[ https://issues.apache.org/jira/browse/HIVE-5542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sushanth Sowmyan updated HIVE-5542: ----------------------------------- Description: When switching client-side authorization from the now deprecated HdfsAuthorizationProvider to StorageBasedAuthorizationProvider (SBAP), we noticed an issue while testing. Basically, if, say, webhcat were running as user "hcat" on a secure cluster, and we run the following after authenticating as user hrt_qa, the DDL request fails, and the authorization error reports the WRITE check on the warehouse path for the service user hcat rather than for the authenticated caller hrt_qa: {noformat} $ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa $ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}" http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a {noformat} {noformat} {"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375) at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273) at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135) at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139) at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93) at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105) at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63) at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83) at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243) at 
org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444) at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342) at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977) at org.apache.hadoop.hive.ql.Driver.run(Driver.java:888) at org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43) at org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251) at org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205) at org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.apache.hadoop.util.RunJar.main(RunJar.java:212) Caused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351) at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308) at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270) ... 20 more ","error":"FAILED: AuthorizationException java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"} {noformat} was: When switching client-side authorization from the now deprecated HdfsAuthorizationProvider to SBAP, we noticed an issue while testing. 
Basically, if, say webhcat were running as user "hcat" on a secure cluster, and we run the following: {noformat} $ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa $ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}" http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a {noformat} {noformat} {"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat\n\tat org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375)\n\tat org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273)\n\tat org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135)\n\tat org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139)\n\tat org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93)\n\tat org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105)\n\tat org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63)\n\tat org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83)\n\tat org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243)\n\tat org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444)\n\tat org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342)\n\tat org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977)\n\tat 
org.apache.hadoop.hive.ql.Driver.run(Driver.java:888)\n\tat org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43)\n\tat org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251)\n\tat org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205)\n\tat org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)\n\tat sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)\n\tat sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)\n\tat java.lang.reflect.Method.invoke(Method.java:597)\n\tat org.apache.hadoop.util.RunJar.main(RunJar.java:212)\nCaused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat\n\tat org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351)\n\tat org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308)\n\tat org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270)\n\t... 
20 more\n","error":"FAILED: AuthorizationException java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"} {noformat} > Webhcat is failing to run ddl command on a secure cluster > --------------------------------------------------------- > > Key: HIVE-5542 > URL: https://issues.apache.org/jira/browse/HIVE-5542 > Project: Hive > Issue Type: Bug > Components: Authentication, WebHCat > Affects Versions: 0.12.0 > Reporter: Sushanth Sowmyan > Assignee: Sushanth Sowmyan > > When switching client-side authorization from the now deprecated > HdfsAuthorizationProvider to SBAP, we noticed an issue while testing. > Basically, if, say webhcat were running as user "hcat" on a secure cluster, > and we run the following: > {noformat} > $ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa > $ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d > "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}" > http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a > {noformat} > {noformat} > {"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException: > java.security.AccessControlException: action WRITE not permitted on path > hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat > at > org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375) > at > org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273) > at > org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135) > at > org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139) > at > 
org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93) > at > org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105) > at > org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63) > at > org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83) > at > org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243) > at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444) > at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342) > at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977) > at org.apache.hadoop.hive.ql.Driver.run(Driver.java:888) > at org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43) > at org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251) > at org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205) > at org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) > at java.lang.reflect.Method.invoke(Method.java:597) > at org.apache.hadoop.util.RunJar.main(RunJar.java:212) > Caused by: java.security.AccessControlException: action WRITE not permitted > on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat > at > org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351) > at > org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308) > at > 
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270) > ... 20 more > ","error":"FAILED: AuthorizationException > java.security.AccessControlException: action WRITE not permitted on path > hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user > hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"} > {noformat} -- This message was sent by Atlassian JIRA (v6.1#6144)