If I give grants to the user that is specified in my hive-site.xml to connect to the metastore (javax.jdo.option.ConnectionUserName), then I can create tables and such using a remote hive connection. So it seems it is doing the authorization checks against that user, and not the user that is actually logged in?
I thought the actual username was passed along in thrift if authorization was enabled, and that the actual username would be used for authorization. Am I wrong about this?

On Wed, Oct 19, 2011 at 6:01 PM, Koert Kuipers <ko...@tresata.com> wrote:

> Using a normal hive connection and authorization it seems to work for me:
> hive> revoke all on database default from user koert;
> OK
> Time taken: 0.043 seconds
> hive> create table tmp(x string);
> Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show grant to get more details.
> hive> grant all on database default to user koert;
> OK
> Time taken: 0.052 seconds
> hive> create table tmp(x string);
> OK
> Time taken: 0.187 seconds
>
> However when I now switch to a remote connection, it does not work for me:
> [node01:10000] hive> create table tmp123(x string);
> [Hive Error]: Query returned non-zero code: 403, cause: null
>
> The logs for the hive server show:
> Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show grant to get more details.
>
> What am I doing wrong? Both the hive server and my local hive have in their site.xml:
> <property>
>   <name>hive.security.authorization.enabled</name>
>   <value>true</value>
>   <final>true</final>
> </property>
>
> <property>
>   <name>hive.security.authorization.createtable.owner.grants</name>
>   <value>ALL</value>
>   <final>true</final>
> </property>