[jira] [Commented] (HIVE-2554) Hive authorization with remote metastore does not work

[Alex Holmes (Commented) (JIRA)]

    [ 
https://issues.apache.org/jira/browse/HIVE-2554?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13145230#comment-13145230
 ] 

Alex Holmes commented on HIVE-2554:
-----------------------------------

It's worth noting that things work fine when running with the local metastore.  
Merely changing {{hive.metastore.local}} to true results in this exception.
                
> Hive authorization with remote metastore does not work
> ------------------------------------------------------
>
>                 Key: HIVE-2554
>                 URL: https://issues.apache.org/jira/browse/HIVE-2554
>             Project: Hive
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 0.7.1
>         Environment: CentOS release 5.7
> Hadoop 0.20.2 (pseudo-distributed mode)
>            Reporter: Alex Holmes
>
> *Install Hadoop 0.20.2*
> #  Explode Hadoop 0.20.2 tarball
> #  Configure for pseudo-distributed mode from [Hadoop 
> site|http://hadoop.apache.org/common/docs/r0.20.2/quickstart.html#PseudoDistributed]
> #  Create user "hadoop"
> #  Start all Hadoop daemons as user hadoop
> *Install Hive 0.7.1*
> #  Explode Hive 0.7.1 tarball
> #  Create user "hive"
> #  Configure Hive to run with remote metastore, and with authentication.  
> Contents of hive-site.xml are:
> {code}
> <configuration>
> <property>
>   <name>hive.metastore.local</name>
>   <value>false</value>
> </property>
> <property>
>   <name>hive.metastore.uris</name>
>   <value>thrift://localhost:9083</value>
> </property>
> <property>
>  <name>hive.security.authorization.enabled</name>
>  <value>true</value>
> </property>
> </configuration>
> {code}
> # Create and open-up the Hive-related directories in HDFS
> hadoop fs -mkdir /user/hive/warehouse
> hadoop fs -chmod -R 777 /user/hive/warehouse
> hadoop fs -mkdir /tmp
> hadoop fs -chmod -R 777 /tmp
> *Run the metastore*
> ./hive --service metastore
> *Run the hive client*
> The exception below is thrown regardless of which user is running the 
> metastore and client (tried as both the hive and hadoop users, and 
> combinations thereof).
> {code}
> ./hive
> hive> set hive.security.authorization.enabled=false;
> hive> CREATE TABLE pokes (foo INT, bar STRING) ROW FORMAT DELIMITED FIELDS 
> TERMINATED BY '-' STORED AS TEXTFILE;
> OK
> hive> LOAD DATA LOCAL INPATH '/tmp/foobar.txt' OVERWRITE INTO TABLE pokes;
> Copying data from file:/tmp/foobar.txt
> Copying file: file:/tmp/foobar.txt
> Loading data to table default.pokes
> Deleted hdfs://localhost:9000/user/hive/warehouse/pokes
> OK
> Time taken: 0.443 seconds
> hive> grant select on table pokes to user hive;
> OK
> Time taken: 0.191 seconds
> hive> set hive.security.authorization.enabled=true;
> hive> show grant user hive on table pokes;
> OK
> database      default 
> table pokes   
> principalName hive    
> principalType USER    
> privilege     Select  
> grantTime     1320642081      
> grantor       hadoop  
> Time taken: 0.084 seconds
> hive> select * from pokes;
> FAILED: Hive Internal Error: 
> org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException:
>  get_privilege_set failed: unknown result)
> org.apache.hadoop.hive.ql.metadata.HiveException: 
> org.apache.thrift.TApplicationException: get_privilege_set failed: unknown 
> result
>       at 
> org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>       at 
> org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>       at 
> org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>       at 
> org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserDBAndTable(DefaultHiveAuthorizationProvider.java:259)
>       at 
> org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorize(DefaultHiveAuthorizationProvider.java:159)
>       at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:531)
>       at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:393)
>       at org.apache.hadoop.hive.ql.Driver.run(Driver.java:736)
>       at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:164)
>       at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:241)
>       at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:456)
>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>       at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>       at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>       at java.lang.reflect.Method.invoke(Method.java:597)
>       at org.apache.hadoop.util.RunJar.main(RunJar.java:156)
> Caused by: org.apache.thrift.TApplicationException: get_privilege_set failed: 
> unknown result
>       at 
> org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_privilege_set(ThriftHiveMetastore.java:2414)
>       at 
> org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_privilege_set(ThriftHiveMetastore.java:2379)
>       at 
> org.apache.hadoop.hive.metastore.HiveMetaStoreClient.get_privilege_set(HiveMetaStoreClient.java:1042)
>       at 
> org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1615)
>       ... 15 more
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira