I hope you don't mind me cc'ing user-group so that this q&a is available for others as well.
The grant/revoke based authorization models (including the new SQL-standards based authorization in Hive 0.13) do not automatically ensure that the user has the necessary privileges on HDFS dirs and files. To have this model work with HDFS, the usual strategy is to have all users go through HiveServer2. HiveServer2 is configured with hive.server2.doAs=false, and then you give permissions on HDFS to the user HiveServer2 is running as.

On Sun, Jun 15, 2014 at 8:27 PM, Apple Wang <apple.wang...@gmail.com> wrote:

> Hi, Thejas
>
> I'm a user of Hive and I'm confused with Hive authorization under HDFS permissions. I know you are an expert on it. Could you please help me with the following problems?
>
> I have enabled Hive authorization in my testing cluster (Hive 0.12). I use the user hive to create database hivedb and grant create privilege on hivedb to user root.
>
> But I come across the following problem: root can not create a table in hivedb even though it has the create privilege.
>
> FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=root, access=WRITE, inode="/tmp/user/hive/warehouse/hivedb.db":hive:hadoop:drwxr-xr-x
> at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:234)
> at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:214)
> at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:158)
> at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:5499)
> at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:5481)
> at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAncestorAccess(FSNamesystem.java:5455)
> at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInternal(FSNamesystem.java:3455)
> at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInt(FSNamesystem.java:3425)
> at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirs(FSNamesystem.java:3397)
> at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.mkdirs(NameNodeRpcServer.java:724)
> at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.mkdirs(ClientNamenodeProtocolServerSideTranslatorPB.java:502)
> at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java:48089)
> at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:585)
> at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:928)
> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2048)
> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2044)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:396)
> at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
> at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2042)
>
> It is obvious that the hivedb.db directory in HDFS is not allowed to be written to by other users. So how does Hive authorization work under the HDFS permissions?
>
> PS. If I create a table as user hive and grant update privilege to user root, the same error comes up if I load data into the table as root.
>
> Looking forward to your reply!
>
> Thanks
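The exchange above turns on two separate checks: Hive's grant table says yes, and then the NameNode runs its own owner/group/other mode check on the warehouse directory against whatever identity HiveServer2 presents. The following Python is an added illustration, not code from the thread or from the Hive project: it parses the AccessControlException line quoted above, replays the HDFS mode-bit check for a given user, and shows how hive.server2.doAs changes the identity HDFS sees. The group memberships (root in group root, the hive service user in group hadoop) are assumptions for the demo; the owner, group and mode come from the inode string in the error. Only plain mode bits are modelled, not HDFS ACLs.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample: the HDFS denial quoted in the thread, trimmed to the one line that matters.
SAMPLE_DENIAL = (
    "org.apache.hadoop.security.AccessControlException Permission denied: "
    "user=root, access=WRITE, "
    'inode="/tmp/user/hive/warehouse/hivedb.db":hive:hadoop:drwxr-xr-x'
)

# Shape of the NameNode message: user=<u>, access=<A>, inode="<path>":<owner>:<group>:<mode>
DENIAL_RE = re.compile(
    r"Permission denied: user=(?P<user>[^,\s]+), access=(?P<access>[A-Z_]+), "
    r'inode="(?P<path>[^"]+)":(?P<owner>[^:\s]+):(?P<group>[^:\s]+):(?P<mode>[-dl][rwxstT-]{9})'
)


@dataclass(frozen=True)
class Denial:
    user: str
    access: str
    path: str
    owner: str
    group: str
    mode: str


def parse_denial(line: str) -> Denial:
    """Extract who was denied, what they asked for, and the inode's owner/group/mode."""
    m = DENIAL_RE.search(line)
    if m is None:
        raise ValueError("not an HDFS AccessControlException line")
    return Denial(**m.groupdict())


# Requested access -> permission bit inside an rwx triple.
_BIT = {"READ": "r", "WRITE": "w", "EXECUTE": "x"}


def applicable_triple(d: Denial, user: str, groups: Iterable[str]) -> str:
    """HDFS picks exactly one triple: owner if the user owns the inode, else group
    if the user is in the inode's group, else other."""
    if user == d.owner:
        return "owner"
    if d.group in set(groups):
        return "group"
    return "other"


def hdfs_allows(d: Denial, user: str, groups: Iterable[str], access: Optional[str] = None) -> bool:
    """Replay the NameNode's POSIX-style mode check (plain bits only, no ACL entries)."""
    bit = _BIT[access or d.access]
    perms = d.mode[1:]  # drop the file-type character ('d', 'l' or '-')
    offset = {"owner": 0, "group": 3, "other": 6}[applicable_triple(d, user, groups)]
    return bit in perms[offset:offset + 3]


def effective_hdfs_user(session_user: str, hiveserver2_user: str, do_as: bool) -> str:
    """Identity HiveServer2 presents to HDFS: the connecting user when
    hive.server2.doAs=true, the service account when it is false."""
    return session_user if do_as else hiveserver2_user


def diagnose(line: str, session_user: str, groups_of: Dict[str, Iterable[str]],
             hiveserver2_user: str = "hive", do_as: bool = True) -> dict:
    """Explain a denial and predict whether the same statement would pass under `do_as`."""
    d = parse_denial(line)
    user = effective_hdfs_user(session_user, hiveserver2_user, do_as)
    groups = tuple(groups_of.get(user, ()))
    return {
        "path": d.path,
        "denied_user": d.user,
        "effective_hdfs_user": user,
        "would_pass": hdfs_allows(d, user, groups),
        "reason": f"{applicable_triple(d, user, groups)} triple of {d.mode} decides {d.access}",
    }


if __name__ == "__main__":
    # Assumed group memberships for the demo: root is not in 'hadoop'; the hive service user is.
    groups = {"root": ("root",), "hive": ("hadoop",)}
    print(diagnose(SAMPLE_DENIAL, "root", groups, do_as=True))   # denied, as in the thread
    print(diagnose(SAMPLE_DENIAL, "root", groups, do_as=False))  # passes: HDFS sees 'hive'
```

Two things the replay makes visible. First, a Unix user called root is not special to HDFS; the only HDFS superuser is the identity the NameNode process runs as, so root lands in the "other" triple of drwxr-xr-x and loses WRITE just like anyone else. Second, once hive.server2.doAs=false is set, every statement reaches the warehouse as the service user, so Hive's own grant/revoke becomes the only gate between users and those directories; keeping the warehouse writable only by that service account is what makes the grant model meaningful.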