Hari Sekhon created HIVE-12408:
----------------------------------
Summary: SQLStdAuthorizer expects external table creator to be
owner of directory, does not respect rwx group permission. Only one user could
ever create an external table definition to dir!
Key: HIVE-12408
URL: https://issues.apache.org/jira/browse/HIVE-12408
Project: Hive
Issue Type: Bug
Components: Authorization, Security, SQLStandardAuthorization
Affects Versions: 0.14.0
Environment: HDP 2.2 + Kerberos
Reporter: Hari Sekhon
Assignee: Thejas M Nair
Priority: Critical
When trying to create an external table via beeline in Hive using the
SQLStdAuthorizer it expects the table creator to be the owner of the directory
path and ignores the group rwx permission that is granted to the user.
{code}Error: Error while compiling statement: FAILED:
HiveAccessControlException Permission denied: Principal [name=hari, type=USER]
does not have following privileges for operation CREATETABLE [[INSERT, DELETE,
OBJECT OWNERSHIP] on Object [type=DFS_URI, name=/etl/path/to/hdfs/dir]]
(state=42000,code=40000){code}
All it should be checking is read access to that directory.
The directory owner requirement breaks the ability of more than one user to
create external table definitions to a given location. For example this is a
flume landing directory with json data, and the /etl tree is owned by the flume
user. Even chowning the tree to another user would still break access to other
users who are able to read the directory in hdfs but would still unable to
create external tables on top of it.
This looks like a remnant of the owner only access model in SQLStdAuth and is a
separate issue to HIVE-11864 / HIVE-12324.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
