Date: Mon, 15 Sep 2014 21:58:34 +0000 (UTC)
From: "Thejas M Nair (JIRA)"
To: hive-dev@hadoop.apache.org
Subject: [jira] [Commented] (HIVE-8045) SQL standard auth with cli - Errors and configuration issues

    [ https://issues.apache.org/jira/browse/HIVE-8045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14134556#comment-14134556 ]

Thejas M Nair commented on HIVE-8045:
-------------------------------------

Unable to create external tables from hive cli after setting the following two properties in hive-site.xml
{noformat}
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>
{noformat}

Table creation fails with the following error message:
{noformat}
hive> create external table abc(i int);
14/09/09 20:21:23 [main]: INFO log.PerfLogger:
14/09/09 20:21:23 [main]: INFO log.PerfLogger:
14/09/09 20:21:23 [main]: INFO ql.Driver: Concurrency mode is disabled, not creating a lock manager
14/09/09 20:21:23 [main]: INFO log.PerfLogger:
14/09/09 20:21:23 [main]: INFO log.PerfLogger:
14/09/09 20:21:23 [main]: INFO parse.ParseDriver: Parsing command: create external table abc(i int)
14/09/09 20:21:24 [main]: INFO parse.ParseDriver: Parse Completed
14/09/09 20:21:24 [main]: INFO log.PerfLogger:
14/09/09 20:21:24 [main]: INFO log.PerfLogger:
14/09/09 20:21:24 [main]: INFO parse.SemanticAnalyzer: Starting Semantic Analysis
14/09/09 20:21:24 [main]: INFO parse.SemanticAnalyzer: Creating table default.abc position=22
FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
14/09/09 20:21:24 [main]: ERROR ql.Driver: FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
java.lang.RuntimeException: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
    at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:633)
    at org.apache.hadoop.hive.ql.session.SessionState.getAuthenticator(SessionState.java:1132)
    at org.apache.hadoop.hive.ql.session.SessionState.getUserFromAuthenticator(SessionState.java:822)
    at org.apache.hadoop.hive.ql.metadata.Table.getEmptyTable(Table.java:175)
    at org.apache.hadoop.hive.ql.metadata.Table.(Table.java:117)
    at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.addDbAndTabToOutputs(SemanticAnalyzer.java:10302)
    at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.analyzeCreateTable(SemanticAnalyzer.java:10198)
    at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.analyzeInternal(SemanticAnalyzer.java:9405)
    at org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.analyze(BaseSemanticAnalyzer.java:208)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:402)
    at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:298)
    at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:992)
    at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1062)
    at org.apache.hadoop.hive.ql.Driver.run(Driver.java:929)
    at org.apache.hadoop.hive.ql.Driver.run(Driver.java:919)
    at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:246)
    at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:198)
    at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:408)
    at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:781)
    at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:675)
    at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:614)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.hadoop.util.RunJar.run(RunJar.java:221)
    at org.apache.hadoop.util.RunJar.main(RunJar.java:136)
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils.getPluginException(SQLAuthorizationUtils.java:416)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRolesFromMS(SQLStdHiveAccessController.java:161)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.initUserRoles(SQLStdHiveAccessController.java:142)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.(SQLStdHiveAccessController.java:96)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessControllerWrapper.(SQLStdHiveAccessControllerWrapper.java:57)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory.createHiveAuthorizer(SQLStdHiveAuthorizerFactory.java:35)
    at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:624)
    ... 26 more
Caused by: MetaException(message:Metastore Authorization api invocation for remote metastore is disabled in this configuration.)
    at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result$get_role_grants_for_principal_resultStandardScheme.read(ThriftHiveMetastore.java)
    at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result$get_role_grants_for_principal_resultStandardScheme.read(ThriftHiveMetastore.java)
    at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result.read(ThriftHiveMetastore.java)
    at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
    at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_role_grants_for_principal(ThriftHiveMetastore.java:3402)
    at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_role_grants_for_principal(ThriftHiveMetastore.java:3389)
    at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.get_role_grants_for_principal(HiveMetaStoreClient.java:1571)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(RetryingMetaStoreClient.java:90)
    at com.sun.proxy.$Proxy9.get_role_grants_for_principal(Unknown Source)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRoleGrants(SQLStdHiveAccessController.java:170)
    at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRolesFromMS(SQLStdHiveAccessController.java:148)
    ... 31 more
{noformat}

> SQL standard auth with cli - Errors and configuration issues
> ------------------------------------------------------------
>
>                 Key: HIVE-8045
>                 URL: https://issues.apache.org/jira/browse/HIVE-8045
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Jagruti Varia
>            Assignee: Thejas M Nair
>
> HIVE-7533 enabled sql std authorization to be set in hive cli (without enabling authorization checks). This updates hive configuration so that create-table and create-views set permissions appropriately for the owner of the table.
> HIVE-7209 added a metastore authorization provider that can be used to restrict calls made to the authorization api, so that only HS2 can make those calls (when HS2 uses embedded metastore).
> Some issues were found with this.
> # Even if hive.security.authorization.enabled=false, authorization checks were happening for non sql statements as add/delete/dfs/compile, which results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Create table from hive-cli ended up calling metastore server api call (getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Some users prefer to enable authorization using hive-site.xml for hive-server2 (hive.security.authorization.enabled param). If this file is shared by hive-cli and hive-server2, SQL std authorizer throws an error because its use in hive-cli is not allowed.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
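
A pre-deployment check for the two configuration cases reported above, added here as an example; it is not part of the original message or of Hive. The finding codes, function names and sample document are assumptions made for illustration, and the sample mirrors the two properties quoted in the comment.

```python
import xml.etree.ElementTree as ET

SQLSTD = ("org.apache.hadoop.hive.ql.security.authorization.plugin."
          "sqlstd.SQLStdHiveAuthorizerFactory")
EMBED_ONLY = ("org.apache.hadoop.hive.ql.security.authorization."
              "MetaStoreAuthzAPIAuthorizerEmbedOnly")
STORAGE_BASED = ("org.apache.hadoop.hive.ql.security.authorization."
                 "StorageBasedAuthorizationProvider")

def prop_xml(name, value):
    """Build one hive-site.xml <property> element (helper for samples)."""
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample: the two properties quoted in the comment.
SAMPLE = ("<configuration>"
          + prop_xml("hive.security.authorization.manager", SQLSTD)
          + prop_xml("hive.security.metastore.authorization.manager",
                     STORAGE_BASED + "," + EMBED_ONLY)
          + "</configuration>")

def load_properties(xml_text):
    """Return {name: value} for every <property> in a hive-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def audit_for_cli(xml_text):
    """Return finding codes for a hive-site.xml that hive-cli will also read."""
    props = load_properties(xml_text)
    sqlstd = props.get("hive.security.authorization.manager") == SQLSTD
    ms = props.get("hive.security.metastore.authorization.manager", "")
    embed_only = EMBED_ONLY in [m.strip() for m in ms.split(",")]
    # An unset hive.security.authorization.enabled is treated as false here.
    flag = props.get("hive.security.authorization.enabled", "false")
    enabled = flag.lower() == "true"
    findings = []
    if sqlstd and embed_only:
        # The comment's case: the CLI role lookup hits the restricted API.
        findings.append("CLI_ROLE_LOOKUP_BLOCKED")
    if sqlstd and enabled:
        # Issue item 3: authorization enabled in a file shared with hive-cli.
        findings.append("SQLSTD_ENABLED_IN_SHARED_FILE")
    return findings

if __name__ == "__main__":
    for code in audit_for_cli(SAMPLE):
        print(code)
```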