I figured out a workaround. Instead of making /apps/hive/warehouse permissions 000, make it 222 (only "write" permissions). This satisfies Hive's requirement to be able to write something to that directory when it's creating external tables. (It actually never writes anything there during this process; I think it only checks to make sure the "write" permission exists.) And then the external table is correctly created in the external location, e.g. /user/anastetsky/warehouse.
If a user tries to create an internal table, it will error out for them because Hive requires "execute" permission in order to copy the data into /apps/hive/warehouse.

On Thu, Jan 30, 2014 at 12:00 PM, Alex Nastetsky <anastet...@spryinc.com> wrote:

> Thanks. But if I assign a group of the users to /apps/hive/warehouse then
> they can still create internal tables, which is what I am trying to prevent.
>
> I am on version 0.12.0.2.0.6.0.
>
> On Thu, Jan 30, 2014 at 11:55 AM, Peyman Mohajerian <mohaj...@gmail.com> wrote:
>
>> This is a known issue, it still will write something at
>> '/apps/hive/warehouse',
>> it's best to assign a common group to your hive and hdfs users and assign
>> that group to both of these directories. I heard this issue is fixed in .12
>> or .13, others can confirm.
>>
>> On Thu, Jan 30, 2014 at 8:27 AM, Alex Nastetsky
>> <anastet...@spryinc.com> wrote:
>>
>>> Hi,
>>>
>>> I am trying to enforce all Hive tables to be created with EXTERNAL. The
>>> way I am doing this is by making the location of the warehouse
>>> (/apps/hive/warehouse in my case) to have permissions 000 (completely
>>> inaccessible).
>>>
>>> But then when I try to create an external table, I see that it still
>>> tries to write to /apps/hive/warehouse and, of course, fails:
>>>
>>> hive> CREATE EXTERNAL TABLE mytable(id INT, name STRING) ROW FORMAT
>>> DELIMITED FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS
>>> TEXTFILE LOCATION '/user/anastetsky/warehouse';
>>> Authorization failed:java.security.AccessControlException: action WRITE
>>> not permitted on path hdfs://<hostname>:8020/apps/hive/warehouse for user
>>> anastetsky. Use show grant to get more details.
>>>
>>> What am I missing? Or is there a better way to enforce tables to be
>>> EXTERNAL?
>>>
>>> Thanks in advance,
>>> Alex.
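
A simplified model of the HDFS permission bits discussed in this thread, added as an example and not code from Hive, Hadoop or the posters: it shows why mode 222 satisfies a WRITE check on the warehouse directory while still blocking creation of anything beneath it. The directory owners and groups, the user's group, and the `hdfs` superuser name are assumptions.

```python
# Simplified model of HDFS POSIX-style permission checks (added example, not
# Hive or Hadoop code). Owners, groups and the superuser name are assumptions.
R, W, X = 4, 2, 1
SUPERUSER = "hdfs"  # assumed superuser name; the superuser bypasses all checks


def allowed(entry, user, groups, want):
    """True if `user` holds every bit in `want` on entry (owner, group, mode)."""
    owner, group, mode = entry
    if user == SUPERUSER:
        return True
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def passes_write_check(tree, path, user, groups):
    """The check seen in the thread's error message: WRITE on the warehouse dir."""
    return allowed(tree[path], user, groups, W)


def can_create_child(tree, parent, user, groups):
    """Creating parent/<name> needs EXECUTE on each directory down to `parent`
    (x is required to access a child of a directory) plus WRITE on `parent`."""
    parts = parent.strip("/").split("/")
    prefixes = ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    traversable = all(allowed(tree[p], user, groups, X) for p in prefixes)
    return traversable and allowed(tree[parent], user, groups, W)


def build_tree(warehouse_mode):
    """Constructed directory tree; only the warehouse mode varies."""
    return {
        "/apps": ("hdfs", "hdfs", 0o755),
        "/apps/hive": ("hive", "hadoop", 0o755),
        "/apps/hive/warehouse": ("hive", "hadoop", warehouse_mode),
    }


if __name__ == "__main__":
    wh = "/apps/hive/warehouse"
    for mode in (0o000, 0o222, 0o777):
        t = build_tree(mode)
        print(oct(mode),
              "write-check:", passes_write_check(t, wh, "anastetsky", ["users"]),
              "create-internal:", can_create_child(t, wh, "anastetsky", ["users"]))
```

The superuser branch is a reminder that mode bits alone do not restrict the HDFS superuser, so internal tables created under that identity are not blocked by this setting.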