Henning Kropp created RANGER-820:
------------------------------------
Summary: RangerHiveAuthorizer Ignores HDFS Policies for Creation
of Objects
Key: RANGER-820
URL: https://issues.apache.org/jira/browse/RANGER-820
Project: Ranger
Issue Type: Bug
Components: plugins
Affects Versions: ranger
Environment: HiveServer2
Reporter: Henning Kropp
RangerHiveAuthorizer uses method {{isURIAccessAllowed}} during the creation of
new objects ({{.isEmpty(inputHObjs)}}) which relies solely on {{FileUtil}} and
{{FileStatus}} to check whether the user has the required FS in the hierarchy
rights or not.
If following best practices a folder is for example owned by hdfs and only the
hdfs user is given RWX access it is impossible for any user to create an
external table in that folder through HS2, even if given access privileges by
Ranger policies.
Resulting exception:
{{Caused by:
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
Permission denied: user [user] does not have [READ] privilege on
[hdfs://path/...]
at
org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:249)
at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:779)
at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:574)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:468)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1116)
at
org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:110)
... 15 more}}
Workaround: Use Hive CLI
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
