Date: Sat, 14 Jun 2014 11:38:38 +0800
Subject: Questions about Hive authorization under HDFS permission
From: Apple Wang
To: dev@hive.apache.org

Hi, all

I have enabled hive authorization in my testing cluster. I use the user hive to create database hivedb and grant create privilege on hivedb to user root.

But I come across the following problem: root cannot create a table in hivedb even though it has the create privilege.

FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Got exception: org.apache.hadoop.security.AccessControlException Permission denied: user=root, access=WRITE, inode="/tmp/user/hive/warehouse/hivedb.db":hive:hadoop:drwxr-xr-x
    at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:234)
    at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:214)
    at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:158)
    at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:5499)
    at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesystem.java:5481)
    at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAncestorAccess(FSNamesystem.java:5455)
    at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInternal(FSNamesystem.java:3455)
    at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInt(FSNamesystem.java:3425)
    at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirs(FSNamesystem.java:3397)
    at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.mkdirs(NameNodeRpcServer.java:724)
    at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.mkdirs(ClientNamenodeProtocolServerSideTranslatorPB.java:502)
    at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java:48089)
    at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:585)
    at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:928)
    at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2048)
    at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2044)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:396)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1491)
    at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2042)

It is obvious that the hivedb.db directory in HDFS is not allowed to be written by other users. So how does hive authorization work under the HDFS permissions?

PS. If I create a table as user hive and grant update privilege to user root, the same ERROR will occur if I load data into the table as root.

Look forward to your reply!

Thanks
Alex
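
Added example (not part of the original message, and not Hive or Hadoop code): a small Python parser for the AccessControlException text quoted above. It applies the HDFS owner/group/other mode check to report which permission class the caller fell into and which bit was missing. The sample message is constructed from the quoted error with the line wrapping removed; the names explain and user_groups are hypothetical, root's group membership is an assumption, and HDFS ACLs and the superuser bypass are ignored.

```python
import re

# Constructed from the error quoted in the message (line wrapping removed).
ERROR = ('Permission denied: user=root, access=WRITE, '
         'inode="/tmp/user/hive/warehouse/hivedb.db":hive:hadoop:drwxr-xr-x')

PATTERN = re.compile(
    r'user=(?P<user>[^,]+), access=(?P<access>[A-Z_]+), '
    r'inode="(?P<path>[^"]*)":(?P<owner>[^:]*):(?P<group>[^:]*):'
    r'(?P<mode>[-dl][-rwx]{8}[-xtT])')

# Bits required by each Hadoop FsAction value.
NEEDED = {"NONE": "", "READ": "r", "WRITE": "w", "EXECUTE": "x",
          "READ_WRITE": "rw", "READ_EXECUTE": "rx",
          "WRITE_EXECUTE": "wx", "ALL": "rwx"}


def explain(message, user_groups=()):
    """Return which permission class applied to the caller and what it lacked.

    user_groups is the caller's group list (an assumption supplied by the
    reader; the exception text does not contain it).
    """
    m = PATTERN.search(message)
    if m is None:
        raise ValueError("not an HDFS AccessControlException message")
    f = m.groupdict()
    bits = f["mode"][1:]
    classes = {"owner": bits[0:3], "group": bits[3:6], "other": bits[6:9]}
    # Exactly one class is consulted: owner, else group member, else other.
    if f["user"] == f["owner"]:
        cls = "owner"
    elif f["group"] in user_groups:
        cls = "group"
    else:
        cls = "other"
    # Sticky bit: 't' means execute is also set, 'T' means it is not.
    granted = classes[cls].replace("t", "x").replace("T", "-")
    missing = "".join(b for b in NEEDED[f["access"]] if b not in granted)
    return {"path": f["path"], "user": f["user"], "class": cls,
            "granted": granted, "missing": missing, "allowed": not missing}


if __name__ == "__main__":
    print(explain(ERROR))                           # root outside group hadoop
    print(explain(ERROR, user_groups=("hadoop",)))  # root inside group hadoop
```

With mode drwxr-xr-x, the write bit is missing for both the group and other classes, so the result is the same whether or not root belongs to group hadoop.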