See https://cwiki.apache.org/confluence/display/Hive/Setting+up+HiveServer2#SettingUpHiveServer2-Impersonation
Alan.

On Tue, Apr 16, 2019 at 10:03 PM Kaidi Zhao <kz...@salesforce.com> wrote:

> Hello!
>
> Did I miss anything here or it is a known issue? Hive 1.2.1, hadoop
> 2.7.x, kerberos, impersonation.
>
> Using hive client, create a hive db and hive table. I can select from this
> table correctly.
> In hdfs, change the table folder's permission to be 711. In hive client, I
> can still select from the table.
> However, if using beeline client (which talks to HS2 I believe), it
> complains about can't read the table folder in hdfs, something like:
>
> Error: Error while compiling statement: FAILED: SemanticException Unable to fetch table fact_app_logs. java.security.AccessControlException: Permission denied: user=hive, access=READ, inode="/data/mydb.db/my_table":myuser:mygroup:drwxr-x--x
>     at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:307)
>     at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:220)
>     at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:190)
>     at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1752)
>     at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1736)
>     at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:1710)
>     at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAccess(FSNamesystem.java:8220)
>     at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.checkAccess(NameNodeRpcServer.java:1932)
>     at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.checkAccess(ClientNamenodeProtocolServerSideTranslatorPB.java:1455)
>     at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
>     at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:616)
>     at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:982)
>     at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2218)
>     at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2214)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1760)
>     at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2212)
> (state=42000,code=40000)
>
> Note, from the log, it says it tries to use user "hive" (instead of my own
> user "myuser") to read the table's folder (the folder is only readable by
> its owner - myuser)
> Again, using hive client I can read the table, but using beeline it can't.
> If I change the folder's permission to 755, then it works.
>
> Why beeline / HS2 needs to use "hive" to read the table's folder?
>
> Thanks in advance.
>
> Kaidi
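The denial quoted above can be read mechanically to see which account reached the NameNode and which permission class it fell into. The following is an added example, not part of the thread or of Hive or Hadoop code; the function names and the group memberships passed in are assumptions, and HDFS ACLs are not modelled.

```python
import re

# Constructed sample: the denial message quoted in the thread, joined onto one line.
SAMPLE = ('Permission denied: user=hive, access=READ, '
          'inode="/data/mydb.db/my_table":myuser:mygroup:drwxr-x--x')

DENIAL = re.compile(
    r'Permission denied: user=(?P<user>[^,\s]+), access=(?P<access>[A-Z_]+), '
    r'inode="(?P<path>[^"]*)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[d-][rwx-]{8}[rwxtT-])')

def parse_denial(line):
    """Return the fields of an HDFS AccessControlException message, or None."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def perm_class(user, user_groups, owner, group):
    """Plain owner/group/other selection (extended ACLs are not modelled)."""
    if user == owner:
        return "owner"
    return "group" if group in user_groups else "other"

def is_allowed(mode, cls, access):
    """Check an FsAction name (READ, READ_EXECUTE, ALL, ...) against the mode bits."""
    start = {"owner": 1, "group": 4, "other": 7}[cls]
    bits = mode[start:start + 3].replace("t", "x")  # sticky bit with execute set
    wanted = "rwx" if access == "ALL" else "".join(
        letter for name, letter in (("READ", "r"), ("WRITE", "w"), ("EXECUTE", "x"))
        if name in access.split("_"))
    return all(ch in bits for ch in wanted)

def diagnose(line, session_user, groups):
    """Compare the account HDFS saw with the account that opened the session."""
    d = parse_denial(line)
    if d is None:
        return None
    def can(user):
        cls = perm_class(user, groups.get(user, set()), d["owner"], d["group"])
        return cls, is_allowed(d["mode"], cls, d["access"])
    caller_cls, caller_ok = can(d["user"])
    _, session_ok = can(session_user)
    return {"caller": d["user"], "caller_class": caller_cls,
            "caller_allowed": caller_ok, "session_user_allowed": session_ok,
            # True when HDFS was contacted by a different account than the session user
            "ran_as_other_account": d["user"] != session_user}
```

A result with `ran_as_other_account` true and `session_user_allowed` true means the request reached HDFS under the service identity rather than the connected user's, which is the behaviour the Impersonation section linked in the reply describes.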