mahesh kumar behera created HIVE-20072:
------------------------------------------
Summary: Write access being requested when performing select on a
table
Key: HIVE-20072
URL: https://issues.apache.org/jira/browse/HIVE-20072
Project: Hive
Issue Type: Bug
Components: HiveServer2
Reporter: mahesh kumar behera
Assignee: mahesh kumar behera
hive.exec.pre.hooks=org.apache.hadoop.hive.ql.hooks.UpdateInputAccessTimeHook$PreExec
along with hive doAs=true
which is causing to perform Alter table operation internally when accessed
Hive table, and results in HiveException with Write access to table directory.
Select access is provided to a table and when performing select * for that
table, below exception is seen.
Steps to reproduce. (with ranger enabled)
1. Create test table
create table lastaccesstime (id int);
2. Enable Hive doAs
3. update
hive.exec.pre.hooks=org.apache.hadoop.hive.ql.hooks.ATSHook,org.apache.hadoop.hive.ql.hooks.UpdateInputAccessTimeHook$PreExec
4. Perform select on table lastaccesstime as non-hive user and exception will
be thrown.
{code:java}
0: jdbc:hive2://c470-node4.squadron-labs.com:> select * from lastaccesstime;
Error: Error while processing statement: FAILED: Hive Internal Error:
org.apache.hadoop.hive.ql.metadata.HiveException(Unable to alter table.
java.security.AccessControlException: Permission denied: user=kafka,
access=WRITE,
inode="/apps/hive/warehouse/testdb.db/lastaccesstime":hive:hadoop:drwxr-x---
at
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:353)
at
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:252)
at
org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer$RangerAccessControlEnforcer.checkDefaultEnforcer(RangerHdfsAuthorizer.java:427)
at
org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer$RangerAccessControlEnforcer.checkPermission(RangerHdfsAuthorizer.java:303)
at
org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:190)
at
org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1950)
at
org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1934)
at
org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:1908)
at
org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAccess(FSNamesystem.java:8800)
at
org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.checkAccess(NameNodeRpcServer.java:2089)
at
org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.checkAccess(ClientNamenodeProtocolServerSideTranslatorPB.java:1466)
at
org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
at
org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:640)
at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:982)
at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2351)
at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2347)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at
org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1869)
at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2347)
) (state=08S01,code=12)
{code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
