this is what i have tried with a remote metastore:

    > set hive.security.authorization.enabled=false;
hive>
    >
    >
    > drop table src2;
OK
Time taken: 1.002 seconds
hive> create table src2 (key int, value string);
OK
Time taken: 0.03 seconds
hive>
    >
    >
    > set hive.security.authorization.enabled=true;
hive> grant select on table src2 to user heyongqiang;
OK
Time taken: 0.113 seconds
hive> select * from src2;
OK
Time taken: 0.188 seconds
hive> show grant user heyongqiang on table src2;
OK

database default
table src2
principalName heyongqiang
principalType USER
privilege Select
grantTime Wed Aug 24 15:03:51 PDT 2011
grantor heyongqiang

can u do a show grant?

(But with remote metastore, i think hive should not return empty list
instead of null for list_privileges etc.)

On Wed, Aug 24, 2011 at 2:34 PM, Alex Holmes <grep.a...@gmail.com> wrote:
> Authorization works for me with the local metastore. The remote
> metastore works with authorization turned off, but as soon as I turn
> it on and issue any commands I get these exceptions on the hive
> client.
>
> Could you also try the remote metastore please? I'm pretty sure that
> authorization does not work with it at all.
>
> Thanks,
> Alex
>
> On Wed, Aug 24, 2011 at 5:20 PM, yongqiang he <heyongqiang...@gmail.com>
> wrote:
>> I am using local metastore, and can not reproduce the problem.
>>
>> what message did you get when running local metastore?
>>
>> On Wed, Aug 24, 2011 at 1:58 PM, Alex Holmes <grep.a...@gmail.com> wrote:
>>> Thanks for opening a ticket.
>>>
>>> Table-level grants aren't working for me either (HIVE-2405 suggests
>>> that the bug is only related to global grants).
>>>
>>> hive> set hive.security.authorization.enabled=false;
>>> hive> CREATE TABLE pokes (foo INT, bar STRING);
>>> OK
>>> Time taken: 1.245 seconds
>>> hive> LOAD DATA LOCAL INPATH 'hive1.in' OVERWRITE INTO TABLE pokes;
>>> FAILED: Error in semantic analysis: Line 1:23 Invalid path 'hive1.in':
>>> No files matching path file:/app/hadoop/hive-0.7.1/conf/hive1.in
>>> hive> LOAD DATA LOCAL INPATH '/app/hadoop/hive1.in' OVERWRITE INTO TABLE pokes;
>>> Copying data from file:/app/hadoop/hive1.in
>>> Copying file: file:/app/hadoop/hive1.in
>>> Loading data to table default.pokes
>>> Moved to trash: hdfs://localhost:54310/user/hive/warehouse/pokes
>>> OK
>>> Time taken: 0.33 seconds
>>> hive> select * from pokes;
>>> OK
>>> 1 a
>>> 2 b
>>> 3 c
>>> Time taken: 0.095 seconds
>>> hive> grant select on table pokes to user hduser;
>>> OK
>>> Time taken: 0.251 seconds
>>> hive> set hive.security.authorization.enabled=true;
>>> hive> select * from pokes;
>>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>         at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>> ...
>>>
>>> mysql> select * from TBL_PRIVS;
>>> +--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
>>> | TBL_GRANT_ID | CREATE_TIME | GRANT_OPTION | GRANTOR | GRANTOR_TYPE | PRINCIPAL_NAME | PRINCIPAL_TYPE | TBL_PRIV | TBL_ID |
>>> +--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
>>> |            1 |  1314219701 |            0 | hduser  | USER         | hduser         | USER           | Select   |      1 |
>>> +--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
>>>
>>> Also, I noticed in HIVE-2405 that you get a meaningful error message:
>>>
>>> Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show grant to get more details.
>>>
>>> Whereas I just get an exception (as you can see above). Were you also
>>> running with the remote metastore? I get these meaningful messages
>>> with the local metastore (and authorization on), but with the remote
>>> metastore with authorization turned on, I always get exceptions.
>>>
>>> Many thanks,
>>> Alex
>>>
>>> On Wed, Aug 24, 2011 at 3:38 PM, yongqiang he <heyongqiang...@gmail.com>
>>> wrote:
>>>> This is a bug. Will open a jira to fix this. and will backport it to 0.7.1.
>>>> https://issues.apache.org/jira/browse/HIVE-2405
>>>>
>>>> thanks for reporting this one!
>>>>
>>>> On Wed, Aug 24, 2011 at 6:25 AM, Alex Holmes <grep.a...@gmail.com> wrote:
>>>>> I created the mysql database (with the simple create database command)
>>>>> and the remote metastore seemed to create the mysql tables. Here's
>>>>> some grant information and what I see in the database:
>>>>>
>>>>> [hduser@aholmes-desktop conf]$ hive
>>>>> hive> grant all to user hduser;
>>>>> OK
>>>>> Time taken: 0.334 seconds
>>>>> hive> show grant user hduser;
>>>>> OK
>>>>>
>>>>> principalName hduser
>>>>> principalType USER
>>>>> privilege All
>>>>> grantTime 1314191500
>>>>> grantor hduser
>>>>> Time taken: 0.046 seconds
