[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
[ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14699014#comment-14699014 ]

Thejas M Nair commented on HIVE-8954:

[~Alexandre LINTE] I would recommend setting hive.security.authorization.enabled=false and enabling SBA in metastore [see instructions|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server]. Enabling it in metastore is more secure.

When hive.security.authorization.enabled=true and hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider, you are having an additional SBA check during query compile time as well. That is redundant, and hits the bug mentioned in this jira.

StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request

Key: HIVE-8954
URL: https://issues.apache.org/jira/browse/HIVE-8954
Project: Hive
Issue Type: Bug
Components: Authorization
Affects Versions: 0.14.0
Environment: centos 6.5
Reporter: LINTE

With hive.security.metastore.authorization.manager set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider. It seems that on a read request, write permissions are checked on the HDFS by the metastore.

sample :

bash# hive
hive (default)> use database;
OK
Time taken: 0.747 seconds
hive (database)> SELECT * FROM table LIMIT 10;
FAILED: HiveException java.security.AccessControlException: action WRITE not permitted on path hdfs://cluster/hive_warehouse/database.db/table for user myuser

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
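Added example (not part of the JIRA thread and not Hive project code): a small Python check that reads a Hive site file and flags the combination the comment above warns against, plus a missing metastore-side SBA setup. It assumes the client and metastore properties are visible in one file; the pre-event listener property and class come from the linked Hive wiki instructions, not from this thread, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

SBA = "org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider"
# Listener class from the Hive wiki's metastore SBA instructions (not on this page).
LISTENER = "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener"


def load_props(xml_text):
    """Return {name: value} for every <property> in a Hadoop-style site file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def _classes(props, key):
    """Split a comma-separated class list property into trimmed names."""
    return [c.strip() for c in props.get(key, "").split(",") if c.strip()]


def audit_sba(props):
    """List findings for the SBA setup discussed in HIVE-8954."""
    findings = []
    enabled = props.get("hive.security.authorization.enabled", "false").lower() == "true"
    if enabled and SBA in _classes(props, "hive.security.authorization.manager"):
        findings.append("client-side SBA active: redundant compile-time check (HIVE-8954)")
    if SBA not in _classes(props, "hive.security.metastore.authorization.manager"):
        findings.append("metastore SBA provider not configured")
    if LISTENER not in _classes(props, "hive.metastore.pre.event.listeners"):
        findings.append("metastore authorization pre-event listener missing")
    return findings


# Constructed sample: client-side SBA enabled on top of the metastore provider.
SAMPLE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
  <property><name>hive.security.authorization.manager</name><value>%s</value></property>
  <property><name>hive.security.metastore.authorization.manager</name><value>%s</value></property>
</configuration>""" % (SBA, SBA)

if __name__ == "__main__":
    for finding in audit_sba(load_props(SAMPLE)):
        print(finding)
```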
[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
[ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14695234#comment-14695234 ]

LINTE commented on HIVE-8954:

Thejas M Nair, yes I have the same configuration. But I don't activate anything at compile time to enforce StorageBasedAuthorization (maybe I misunderstood what you call compile time).

Regards,
[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
[ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14649546#comment-14649546 ]

Thejas M Nair commented on HIVE-8954:

[~Alexandre LINTE] Do you also have the following set? (either via hive-site.xml or hiveserver2-site.xml)

{code}
<property>
  <name>hive.security.authorization.enabled</name>
  <value>false</value>
</property>
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
{code}