Posted to issues@hive.apache.org by "Oleksiy Sayankin (Jira)" <ji...@apache.org> on 2020/02/21 12:25:00 UTC

[jira] [Updated] (HIVE-22919) StorageBasedAuthorizationProvider does not allow create databases after changing hive.metastore.warehouse.dir

     [ https://issues.apache.org/jira/browse/HIVE-22919?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oleksiy Sayankin updated HIVE-22919:
------------------------------------
    Description: 
*ENVIRONMENT:*
Hive-2.3


*STEPS TO REPRODUCE:*

1. Configure Storage Based Authorization:

{code:xml}<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>{code}

2. Create a few directories and change their owners and permissions:

{code:java}hadoop fs -mkdir /tmp/m1
hadoop fs -mkdir /tmp/m2
hadoop fs -mkdir /tmp/m3
hadoop fs -chown testuser1:testuser1 /tmp/m[1,3]
hadoop fs -chmod 700 /tmp/m[1-3]{code}

3. Check permissions:

{code:java}[test@node2 ~]$ hadoop fs -ls /tmp|grep m[1-3]
drwx------   - testuser1 testuser1          0 2020-02-11 10:25 /tmp/m1
drwx------   - test      test               0 2020-02-11 10:25 /tmp/m2
drwx------   - testuser1 testuser1          1 2020-02-11 10:36 /tmp/m3
[test@node2 ~]$
{code}

4. Log in to Hive CLI using embedded Hive Metastore as *"testuser1"* user, with *"hive.metastore.warehouse.dir"* set to *"/tmp/m1"*:

{code:java}
sudo -u testuser1 hive --hiveconf hive.metastore.uris= --hiveconf hive.metastore.warehouse.dir=/tmp/m1
{code}

5. Perform the next steps:

{code:sql}-- 1. Check "hive.metastore.warehouse.dir" value:
SET hive.metastore.warehouse.dir;
-- 2. Set "hive.metastore.warehouse.dir" to a path to which the "testuser1" user does not have access:
SET hive.metastore.warehouse.dir=/tmp/m2;
-- 3. Try to create a database:
CREATE DATABASE m2;
-- 4. Set "hive.metastore.warehouse.dir" to a path to which the "testuser1" user has access:
SET hive.metastore.warehouse.dir=/tmp/m3;
-- 5. Try to create a database:
CREATE DATABASE m3;
{code}

*ACTUAL RESULT:*
Query 5 fails with the exception below. It does not handle the "hive.metastore.warehouse.dir" property:

{code:java}
hive> -- 5. Try to create a database:
hive> CREATE DATABASE m3;
FAILED: HiveException org.apache.hadoop.security.AccessControlException: User testuser1(user id 5001)  does not have access to hdfs:/tmp/m2/m3.db
hive>
{code}

*EXPECTED RESULT:*
Query 5 creates a database.

  was:
*ENVIRONMENT:*
Hive-2.3


*STEPS TO REPRODUCE:*

1. Configure Storage Based Authorization:

{code:xml}<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>{code}

2. Create a few directories and change their owners and permissions:

{code:java}hadoop fs -mkdir /tmp/m1
hadoop fs -mkdir /tmp/m2
hadoop fs -mkdir /tmp/m3
hadoop fs -chown testuser1:testuser1 /tmp/m[1,3]
hadoop fs -chmod 700 /tmp/m[1-3]{code}

3. Check permissions:

{code:java}[test@node2 ~]$ hadoop fs -ls /tmp|grep m[1-3]
drwx------   - testuser1 testuser1          0 2020-02-11 10:25 /tmp/m1
drwx------   - test      test               0 2020-02-11 10:25 /tmp/m2
drwx------   - testuser1 testuser1          1 2020-02-11 10:36 /tmp/m3
[test@node2 ~]$
{code}

4. Log in to Hive CLI using embedded Hive Metastore as *"testuser1"* user, with *"hive.metastore.warehouse.dir"* set to *"/tmp/m1"*:

{code:java}
sudo -u testuser1 hive --hiveconf hive.metastore.uris= --hiveconf hive.metastore.warehouse.dir=/tmp/m1
{code}

5. Perform the next steps:

{code:sql
}-- 1. Check "hive.metastore.warehouse.dir" value:
SET hive.metastore.warehouse.dir;
-- 2. Set "hive.metastore.warehouse.dir" to a path to which the "testuser1" user does not have access:
SET hive.metastore.warehouse.dir=/tmp/m2;
-- 3. Try to create a database:
CREATE DATABASE m2;
-- 4. Set "hive.metastore.warehouse.dir" to a path to which the "testuser1" user has access:
SET hive.metastore.warehouse.dir=/tmp/m3;
-- 5. Try to create a database:
CREATE DATABASE m3;
{code}

*ACTUAL RESULT:*
Query 5 fails with the exception below. It does not handle the "hive.metastore.warehouse.dir" property:

{code:java}
hive> -- 5. Try to create a database:
hive> CREATE DATABASE m3;
FAILED: HiveException org.apache.hadoop.security.AccessControlException: User testuser1(user id 5001)  does not have access to hdfs:/tmp/m2/m3.db
hive>
{code}

*EXPECTED RESULT:*
Query 5 creates a database.


> StorageBasedAuthorizationProvider does not allow create databases after changing hive.metastore.warehouse.dir
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-22919
>                 URL: https://issues.apache.org/jira/browse/HIVE-22919
>             Project: Hive
>          Issue Type: Bug
>            Reporter: Oleksiy Sayankin
>            Assignee: Oleksiy Sayankin
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
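
The reproduction in steps 1-5, replayed against a toy model (an added example, not part of the original report and not Hive code). It assumes the authorization check captures the warehouse root at the first check and reuses it, which is a hypothesis consistent with the reported path `hdfs:/tmp/m2/m3.db`, not a root cause stated in the report; `Session`, `can_write` and `replay` are hypothetical names.

```python
import posixpath

KEY = "hive.metastore.warehouse.dir"
# Constructed from the step 3 listing: path -> (owner, mode). Group is ignored.
FS = {"/tmp/m1": ("testuser1", 0o700),
      "/tmp/m2": ("test", 0o700),
      "/tmp/m3": ("testuser1", 0o700)}

class AccessControlException(Exception):
    pass

def can_write(user, directory):
    """Owner/other check only: creating a child needs write + execute."""
    owner, mode = FS[directory]
    bits = (mode >> 6) & 0o7 if user == owner else mode & 0o7
    return (bits & 0o3) == 0o3

class Session:
    """Hypothetical session; cache_root=True models the reported behaviour."""
    def __init__(self, user, warehouse_dir, cache_root):
        self.user, self.cache_root = user, cache_root
        self.conf = {KEY: warehouse_dir}
        self._authz_root = None  # root captured by the first authorization

    def set(self, key, value):
        self.conf[key] = value

    def create_database(self, name):
        # Assumed stale-root behaviour: refresh only when caching is off.
        if not self.cache_root or self._authz_root is None:
            self._authz_root = self.conf[KEY]
        target = posixpath.join(self._authz_root, name + ".db")
        if not can_write(self.user, self._authz_root):
            raise AccessControlException(
                f"User {self.user} does not have access to hdfs:{target}")
        return target

def replay(cache_root):
    """Run queries 2-5 of step 5 and return the outcome of each CREATE."""
    s = Session("testuser1", "/tmp/m1", cache_root)
    outcomes = []
    for root, db in (("/tmp/m2", "m2"), ("/tmp/m3", "m3")):
        s.set(KEY, root)
        try:
            outcomes.append(s.create_database(db))
        except AccessControlException as exc:
            outcomes.append(str(exc))
    return outcomes

if __name__ == "__main__":
    for mode in (True, False):
        print("cached root" if mode else "current root", replay(mode))
```

With the cached root, the second `CREATE DATABASE` is checked against `/tmp/m2` even though the session value is `/tmp/m3`; reading the current value on every check gives the expected result from the report.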