raise the review request.


was (Author: pradeep.agrawal):
[~Symious]: I would be able to let you know only after testing this patch. It may take time to get the env. and test.

> User can not create external table in Hive Plugin
> -------------------------------------------------
>
>                 Key: RANGER-2976
>                 URL: https://issues.apache.org/jira/browse/RANGER-2976
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.0.0
>            Reporter: Janus Chow
>            Priority: Major
>         Attachments: RANGER-2976.patch
>
>
> A user "userA" wants to create an external table on "hdfs://test/testDir" via a Hive Metastore with the Ranger Hive plugin installed. Permission information is as follows.
> {code:java}
> # id userA
> uid=3044(userA) gid=3044(userA) groups=992(supergroup)
> # hadoop fs -ls hdfs://test
> drwxrwxr-x   - userB supergroup          0 2019-01-01 00:00 hdfs://test/testDir
> # hadoop fs -ls hdfs://test/testDir
> -rw-rw-r--   3 userB supergroup    1000000 2019-01-01 00:00 hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet
> {code}
> When "userA" is trying to create an external table on "hdfs://test/testDir" with the following command, 
> {code:java}
> spark.sql("create table userA_test USING org.apache.spark.sql.parquet OPTIONS ( path = 'hdfs://test/testDir')")
> {code}
> Ranger denied the operation with the following error message.
> {code:java}
> org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:Permission denied: user [userA] does not have [ALL] privilege on [hdfs://test/testDir])
> {code}
> The reason is that when Ranger checks URI permission, it checks whether the user has FSAction.ALL on the URI if "userA" is not the owner of the HDFS path, but HDFS files do not have the execution permission set by default, so the Ranger permission check returns false.
> I think in the getURIAccessType function in RangerHiveAuthorizer, we should return FSAction.READ_WRITE instead of FSAction.ALL. For an HDFS directory, Hadoop will help us add FSAction.EXECUTE when we are trying to do the permission check, so we can skip FSAction.EXECUTE here to work well with HDFS files.


