what is your unix name on that machine? can u do a whoami?
On Thu, Aug 25, 2011 at 5:15 PM, Alex Holmes <grep.a...@gmail.com> wrote:
> Here's the hive-site.xml file (I use the same file for both the client
> and remote metastore). We're using mysql as the metastore DB.
>
>
> <?xml version="1.0"?>
> <?xml-stylesheet type="text/xsl" href="configuration.xsl"?>
> <configuration>
>   <property>
>     <name>hive.security.authorization.enabled</name>
>     <value>true</value>
>   </property>
>   <property>
>     <name>hive.metastore.local</name>
>     <value>false</value>
>   </property>
>   <property>
>     <name>hive.metastore.uris</name>
>     <value>thrift://localhost:9083</value>
>   </property>
>   <property>
>     <name>javax.jdo.option.ConnectionURL</name>
>     <value>jdbc:mysql://localhost/hive?createDatabaseIfNotExist=true</value>
>   </property>
>   <property>
>     <name>javax.jdo.option.ConnectionDriverName</name>
>     <value>com.mysql.jdbc.Driver</value>
>   </property>
>   <property>
>     <name>javax.jdo.option.ConnectionUserName</name>
>     <value>hive</value>
>   </property>
>   <property>
>     <name>javax.jdo.option.ConnectionPassword</name>
>     <value>secret</value>
>   </property>
> </configuration>
>
>
>
> On Wed, Aug 24, 2011 at 6:06 PM, yongqiang he <heyongqiang...@gmail.com>
> wrote:
>> this is what i have tried with a remote metastore:
>>
>>     > set hive.security.authorization.enabled=false;
>> hive>
>>     >
>>     >
>>     > drop table src2;
>> OK
>> Time taken: 1.002 seconds
>> hive> create table src2 (key int, value string);
>> OK
>> Time taken: 0.03 seconds
>> hive>
>>     >
>>     >
>>     > set hive.security.authorization.enabled=true;
>> hive> grant select on table src2 to user heyongqiang;
>> OK
>> Time taken: 0.113 seconds
>> hive> select * from src2;
>> OK
>> Time taken: 0.188 seconds
>> hive> show grant user heyongqiang on table src2;
>> OK
>>
>> database default
>> table src2
>> principalName heyongqiang
>> principalType USER
>> privilege Select
>> grantTime Wed Aug 24 15:03:51 PDT 2011
>> grantor heyongqiang
>>
>> can u do a show grant?
>>
>> (But with remote metastore, i think hive should not return empty list
>> instead of null for list_privileges etc.)
>>
>>
>>
>> On Wed, Aug 24, 2011 at 2:34 PM, Alex Holmes <grep.a...@gmail.com> wrote:
>>> Authorization works for me with the local metastore. The remote
>>> metastore works with authorization turned off, but as soon as I turn
>>> it on and issue any commands I get these exceptions on the hive
>>> client.
>>>
>>> Could you also try the remote metastore please? I'm pretty sure that
>>> authorization does not work with it at all.
>>>
>>> Thanks,
>>> Alex
>>>
>>> On Wed, Aug 24, 2011 at 5:20 PM, yongqiang he <heyongqiang...@gmail.com>
>>> wrote:
>>>> I am using local metastore, and can not reproduce the problem.
>>>>
>>>> what message did you get when running local metastore?
>>>>
>>>> On Wed, Aug 24, 2011 at 1:58 PM, Alex Holmes <grep.a...@gmail.com> wrote:
>>>>> Thanks for opening a ticket.
>>>>>
>>>>> Table-level grants aren't working for me either (HIVE-2405 suggests
>>>>> that the bug is only related to global grants).
>>>>>
>>>>> hive> set hive.security.authorization.enabled=false;
>>>>> hive> CREATE TABLE pokes (foo INT, bar STRING);
>>>>> OK
>>>>> Time taken: 1.245 seconds
>>>>> hive> LOAD DATA LOCAL INPATH 'hive1.in' OVERWRITE INTO TABLE pokes;
>>>>> FAILED: Error in semantic analysis: Line 1:23 Invalid path 'hive1.in': No files matching path file:/app/hadoop/hive-0.7.1/conf/hive1.in
>>>>> hive> LOAD DATA LOCAL INPATH '/app/hadoop/hive1.in' OVERWRITE INTO TABLE pokes;
>>>>> Copying data from file:/app/hadoop/hive1.in
>>>>> Copying file: file:/app/hadoop/hive1.in
>>>>> Loading data to table default.pokes
>>>>> Moved to trash: hdfs://localhost:54310/user/hive/warehouse/pokes
>>>>> OK
>>>>> Time taken: 0.33 seconds
>>>>> hive> select * from pokes;
>>>>> OK
>>>>> 1 a
>>>>> 2 b
>>>>> 3 c
>>>>> Time taken: 0.095 seconds
>>>>> hive> grant select on table pokes to user hduser;
>>>>> OK
>>>>> Time taken: 0.251 seconds
>>>>> hive> set hive.security.authorization.enabled=true;
>>>>> hive> select * from pokes;
>>>>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>>>>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>>     at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>>>>     ...
>>>>>
>>>>> mysql> select * from TBL_PRIVS;
>>>>> +--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
>>>>> | TBL_GRANT_ID | CREATE_TIME | GRANT_OPTION | GRANTOR | GRANTOR_TYPE | PRINCIPAL_NAME | PRINCIPAL_TYPE | TBL_PRIV | TBL_ID |
>>>>> +--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
>>>>> |            1 |  1314219701 |            0 | hduser  | USER         | hduser         | USER           | Select   |      1 |
>>>>> +--------------+-------------+--------------+---------+--------------+----------------+----------------+----------+--------+
>>>>>
>>>>> Also, I noticed in HIVE-2405 that you get a meaningful error message:
>>>>>
>>>>> Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show grant to get more details.
>>>>>
>>>>> Whereas I just get an exception (as you can see above). Were you also
>>>>> running with the remote metastore? I get these meaningful messages
>>>>> with the local metastore (and authorization on), but with the remote
>>>>> metastore with authorization turned on, I always get exceptions.
>>>>>
>>>>> Many thanks,
>>>>> Alex
>>>>>
>>>>> On Wed, Aug 24, 2011 at 3:38 PM, yongqiang he <heyongqiang...@gmail.com>
>>>>> wrote:
>>>>>> This is a bug. Will open a jira to fix this. and will backport it to
>>>>>> 0.7.1.
>>>>>> https://issues.apache.org/jira/browse/HIVE-2405
>>>>>>
>>>>>> thanks for reporting this one!
>>>>>>
>>>>>> On Wed, Aug 24, 2011 at 6:25 AM, Alex Holmes <grep.a...@gmail.com> wrote:
>>>>>>> I created the mysql database (with the simple create database command)
>>>>>>> and the remote metastore seemed to create the mysql tables.
>>>>>>> Here's some grant information and what I see in the database:
>>>>>>>
>>>>>>> [hduser@aholmes-desktop conf]$ hive
>>>>>>> hive> grant all to user hduser;
>>>>>>> OK
>>>>>>> Time taken: 0.334 seconds
>>>>>>> hive> show grant user hduser;
>>>>>>> OK
>>>>>>>
>>>>>>> principalName hduser
>>>>>>> principalType USER
>>>>>>> privilege All
>>>>>>> grantTime 1314191500
>>>>>>> grantor hduser
>>>>>>> Time taken: 0.046 seconds
>>>>>>> hive> CREATE TABLE pokes (foo INT, bar STRING);
>>>>>>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>>>>>>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>>>>     at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorize(DefaultHiveAuthorizationProvider.java:89)
>>>>>>>     ...
>>>>>>>
>>>>>>> mysql> use hive;
>>>>>>> Database changed
>>>>>>> mysql> select * from GLOBAL_PRIVS;
>>>>>>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>>>>>>> | USER_GRANT_ID | CREATE_TIME | GRANT_OPTION | GRANTOR | GRANTOR_TYPE | PRINCIPAL_NAME | PRINCIPAL_TYPE | USER_PRIV |
>>>>>>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>>>>>>> |             1 |  1314191500 |            0 | hduser  | USER         | hduser         | USER           | All       |
>>>>>>> +---------------+-------------+--------------+---------+--------------+----------------+----------------+-----------+
>>>>>>> 1 row in set (0.00 sec)
>>>>>>>
>>>>>>>
>>>>>>> Thanks for your help,
>>>>>>> Alex
>>>>>>>
>>>>>>> On Tue, Aug 23, 2011 at 1:27 PM, yongqiang he
>>>>>>> <heyongqiang...@gmail.com> wrote:
>>>>>>>> Have you created the metastore mysql tables for authorization? Can u
>>>>>>>> do a show grant?
>>>>>>>>
>>>>>>>> thanks
>>>>>>>> yongqiang
>>>>>>>> On Tue, Aug 16, 2011 at 2:55 PM, Alex Holmes <grep.a...@gmail.com>
>>>>>>>> wrote:
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> I've been struggling with getting Hive authorization to work for a few
>>>>>>>>> hours, and I really hope someone can help me. I installed Hive 0.7.1
>>>>>>>>> on top of Hadoop 0.20.203. I'm using mysql for the metastore, and
>>>>>>>>> configured Hive to enable authorization:
>>>>>>>>>
>>>>>>>>> <property>
>>>>>>>>>   <name>hive.security.authorization.enabled</name>
>>>>>>>>>   <value>true</value>
>>>>>>>>>   <description>enable or disable the hive client authorization</description>
>>>>>>>>> </property>
>>>>>>>>>
>>>>>>>>> I kept all the other Hive security configs with their default
>>>>>>>>> settings.
>>>>>>>>>
>>>>>>>>> I'm running in pseudo-distributed mode on a single node. HDFS, the
>>>>>>>>> Hive metastore and the Hive CLI are all running as the same user
>>>>>>>>> (the HDFS superuser).
>>>>>>>>> Here are the sequence of steps that are causing me issues.
>>>>>>>>> Without authorization everything works perfectly (creating, loading,
>>>>>>>>> selecting).
>>>>>>>>> I've also tried creating and loading the table without authorization,
>>>>>>>>> granting the select privilege at various levels (global, table,
>>>>>>>>> database), turning on auth and performing the select, resulting in
>>>>>>>>> the same exception.
>>>>>>>>>
>>>>>>>>> Any help with this would be greatly appreciated!
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Alex
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>> [hduser@aholmes-desktop ~]$ hive
>>>>>>>>> Hive history file=/tmp/hduser/hive_job_log_hduser_201108162158_1976573160.txt
>>>>>>>>> hive> set hive.security.authorization.enabled=false;
>>>>>>>>> hive> grant all to user hduser;
>>>>>>>>> OK
>>>>>>>>> Time taken: 0.233 seconds
>>>>>>>>> hive> set hive.security.authorization.enabled=true;
>>>>>>>>> hive> CREATE TABLE pokes3 (foo INT, bar STRING);
>>>>>>>>> FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
>>>>>>>>> org.apache.hadoop.hive.ql.metadata.HiveException: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>>>>>>     at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1617)
>>>>>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserPriv(DefaultHiveAuthorizationProvider.java:201)
>>>>>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorizeUserAndDBPriv(DefaultHiveAuthorizationProvider.java:226)
>>>>>>>>>     at org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider.authorize(DefaultHiveAuthorizationProvider.java:89)
>>>>>>>>>     at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:433)
>>>>>>>>>     at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:393)
>>>>>>>>>     at org.apache.hadoop.hive.ql.Driver.run(Driver.java:736)
>>>>>>>>>     at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:164)
>>>>>>>>>     at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:241)
>>>>>>>>>     at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:456)
>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>>>>>     at org.apache.hadoop.util.RunJar.main(RunJar.java:156)
>>>>>>>>> Caused by: org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result
>>>>>>>>>     at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_privilege_set(ThriftHiveMetastore.java:2414)
>>>>>>>>>     at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_privilege_set(ThriftHiveMetastore.java:2379)
>>>>>>>>>     at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.get_privilege_set(HiveMetaStoreClient.java:1042)
>>>>>>>>>     at org.apache.hadoop.hive.ql.metadata.Hive.get_privilege_set(Hive.java:1615)
>>>>>>>>>     ... 14 more
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
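
The thread distinguishes a clean denial ("Authorization failed: ...") from the internal error raised when the privilege lookup itself fails with authorization turned on. As an added example (not part of any message in this thread), the Python below classifies each statement of a Hive CLI transcript that way; the sample session is constructed from outputs quoted above, the function names are hypothetical, and statements are assumed to fit on one prompt line.

```python
import re

# Constructed sample: a shortened CLI session assembled from outputs quoted in the thread.
SAMPLE = """\
hive> set hive.security.authorization.enabled=false;
hive> grant select on table pokes to user hduser;
OK
Time taken: 0.251 seconds
hive> set hive.security.authorization.enabled=true;
hive> select * from pokes;
FAILED: Hive Internal Error: org.apache.hadoop.hive.ql.metadata.HiveException(org.apache.thrift.TApplicationException: get_privilege_set failed: unknown result)
hive> CREATE TABLE pokes (foo INT, bar STRING);
Authorization failed:No privilege 'Create' found for outputs { database:default}. Use show grant to get more details.
"""

PROMPT = re.compile(r"^hive>\s*(.*?);?\s*$")
AUTHZ_SET = re.compile(
    r"^set\s+hive\.security\.authorization\.enabled\s*=\s*(true|false)$", re.I)

def classify(out):
    """Map the output lines of one statement to an outcome label."""
    text = "\n".join(out)
    if "get_privilege_set failed: unknown result" in text:
        return "privilege-lookup-error"  # metastore call failed, no decision made
    if "Authorization failed:" in text:
        return "denied"                  # a policy decision was reached
    if "FAILED" in text:
        return "other-failure"
    return "ok" if "OK" in out else "no-output"

def triage(session):
    """Return (statement, authorization_enabled, outcome) per non-`set` statement."""
    results, authz, current = [], None, None
    for line in session.splitlines():
        m = PROMPT.match(line)
        if not m:
            if current is not None:
                current[2].append(line)   # output belongs to the last statement
            continue
        stmt = m.group(1).strip()
        if not stmt:
            continue                      # bare prompt
        s = AUTHZ_SET.match(stmt)
        if s:
            authz, current = s.group(1).lower() == "true", None
            continue
        current = (stmt, authz, [])
        results.append(current)
    return [(stmt, on, classify(out)) for stmt, on, out in results]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```
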