hive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Timothy Driscoll (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-8954) StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
Date Mon, 16 Feb 2015 16:45:12 GMT

    [ https://issues.apache.org/jira/browse/HIVE-8954?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14322977#comment-14322977
] 

Timothy Driscoll commented on HIVE-8954:
----------------------------------------

We've run into the same issue as well.  Stack trace (below) is against the Hive 1.0.0 release.
 

Looks like it was introduced here:
https://github.com/apache/hive/commit/d466a4a266cad48a875cb78fc706c03878bfbfa3#diff-96eaae2c03bb93befeba9bf598597704L181

Apparently the assumption of when partitions may be null was incorrect.  From the stack trace,
the Driver is explicitly passing in null on this SELECT query:
https://github.com/apache/hive/blob/release-1.0.0/ql/src/java/org/apache/hadoop/hive/ql/Driver.java#L638

I don't know the ramifications, but I just reverted the diff to perform the original check
on the table and fixes this particular issue at least.

{code}
hive> select * from hive_table limit 5;
FAILED: HiveException java.security.AccessControlException: action WRITE not permitted on
path hdfs://cluster/hive_table for user <user>
15/02/16 09:37:06 ERROR ql.Driver: FAILED: HiveException java.security.AccessControlException:
action WRITE not permitted on path hdfs://cluster/hive_table for user <user>
org.apache.hadoop.hive.ql.metadata.HiveException: java.security.AccessControlException: action
WRITE not permitted on path hdfs://cluster/hive_table for user <user>
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:393)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:357)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:331)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:180)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:231)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:253)
	at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:638)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:455)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:303)
	at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1067)
	at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1129)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1004)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:994)
	at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:201)
	at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:153)
	at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:364)
	at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:712)
	at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:631)
	at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:570)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://cluster/hive_table
for user <user>
	at org.apache.hadoop.fs.DefaultFileAccess.checkFileAccess(DefaultFileAccess.java:88)
	at org.apache.hadoop.fs.DefaultFileAccess.checkFileAccess(DefaultFileAccess.java:55)
	at org.apache.hadoop.hive.shims.Hadoop23Shims.checkFileAccess(Hadoop23Shims.java:790)
	at org.apache.hadoop.hive.common.FileUtils.checkFileAccessWithImpersonation(FileUtils.java:381)
	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:384)
	... 23 more
{code}

> StorageBasedAuthorizationProvider Check write permission on HDFS on SELECT SQL request
> --------------------------------------------------------------------------------------
>
>                 Key: HIVE-8954
>                 URL: https://issues.apache.org/jira/browse/HIVE-8954
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>    Affects Versions: 0.14.0
>         Environment: centos 6.5 
>            Reporter: LINTE
>
> With hive.security.metastore.authorization.manager set to org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.
> It seem that on a read request, write permissions are check on the HDFS by the metastore.
> sample :
> bash# hive 
> hive (default)> use database;
> OK
> Time taken: 0.747 seconds
> hive (database)> SELECT * FROM  table LIMIT 10;
> FAILED: HiveException java.security.AccessControlException: action WRITE not permitted
on path hdfs://cluster/hive_warehouse/database.db/table for user myuser



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message