Thanks for opening a ticket.

Table-level grants aren't working for me either (HIVE-2405 suggests
that the bug is only related to global grants).

hive> set hive.security.authorization.enabled=false;
hive> CREATE TABLE pokes (foo INT, bar STRING);
OK
Time taken: 1.245 seconds
hive> LOAD DATA LOCAL INPATH 'hive1.in' OVERWRITE INTO TABLE pokes;
FAILED: Error in semantic analysis: Line 1:23 Invalid path 'hive1.in': No files matching path file:/app/hadoop/hive-0.7.1/conf/hive1.in
hive> LOAD DATA LOCAL INPATH '/app/hadoop/hive1.in' OVERWRITE INTO TABLE pokes;
Copying data from file:/app/hadoop/hive1.in
Copying file: file:/app/hadoop/hive1.in
Loading data to table default.pokes
Moved to trash: hdfs://localhost:54310/user/hive/warehouse/pokes
OK
Time taken: 0.33 seconds
hive> select * from pokes;
OK
1       a
2       b
3       c
Time taken: 0.095 seconds
hive> grant select on table pokes to user hduser;
OK
Time taken: 0.251 seconds
hive> set hive.security.authorization.enabled=true;
hive> select * from pokes;
FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
        at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
...

mysql> select * from TBL_PRIVS;
+--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
| TBL_GRANT_ID | CREATE_TIME | GRANT_OPTION | GRANTOR | GRANTOR_TYPE | PRINCIPAL_NAME | PRINCIPAL_TYPE | TBL_PRIV | TBL_ID |
+--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
|            1 |  1314219701 |            0 | hduser  | USER         | hduser         | USER           | Select   |      1 |
+--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+

Also, I noticed in HIVE-2405 that you get a meaningful error message:

  Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show grant to get more details.

Whereas I just get an exception (as you can see above).  Were you also
running with the remote metastore?  I get these meaningful messages
with the local metastore (and authorization on), but with the remote
metastore with authorization turned on, I always get exceptions.

Many thanks,
Alex

On Wed, Aug 24, 2011 at 3:38 PM, yongqiang he <heyongqiang...@gmail.com> wrote:
> This is a bug. Will open a jira to fix this, and will backport it to 0.7.1.
> https://issues.apache.org/jira/browse/HIVE-2405
>
> thanks for reporting this one!
>
> On Wed, Aug 24, 2011 at 6:25 AM, Alex Holmes <grep.a...@gmail.com> wrote:
>> I created the mysql database (with the simple create database command)
>> and the remote metastore seemed to create the mysql tables.  Here's
>> some grant information and what I see in the database:
>>
>> [hduser@aholmes-desktop conf]$ hive
>> hive> grant all to user hduser;
>> OK
>> Time taken: 0.334 seconds
>> hive> show grant user hduser;
>> OK
>>
>> principalName   hduser
>> principalType   USER
>> privilege       All
>> grantTime       1314191500
>> grantor hduser
>> Time taken: 0.046 seconds
>> hive> CREATE TABLE pokes (foo INT, bar STRING);
>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>        at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorize(DefaultHiveAuthorizationProvider.java:89)
>> ...
>>
>> mysql> use hive;
>> Database changed
>> mysql> select * from GLOBAL_PRIVS;
>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>> | USER_GRANT_ID | CREATE_TIME | GRANT_OPTION | GRANTOR | GRANTOR_TYPE | PRINCIPAL_NAME | PRINCIPAL_TYPE | USER_PRIV |
>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>> |             1 |  1314191500 |            0 | hduser  | USER         | hduser         | USER           | All       |
>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>> 1 row in set (0.00 sec)
>>
>>
>> Thanks for your help,
>> Alex
>>
>> On Tue, Aug 23, 2011 at 1:27 PM, yongqiang he <heyongqiang...@gmail.com> wrote:
>>> Have you created the metastore mysql tables for authorization? Can u
>>> do a show grant?
>>>
>>> thanks
>>> yongqiang
>>> On Tue, Aug 16, 2011 at 2:55 PM, Alex Holmes <grep.a...@gmail.com> wrote:
>>>> Hi all,
>>>>
>>>> I've been struggling with getting Hive authorization to work for a few
>>>> hours, and I really hope someone can help me.  I installed Hive 0.7.1
>>>> on top of Hadoop 0.20.203.  I'm using mysql for the metastore, and
>>>> configured Hive to enable authorization:
>>>>
>>>> <property>
>>>>  <name>hive.security.authorization.enabled</name>
>>>>  <value>true</value>
>>>>  <description>enable or disable the hive client authorization</description>
>>>> </property>
>>>>
>>>> I kept all the other Hive security configs with their default settings.
>>>>
>>>> I'm running in pseudo-distributed mode on a single node.  HDFS, the Hive
>>>> metastore and the Hive CLI are all running as the same user (the HDFS
>>>> superuser).  Here is the sequence of steps that are causing me issues.
>>>> Without authorization everything works perfectly (creating, loading,
>>>> selecting).  I've also tried creating and loading the table without
>>>> authorization, granting the select privilege at various levels (global,
>>>> table, database), turning on auth and performing the select, resulting
>>>> in the same exception.
>>>>
>>>> Any help with this would be greatly appreciated!
>>>>
>>>> Thanks,
>>>> Alex
>>>>
>>>> --
>>>>
>>>> [hduser@aholmes-desktop ~]$ hive
>>>> Hive history file=/tmp/hduser/hive_job_log_hduser_201108162158_1976573160.txt
>>>> hive> set hive.security.authorization.enabled=false;
>>>> hive> grant all to user hduser;
>>>> OK
>>>> Time taken: 0.233 seconds
>>>> hive> set hive.security.authorization.enabled=true;
>>>> hive> CREATE TABLE pokes3 (foo INT, bar STRING);
>>>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>>>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>        at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>>>        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>>>        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>>>        at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorize(DefaultHiveAuthorizationProvider.java:89)
>>>>        at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:433)
>>>>        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:393)
>>>>        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:736)
>>>>        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:164)
>>>>        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:241)
>>>>        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:456)
>>>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>>>        at org.apache.hadoop.util.RunJar.main(RunJar.java:156)
>>>> Caused by: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_privilege_set(ThriftHiveMetastore.java:2414)
>>>>        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_privilege_set(ThriftHiveMetastore.java:2379)
>>>>        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.get_privilege_set(HiveMetaStoreClient.java:1042)
>>>>        at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1615)
>>>>        ... 14 more
>>>>
>>>
>>
>
