[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
[ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14699014#comment-14699014 ] Thejas M Nair commented on HIVE-8954: - [~Alexandre LINTE] I would recommend setting hive.security.authorization.enabled=false and enabling SBA in metastore [see instructions|https://cwiki.apache.org/confluence/display/Hive/Storage+Based+Authorization+in+the+Metastore+Server] . Enabling it in metastore is more secure. When hive.security.authorization.enabled=true and hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider, you are having an additional SBA check during query compile time as well. That is redundant, and hits the bug mentioned in this jira. StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request -- Key: HIVE-8954 URL: https://issues.apache.org/jira/browse/HIVE-8954 Project: Hive Issue Type: Bug Components: Authorization Affects Versions: 0.14.0 Environment: centos 6.5 Reporter: LINTE With hive.security.metastore.authorization.manager set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider. It seem that on a read request, write permissions are check on the HDFS by the metastore. sample : bash# hive hive (default) use database; OK Time taken: 0.747 seconds hive (database) SELECT * FROM table LIMIT 10; FAILED: HiveException java.security.AccessControlException: action WRITE not permitted on path hdfs://cluster/hive_warehouse/database.db/table for user myuser -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
[ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14695234#comment-14695234 ] LINTE commented on HIVE-8954: - Thejas M Nair, yes I have the same configuration. But I don't activate anything at compile time to enforce StorageBasedAuthorization (maybe I misunderstood what you call compile time). Regards, StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request -- Key: HIVE-8954 URL: https://issues.apache.org/jira/browse/HIVE-8954 Project: Hive Issue Type: Bug Components: Authorization Affects Versions: 0.14.0 Environment: centos 6.5 Reporter: LINTE With hive.security.metastore.authorization.manager set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider. It seem that on a read request, write permissions are check on the HDFS by the metastore. sample : bash# hive hive (default) use database; OK Time taken: 0.747 seconds hive (database) SELECT * FROM table LIMIT 10; FAILED: HiveException java.security.AccessControlException: action WRITE not permitted on path hdfs://cluster/hive_warehouse/database.db/table for user myuser -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
[
https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14649546#comment-14649546
]
Thejas M Nair commented on HIVE-8954:
-
[~Alexandre LINTE]
Do you also have following set ? (either via hive-site.xml or
hiveserver2-site.xml )
{code}
property
namehive.security.authorization.enabled/name
valuefalse/value
/property
property
namehive.security.authorization.manager/name
valueorg.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider/value
/property
{code}
StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT
SQL request
--
Key: HIVE-8954
URL: https://issues.apache.org/jira/browse/HIVE-8954
Project: Hive
Issue Type: Bug
Components: Authorization
Affects Versions: 0.14.0
Environment: centos 6.5
Reporter: LINTE
With hive.security.metastore.authorization.manager set to
org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.
It seem that on a read request, write permissions are check on the HDFS by
the metastore.
sample :
bash# hive
hive (default) use database;
OK
Time taken: 0.747 seconds
hive (database) SELECT * FROM table LIMIT 10;
FAILED: HiveException java.security.AccessControlException: action WRITE not
permitted on path hdfs://cluster/hive_warehouse/database.db/table for user
myuser
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
