Date: Tue, 15 Oct 2013 02:30:44 +0000 (UTC)
From: "Sushanth Sowmyan (JIRA)"
To: hive-dev@hadoop.apache.org
Subject: [jira] [Updated] (HIVE-5542) Webhcat is failing to run ddl command on a secure cluster

     [ https://issues.apache.org/jira/browse/HIVE-5542?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sushanth Sowmyan updated HIVE-5542:
-----------------------------------
    Description:
When switching client-side authorization from the now deprecated HdfsAuthorizationProvider to SBAP, we noticed an issue while testing. Basically, if, say webhcat were running as user "hcat" on a secure cluster, and we run the following:

{noformat}
$ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa
$ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}" http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a
{noformat}

{noformat}
{"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135)
	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139)
	at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93)
	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105)
	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63)
	at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83)
	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342)
	at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:888)
	at org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43)
	at org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251)
	at org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205)
	at org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270)
	... 20 more
","error":"FAILED: AuthorizationException java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"}
{noformat}

> Webhcat is failing to run ddl command on a secure cluster
> ---------------------------------------------------------
>
>                 Key: HIVE-5542
>                 URL: https://issues.apache.org/jira/browse/HIVE-5542
>             Project: Hive
>          Issue Type: Bug
>          Components: Authentication, WebHCat
>    Affects Versions: 0.12.0
>            Reporter: Sushanth Sowmyan
>            Assignee: Sushanth Sowmyan

--
This message was sent by Atlassian JIRA
(v6.1#6144)
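
A triage check for the response in the report above, added here as an example (not code from Hive or from the reporter): it pulls the denied action, path and user out of the WebHCat error body and compares that user with the Kerberos principal that made the request. The function names, the `EXAMPLE.COM` realm and the shortened `errorDetail` are constructed for illustration.

```python
import json
import re

# Denial message format as it appears in the "error" field of the response.
DENIAL_RE = re.compile(
    r"action (?P<action>\w+) not permitted on path (?P<path>\S+) for user (?P<user>\S+)"
)

# Constructed sample: the response body from the report with the stack trace shortened.
SAMPLE_RESPONSE = json.dumps({
    "errorDetail": "org.apache.hadoop.hive.ql.metadata.AuthorizationException: ...\n"
                   "\tat org.apache.hadoop.hive.ql.security.authorization."
                   "StorageBasedAuthorizationProvider.checkPermissions("
                   "StorageBasedAuthorizationProvider.java:351)\n",
    "error": "FAILED: AuthorizationException java.security.AccessControlException: "
             "action WRITE not permitted on path "
             "hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat",
    "sqlState": "42000", "errorCode": 40000, "database": "hcatperms_a",
})


def short_name(principal):
    """Reduce a Kerberos principal (user[/instance][@REALM]) to its first component."""
    return principal.split("@", 1)[0].split("/", 1)[0]


def triage(response_text, caller_principal):
    """Return the denial details and whether the denied user differs from the caller."""
    body = json.loads(response_text)
    match = DENIAL_RE.search(body.get("error", ""))
    if match is None:
        return None  # not a storage-permission denial
    finding = match.groupdict()
    finding["caller"] = short_name(caller_principal)
    # True when the permission check named a different account than the one
    # that authenticated, e.g. the service user instead of the end user.
    finding["identity_mismatch"] = finding["user"] != finding["caller"]
    # Confirms the denial was raised by the storage-based provider (SBAP).
    finding["from_sbap"] = "StorageBasedAuthorizationProvider" in body.get("errorDetail", "")
    return finding


if __name__ == "__main__":
    # hrt_qa is the principal from the kinit step; the realm is a placeholder.
    print(triage(SAMPLE_RESPONSE, "hrt_qa@EXAMPLE.COM"))
```

For the reported response the check flags a mismatch: the request was made as `hrt_qa`, while the WRITE denial on the warehouse path names `hcat`, the account WebHCat runs as.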