hive-issues mailing list archives

From "Thejas M Nair (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HIVE-12408) SQLStdAuthorizer should not require external table creator to be owner of directory, in addition to rw permissions
Date Fri, 27 Oct 2017 00:42:02 GMT

    [ https://issues.apache.org/jira/browse/HIVE-12408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16221517#comment-16221517 ]

Thejas M Nair commented on HIVE-12408:
--------------------------------------

[~ajisakaa]
Please find instructions to request access to edit wiki here - https://cwiki.apache.org/confluence/display/Hive/AboutThisWiki#AboutThisWiki-Howtogetpermissiontoedit

cc [~leftylev]

> SQLStdAuthorizer should not require external table creator to be owner of directory, in addition to rw permissions
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-12408
>                 URL: https://issues.apache.org/jira/browse/HIVE-12408
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, Security, SQLStandardAuthorization
>    Affects Versions: 0.14.0
>         Environment: HDP 2.2 + Kerberos
>            Reporter: Hari Sekhon
>            Assignee: Akira Ajisaka
>            Priority: Critical
>             Fix For: 3.0.0
>
>         Attachments: HIVE-12408.001.patch, HIVE-12408.002.patch
>
>
> When trying to create an external table via beeline in Hive using the SQLStdAuthorizer it expects the table creator to be the owner of the directory path and ignores the group rwx permission that is granted to the user.
> {code}Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: Principal [name=hari, type=USER] does not have following privileges for operation CREATETABLE [[INSERT, DELETE, OBJECT OWNERSHIP] on Object [type=DFS_URI, name=/etl/path/to/hdfs/dir]] (state=42000,code=40000){code}
> All it should be checking is read access to that directory.
> The directory owner requirement breaks the ability of more than one user to create external table definitions to a given location. For example this is a flume landing directory with json data, and the /etl tree is owned by the flume user. Even chowning the tree to another user would still break access to other users who are able to read the directory in hdfs but would still be unable to create external tables on top of it.
> This looks like a remnant of the owner only access model in SQLStdAuth and is a separate issue to HIVE-11864 / HIVE-12324.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
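
The two access models contrasted in the quoted issue description, as an added example that is not part of the original message and is not Hive's code. It is a simplified model: the group name `etl`, the mode `0o770` and the mapping from rwx bits to privilege names are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DirStatus:
    owner: str
    group: str
    mode: int  # POSIX-style permission bits, e.g. 0o770

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

def effective_bits(user, st):
    """rwx bits from the first matching class: owner, then group, then other."""
    if user.name == st.owner:
        return (st.mode >> 6) & 0o7
    if st.group in user.groups:
        return (st.mode >> 3) & 0o7
    return st.mode & 0o7

def privileges(user, st, owner_only):
    """Derive privilege names from directory access (assumed mapping)."""
    privs = set()
    is_owner = user.name == st.owner
    if is_owner:
        privs.add("OBJECT OWNERSHIP")
    if owner_only and not is_owner:
        return privs  # behaviour in the report: group/other bits are ignored
    bits = effective_bits(user, st)
    if bits & 0o4:
        privs.add("SELECT")
    if bits & 0o2:
        privs.update({"INSERT", "DELETE"})
    return privs

def missing(user, st, required, owner_only):
    """Privileges from `required` that the user lacks, sorted by name."""
    return sorted(set(required) - privileges(user, st, owner_only))

# Constructed scenario: flume-owned landing directory, hari has group rwx.
LANDING = DirStatus(owner="flume", group="etl", mode=0o770)
HARI = User("hari", frozenset({"etl"}))
REPORTED_REQUIRED = ("INSERT", "DELETE", "OBJECT OWNERSHIP")  # from the error text
RW_REQUIRED = ("SELECT", "INSERT", "DELETE")  # rw access only, no ownership

if __name__ == "__main__":
    print("owner-only model:", missing(HARI, LANDING, REPORTED_REQUIRED, True))
    print("rw-only model:   ", missing(HARI, LANDING, RW_REQUIRED, False))
```

Honouring the group bits alone does not clear the check while `OBJECT OWNERSHIP` stays in the required set; the ownership requirement itself has to be dropped for a second user to pass.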
