[jira] [Comment Edited] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request

Fri, 31 Jul 2015 10:57:48 -0700 

    [ 
https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14649546#comment-14649546
 ] 

Thejas M Nair edited comment on HIVE-8954 at 7/31/15 5:56 PM:
--------------------------------------------------------------

[~Alexandre LINTE]
Do you also have following set ? (either via hive-site.xml or 
hiveserver2-site.xml )
{code}
<property>
   <name>hive.security.authorization.enabled</name>
   <value>false</value>
</property>

<property>
   <name>hive.security.authorization.manager</name>
   
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
{code}

Looks like this happens only when StorageBasedAuthorization is enabled at 
compile time.
The recommended place for enabling StorageBasedAuthorization is in hive 
metastore.  [see SBA metastore 
instructions|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]
Setting this for compile time is redundant and not something I would recommend.
I would recommend compile time authorization being enabled only if you want to  
use fine grained authorization such as SQL Standards based authorization or 
Apache Ranger.



was (Author: thejas):
[~Alexandre LINTE]
Do you also have following set ? (either via hive-site.xml or 
hiveserver2-site.xml )
{code}
<property>
   <name>hive.security.authorization.enabled</name>
   <value>false</value>
</property>

<property>
   <name>hive.security.authorization.manager</name>
   
<value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
{code}

> StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT 
> SQL request
> --------------------------------------------------------------------------------------
>
>                 Key: HIVE-8954
>                 URL: https://issues.apache.org/jira/browse/HIVE-8954
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.14.0
>         Environment: centos 6.5 
>            Reporter: LINTE
>
> With hive.security.metastore.authorization.manager set to 
> org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.
> It seem that on a read request, write permissions are check on the HDFS by 
> the metastore.
> sample :
> bash# hive 
> hive (default)> use database;
> OK
> Time taken: 0.747 seconds
> hive (database)> SELECT * FROM  table LIMIT 10;
> FAILED: HiveException java.security.AccessControlException: action WRITE not 
> permitted on path hdfs://cluster/hive_warehouse/database.db/table for user 
> myuser



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to