Issue with Ranger and UDFs

[Julien Carme <ju...@gmail.com>]

Hello,

I cannot use RHive with Ranger. It is not a RHive specific problem, it is a
UDF issue and it seems to come either from Ranger or from Hive itself. I
can reproduce the bug with beeline:

Connecting to jdbc:hive2://XXX:10000
Enter username for jdbc:hive2://XXX:10000: julien
Enter password for jdbc:hive2://XXX:10000: ********
> !connect jdbc:hive2://XXX:10000
> CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";

Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling
statement: FAILED: HiveAccessControlException Permission denied: user
[julien] does not have [CREATE] privilege on [/r]


> USE DEFAULT;
> CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";

Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling
statement: FAILED: HiveAccessControlException Permission denied: user
[julien] does not have [CREATE] privilege on [/r]

User julien has all UDFs permissions: databases:* / UDFs:* / admin"

Any help would be appreciated.

Regards,

Julien

Re: Issue with Ranger and UDFs

[Madhan Neethiraj <ma...@apache.org>]

Julien,

The properties that need to be modified at runtime should be added to
Œhive.security.authorization.sqlstd.confwhitelist.append¹ in hive-site.xml.

To fix this particular error, please try after adding Œmapred.child.env¹ to
Œhive.security.authorization.sqlstd.confwhitelist.append¹ in hive-site.xml.

Thanks,
Madhan

From:  Julien Carme <ju...@gmail.com>
Reply-To:  "<us...@ranger.incubator.apache.org>"
<us...@ranger.incubator.apache.org>
Date:  Wednesday, April 1, 2015 at 3:36 AM
To:  "<us...@ranger.incubator.apache.org>" <us...@ranger.incubator.apache.org>
Subject:  Re: Issue with Ranger and UDFs

Hello, 

OK it works, thanks, but now I have another issue with RHive. The error
message is pretty explicit:

Error: org.apache.hive.service.cli.HiveSQLException: Error while processing
statement: Cannot modify mapred.child.env at runtime. It is not in list of
params that are allowed to be modified at runtime


Rhive actually tries to modify mapred.child.env, and it does not seem to be
a problem when Ranger is not activated.

Any idea how to solve that?

Regards,

Julien


2015-03-26 17:50 GMT+01:00 Ramesh Mani <rm...@hortonworks.com>:
> Hi Julein, 
> 
> As a work around for the issue please have a specific UDF¹s you wanted to have
> permissions along with  * .
> 
> This should take care of this issue.
> 
> Regards,
> Ramesh
> 
> On Mar 26, 2015, at 3:42 AM, Julien Carme <ju...@gmail.com> wrote:
> 
>> Hello, 
>> 
>> I cannot use RHive with Ranger. It is not a RHive specific problem, it is a
>> UDF issue and it seems to come either from Ranger or from Hive itself. I can
>> reproduce the bug with beeline:
>> 
>> Connecting to jdbc:hive2://XXX:10000
>> Enter username for jdbc:hive2://XXX:10000: julien
>> Enter password for jdbc:hive2://XXX:10000: ********
>>> > !connect jdbc:hive2://XXX:10000
>>> > CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";
>> 
>> Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling
>> statement: FAILED: HiveAccessControlException Permission denied: user
>> [julien] does not have [CREATE] privilege on [/r]
>> 
>> 
>>> > USE DEFAULT;
>>> > CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";
>> 
>> Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling
>> statement: FAILED: HiveAccessControlException Permission denied: user
>> [julien] does not have [CREATE] privilege on [/r]
>> 
>> User julien has all UDFs permissions: databases:* / UDFs:* / admin"
>> 
>> Any help would be appreciated.
>> 
>> Regards,
>> 
>> Julien
> 
> 
> CONFIDENTIALITY NOTICE
> NOTICE: This message is intended for the use of the individual or entity to
> which it is addressed and may contain information that is confidential,
> privileged and exempt from disclosure under applicable law. If the reader of
> this message is not the intended recipient, you are hereby notified that any
> printing, copying, dissemination, distribution, disclosure or forwarding of
> this communication is strictly prohibited. If you have received this
> communication in error, please contact the sender immediately and delete it
> from your system. Thank You.