>>>>> hive> CREATE TABLE pokes (foo INT, bar STRING);
>>>>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>>>>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>>         at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorize(DefaultHiveAuthorizationProvider.java:89)
>>>>> ...
>>>>>
>>>>> mysql> use hive;
>>>>> Database changed
>>>>> mysql> select * from GLOBAL_PRIVS;
>>>>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>>>>> | USER_GRANT_ID | CREATE_TIME | GRANT_OPTION | GRANTOR | GRANTOR_TYPE | PRINCIPAL_NAME | PRINCIPAL_TYPE | USER_PRIV |
>>>>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>>>>> |             1 |  1314191500 |            0 | hduser  | USER         | hduser         | USER           | All       |
>>>>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>>>>> 1 row in set (0.00 sec)
>>>>>
>>>>>
>>>>> Thanks for your help,
>>>>> Alex
>>>>>
>>>>> On Tue, Aug 23, 2011 at 1:27 PM, yongqiang he <heyongqiang...@gmail.com>
>>>>> wrote:
>>>>>> Have you created the metastore mysql tables for authorization? Can u
>>>>>> do a show grant?
>>>>>>
>>>>>> thanks
>>>>>> yongqiang
>>>>>> On Tue, Aug 16, 2011 at 2:55 PM, Alex Holmes <grep.a...@gmail.com> wrote:
>>>>>>> Hi all,
>>>>>>>
>>>>>>> I've been struggling with getting Hive authorization to work for a few
>>>>>>> hours, and I really hope someone can help me. I installed Hive 0.7.1
>>>>>>> on top of Hadoop 0.20.203. I'm using mysql for the metastore, and
>>>>>>> configured Hive to enable authorization:
>>>>>>>
>>>>>>> <property>
>>>>>>>   <name>hive.security.authorization.enabled</name>
>>>>>>>   <value>true</value>
>>>>>>>   <description>enable or disable the hive client authorization</description>
>>>>>>> </property>
>>>>>>>
>>>>>>> I kept all the other Hive security configs with their default settings.
>>>>>>>
>>>>>>> I'm running in pseudo-distributed mode on a single node. HDFS, the Hive
>>>>>>> metastore and the Hive CLI are all running as the same user (the HDFS
>>>>>>> superuser). Here is the sequence of steps that are causing me issues.
>>>>>>> Without authorization everything works perfectly (creating, loading, selecting).
>>>>>>> I've also tried creating and loading the table without authorization, granting
>>>>>>> the select privilege at various levels (global, table, database), turning on
>>>>>>> auth and performing the select, resulting in the same exception.
>>>>>>>
>>>>>>> Any help with this would be greatly appreciated!
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Alex
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> [hduser@aholmes-desktop ~]$ hive
>>>>>>> Hive history file=/tmp/hduser/hive_job_log_hduser_201108162158_1976573160.txt
>>>>>>> hive> set hive.security.authorization.enabled=false;
>>>>>>> hive> grant all to user hduser;
>>>>>>> OK
>>>>>>> Time taken: 0.233 seconds
>>>>>>> hive> set hive.security.authorization.enabled=true;
>>>>>>> hive> CREATE TABLE pokes3 (foo INT, bar STRING);
>>>>>>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>>>>>>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>>>>         at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>>>>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>>>>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>>>>>>         at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorize(DefaultHiveAuthorizationProvider.java:89)
>>>>>>>         at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:433)
>>>>>>>         at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:393)
>>>>>>>         at org.apache.hadoop.hive.ql.Driver.run(Driver.java:736)
>>>>>>>         at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:164)
>>>>>>>         at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:241)
>>>>>>>         at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:456)
>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>>         at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>>         at org.apache.hadoop.util.RunJar.main(RunJar.java:156)
>>>>>>> Caused by: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>>>>         at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_privilege_set(ThriftHiveMetastore.java:2414)
>>>>>>>         at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_privilege_set(ThriftHiveMetastore.java:2379)
>>>>>>>         at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.get_privilege_set(HiveMetaStoreClient.java:1042)
>>>>>>>         at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1615)
>>>>>>>         ... 14 more
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>