[ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14699014#comment-14699014 ]

Thejas M Nair commented on HIVE-8954:
-------------------------------------

[~Alexandre LINTE] I would recommend setting 
hive.security.authorization.enabled=false and enabling SBA in metastore [see 
instructions|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server].
Enabling it in metastore is more secure. When 
hive.security.authorization.enabled=true and 
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,
you are having an additional SBA check during query compile time as well. That 
is redundant, and hits the bug mentioned in this jira.


> StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT 
> SQL request
> --------------------------------------------------------------------------------------
>
>                 Key: HIVE-8954
>                 URL: https://issues.apache.org/jira/browse/HIVE-8954
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.14.0
>         Environment: centos 6.5 
>            Reporter: LINTE
>
> With hive.security.metastore.authorization.manager set to 
> org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,
> it seems that on a read request, write permissions are checked on the HDFS by 
> the metastore.
> sample :
> bash# hive 
> hive (default)> use database;
> OK
> Time taken: 0.747 seconds
> hive (database)> SELECT * FROM  table LIMIT 10;
> FAILED: HiveException java.security.AccessControlException: action WRITE not 
> permitted on path hdfs://cluster/hive_warehouse/database.db/table for user 
> myuser



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
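
Added example, not part of the original message or of Hive's own code: a small audit of a hive-site.xml for the setup the comment describes, flagging the redundant compile-time SBA check and confirming that SBA is enabled on the metastore side. The function names, finding labels and both sample configurations are constructed for illustration; the pre-event listener property is taken from the Hive metastore SBA setup and is not mentioned in the message itself, and a single shared hive-site.xml is assumed.

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.hadoop.hive.ql.security.authorization."
SBA = PKG + "StorageBasedAuthorizationProvider"
LISTENER = PKG + "AuthorizationPreEventListener"

def load_props(xml_text):
    """Parse hive-site.xml text into a {name: value} dict."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    return props

def has(props, key, cls):
    """True if cls is one of the comma-separated classes configured under key."""
    return cls in [s.strip() for s in props.get(key, "").split(",")]

def audit_sba(props):
    """Return finding labels (hypothetical names) for the SBA setup."""
    findings = []
    # hive.security.authorization.enabled defaults to false when unset.
    enabled = props.get("hive.security.authorization.enabled", "false").lower() == "true"
    if enabled and has(props, "hive.security.authorization.manager", SBA):
        findings.append("redundant-compile-time-sba")  # the case that hits HIVE-8954
    if not has(props, "hive.security.metastore.authorization.manager", SBA):
        findings.append("metastore-sba-missing")
    if not has(props, "hive.metastore.pre.event.listeners", LISTENER):
        findings.append("metastore-pre-event-listener-missing")
    return findings

def render(props):
    """Build a constructed hive-site.xml document from a dict (sample data only)."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

METASTORE_SIDE = {"hive.security.metastore.authorization.manager": SBA,
                  "hive.metastore.pre.event.listeners": LISTENER}
# Constructed samples: SBA also enabled at compile time, then the recommended form.
BEFORE = render({"hive.security.authorization.enabled": "true",
                 "hive.security.authorization.manager": SBA, **METASTORE_SIDE})
AFTER = render({"hive.security.authorization.enabled": "false", **METASTORE_SIDE})

if __name__ == "__main__":
    for label, xml_text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sba(load_props(xml_text)))
```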