Re: Issue with Ranger and UDFs

[Julien Carme <ju...@gmail.com>]

Hello,

OK it works, thanks, but now I have another issue with RHive. The error
message is pretty explicit:

Error: org.apache.hive.service.cli.HiveSQLException: Error while
processing statement: Cannot modify mapred.child.env at runtime. It is
not in list of params that are allowed to be modified at runtime



Rhive actually tries to modify mapred.child.env, and it does not seem to be
a problem when Ranger is not activated.

Any idea how to solve that?

Regards,

Julien


2015-03-26 17:50 GMT+01:00 Ramesh Mani <rm...@hortonworks.com>:

> Hi Julein,
>
> As a work around for the issue please have a specific UDF’s you wanted to
> have permissions along with  * .
>
> This should take care of this issue.
>
> Regards,
> Ramesh
>
> On Mar 26, 2015, at 3:42 AM, Julien Carme <ju...@gmail.com> wrote:
>
> Hello,
>
> I cannot use RHive with Ranger. It is not a RHive specific problem, it is
> a UDF issue and it seems to come either from Ranger or from Hive itself. I
> can reproduce the bug with beeline:
>
> Connecting to jdbc:hive2://XXX:10000
> Enter username for jdbc:hive2://XXX:10000: julien
> Enter password for jdbc:hive2://XXX:10000: ********
> > !connect jdbc:hive2://XXX:10000
> > CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";
>
> Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling
> statement: FAILED: HiveAccessControlException Permission denied: user
> [julien] does not have [CREATE] privilege on [/r]
>
>
> > USE DEFAULT;
> > CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";
>
> Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling
> statement: FAILED: HiveAccessControlException Permission denied: user
> [julien] does not have [CREATE] privilege on [/r]
>
> User julien has all UDFs permissions: databases:* / UDFs:* / admin"
>
> Any help would be appreciated.
>
> Regards,
>
> Julien
>
>
>
> CONFIDENTIALITY NOTICE
> NOTICE: This message is intended for the use of the individual or entity
> to which it is addressed and may contain information that is confidential,
> privileged and exempt from disclosure under applicable law. If the reader
> of this message is not the intended recipient, you are hereby notified that
> any printing, copying, dissemination, distribution, disclosure or
> forwarding of this communication is strictly prohibited. If you have
> received this communication in error, please contact the sender immediately
> and delete it from your system. Thank You.

Re: Issue with Ranger and UDFs

[Ramesh Mani <rm...@hortonworks.com>]

Hi Julein,

As a work around for the issue please have a specific UDF’s you wanted to have permissions along with  * .

This should take care of this issue. 

Regards,
Ramesh

On Mar 26, 2015, at 3:42 AM, Julien Carme <ju...@gmail.com> wrote:

> Hello,
> 
> I cannot use RHive with Ranger. It is not a RHive specific problem, it is a UDF issue and it seems to come either from Ranger or from Hive itself. I can reproduce the bug with beeline:
> 
> Connecting to jdbc:hive2://XXX:10000
> Enter username for jdbc:hive2://XXX:10000: julien
> Enter password for jdbc:hive2://XXX:10000: ********
> > !connect jdbc:hive2://XXX:10000
> > CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";
> 
>  Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [julien] does not have [CREATE] privilege on [/r] 
> 
> > USE DEFAULT;
> > CREATE TEMPORARY FUNCTION R AS "com.nexr.rhive.hive.udf.RUDF";
> 
>  Error: org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [julien] does not have [CREATE] privilege on [/r] 
> 
> User julien has all UDFs permissions: databases:* / UDFs:* / admin"
> 
> Any help would be appreciated.
> 
> Regards,
> 
> Julien


-- 
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to 
which it is addressed and may contain information that is confidential, 
privileged and exempt from disclosure under applicable law. If the reader 
of this message is not the intended recipient, you are hereby notified that 
any printing, copying, dissemination, distribution, disclosure or 
forwarding of this communication is strictly prohibited. If you have 
received this communication in error, please contact the sender immediately 
and delete it from your system. Thank You.