with ESMTP id D93C460E26 for ; Tue, 17 Oct 2017 02:56:03 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id B6872E2575 for ; Tue, 17 Oct 2017 02:56:01 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id 78A74243A8 for ; Tue, 17 Oct 2017 02:56:00 +0000 (UTC) Date: Tue, 17 Oct 2017 02:56:00 +0000 (UTC) From: "Thejas M Nair (JIRA)" To: issues@hive.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Commented] (HIVE-12408) SQLStdAuthorizer expects external table creator to be owner of directory, does not respect rwx group permission. Only one user could ever create an external table definition to dir! MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 archived-at: Tue, 17 Oct 2017 02:56:08 -0000 [ https://issues.apache.org/jira/browse/HIVE-12408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16206939#comment-16206939 ] Thejas M Nair commented on HIVE-12408: -------------------------------------- Sure, assigning the bug to you > SQLStdAuthorizer expects external table creator to be owner of directory, does not respect rwx group permission. Only one user could ever create an external table definition to dir! 
> ------------------------------------------------------------------------
>
>                 Key: HIVE-12408
>                 URL: https://issues.apache.org/jira/browse/HIVE-12408
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, Security, SQLStandardAuthorization
>    Affects Versions: 0.14.0
>         Environment: HDP 2.2 + Kerberos
>            Reporter: Hari Sekhon
>            Assignee: Akira Ajisaka
>            Priority: Critical
>
> When trying to create an external table via beeline in Hive using the SQLStdAuthorizer it expects the table creator to be the owner of the directory path and ignores the group rwx permission that is granted to the user.
> {code}Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: Principal [name=hari, type=USER] does not have following privileges for operation CREATETABLE [[INSERT, DELETE, OBJECT OWNERSHIP] on Object [type=DFS_URI, name=/etl/path/to/hdfs/dir]] (state=42000,code=40000){code}
> All it should be checking is read access to that directory.
> The directory owner requirement breaks the ability of more than one user to create external table definitions to a given location. For example this is a flume landing directory with json data, and the /etl tree is owned by the flume user. Even chowning the tree to another user would still break access to other users who are able to read the directory in hdfs but would still be unable to create external tables on top of it.
> This looks like a remnant of the owner only access model in SQLStdAuth and is a separate issue to HIVE-11864 / HIVE-12324.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
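
An added illustration of the behaviour reported in the ticket (constructed here; it is not Hive source and not part of the original message): a small Python model that contrasts an owner-only check with a read-access check on the landing directory, before and after a chown. The group name `etl`, the mode `0o770`, the users `analyst2` and `guest`, and all function names are assumptions.

```python
from dataclasses import dataclass, replace

READ = 4  # r bit within one permission class


@dataclass(frozen=True)
class HdfsDir:
    path: str
    owner: str
    group: str
    mode: int  # octal permission bits, e.g. 0o770


def class_bits(d, user, groups):
    """HDFS/POSIX class selection: owner bits, else group bits, else other."""
    if user == d.owner:
        return (d.mode >> 6) & 0o7
    if d.group in groups:
        return (d.mode >> 3) & 0o7
    return d.mode & 0o7


def owner_only_check(d, user, groups):
    """Behaviour reported in the ticket: only the directory owner passes."""
    return user == d.owner


def read_access_check(d, user, groups):
    """Check the reporter asks for: read access through any permission class."""
    return bool(class_bits(d, user, groups) & READ)


def allowed_users(check, d, membership):
    """Sorted names from a user -> groups map that pass `check` on `d`."""
    return sorted(u for u, g in membership.items() if check(d, u, g))


def chown(d, new_owner):
    """Return a copy of the directory with a different owner."""
    return replace(d, owner=new_owner)


# Constructed sample data (assumptions, see lead-in).
LANDING = HdfsDir("/etl/path/to/hdfs/dir", owner="flume", group="etl", mode=0o770)
MEMBERSHIP = {"flume": {"flume", "etl"}, "hari": {"etl"},
              "analyst2": {"etl"}, "guest": {"users"}}

if __name__ == "__main__":
    for label, d in (("as-is", LANDING), ("chown to hari", chown(LANDING, "hari"))):
        print(label, "owner-only :", allowed_users(owner_only_check, d, MEMBERSHIP))
        print(label, "read-access:", allowed_users(read_access_check, d, MEMBERSHIP))
```

Under the owner-only check the chown only moves the single allowed user from `flume` to `hari`; under the read-access check every member of the directory's group passes in both cases.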