hive-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sanjay Subramanian <Sanjay.Subraman...@wizecommerce.com>
Subject Hive Authorization (ROLES AND PRIVILEGES) does not work with hiveserver2 ?
Date Mon, 19 Aug 2013 19:30:49 GMT
0: jdbc:hive2://dev-thdp5:10000> CREATE ROLE sas_role;
No rows affected (0.16 seconds)

0: jdbc:hive2://dev-thdp5:10000> CREATE EXTERNAL TABLE  IF NOT EXISTS keyword_impressions_log
(date_ STRING,server STRING,impression_id STRING,search_session_id STRING,channel_id INT,visit_id
BIGINT,visitor_id BIGINT,app_style STRING,publisher_id INT,ip STRING,keyword_id BIGINT,keyword
STRING,node_constraint BIGINT,mfr_constraint BIGINT,seller_constraint BIGINT,other_constraint
STRING,continued INT,offset INT,results INT,sort_ INT,ad_nodes STRING,view_ INT,spelling STRING,referrer
STRING,internal_ip INT,cat_feat_mode STRING,rules STRING,rb_filter INT,shuffled INT,related_item_results
INT,pixeled INT,sr_attr_imps STRING,unranked_ptitle_ids STRING,perpage INT)PARTITIONED BY
(header_date_partition STRING)    STORED AS INPUTFORMAT  "com.hadoop.mapred.DeprecatedLzoTextInputFormat"
  OUTPUTFORMAT "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat";
No rows affected (0.468 seconds)

0: jdbc:hive2://dev-thdp5:10000> alter table keyword_impressions_log add if not exists
partition (header_date_partition='2013-08-11') location '/user/hive/warehouse/keyword_impressions_log/2013-08-11';
No rows affected (0.438 seconds)

0: jdbc:hive2://dev-thdp5:10000> GRANT SELECT ON TABLE keyword_impressions_log TO ROLE
sas_role;
No rows affected (0.403 seconds)

0: jdbc:hive2://dev-thdp5:10000> GRANT ROLE sas_role TO USER hiveuser1;
No rows affected (0.168 seconds)

0: jdbc:hive2://dev-thdp5:10000> show grant role sas_role on table keyword_impressions_log;
No rows affected (0.117 seconds)

The following CLI command shows the role information

hive -e "show grant role sas_role on table keyword_impressions_log;"

Logging initialized using configuration in jar:file:/usr/lib/hive/lib/hive-common-0.10.0-cdh4.3.0.jar!/hive-log4j.properties
Hive history file=/tmp/sasubramanian/hive_job_log_99244cad-b6e4-4c71-9fe1-d4b248b078c3_1882800333.txt
OK
database default
table keyword_impressions_log
principalName sas_role
principalType ROLE
privilege select
grantTime Mon Aug 19 12:24:08 PDT 2013
grantor hive
Time taken: 1.76 seconds


From: Sanjay Subramanian <sanjay.subramanian@wizecommerce.com<mailto:sanjay.subramanian@wizecommerce.com>>
Reply-To: "user@hive.apache.org<mailto:user@hive.apache.org>" <user@hive.apache.org<mailto:user@hive.apache.org>>
Date: Friday, August 16, 2013 7:24 PM
To: "user@hive.apache.org<mailto:user@hive.apache.org>" <user@hive.apache.org<mailto:user@hive.apache.org>>
Subject: Hive Authorization clarification

Hi guys

I am not getting the expected result from my authorization settings

I am evaluating Hive0.10.0+121

mysql> select * from hive.ROLES;
+---------+-------------+------------+-----------+
| ROLE_ID | CREATE_TIME | OWNER_NAME | ROLE_NAME |
+---------+-------------+------------+-----------+
|       6 |  1376704610 | NULL       | sas_role  |
+---------+-------------+------------+-----------+



My settings are as follows.


<!-- added by sanjay -->
<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://corp.nextag.com</value>
</property>

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client   authorization</description>
</property>

<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets
created.
An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>

<property>
  <name>hive.security.authorization.createtable.role.grants</name>
  <value>sas_role:select</value>
  <description>The privileges automatically granted to some roles whenever a table gets
created. An example like "roleX,roleY:select;roleZ:create" will grant select privilege to
roleX and roleY, and grant create privilege to roleZ whenever a new table created.</description>
</property>

<property>
  <name>hive.security.authorization.createtable.group.grants</name>
  <value>hiveuser1:select</value>
  <description>The privileges automatically granted to some groups whenever a table
gets created. An example like "groupX,groupY:select;groupZ:create" will grant select privilege
to groupX and groupY, and grant create privilege to groupZ whenever a new table created.</description>
</property>


<property>
  <name>hive.security.authorization.createtable.user.grants</name>
  <value>hiveuser1:select</value>
  <description>The privileges automatically granted to some users whenever a table gets
created. An example like "userX,userY:select;userZ:create" will grant select privilege to
userX and userY, and grant create privilege to userZ whenever a new table created.</description>
</property>



USECASE STEPS
============
1.   Connect as sasubramanian and create table
beeline> !connect jdbc:hive2://dev-thdp5:10000 sanjay.subramanian@wizecommerce.com<mailto:sanjay.subramanian@wizecommerce.com>
********* org.apache.hive.jdbc.HiveDriver
Connecting to jdbc:hive2://dev-thdp5:10000
Connected to: Hive (version 0.10.0)
Driver: Hive (version 0.10.0-cdh4.3.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://dev-thdp5:10000> CREATE EXTERNAL TABLE  IF NOT EXISTS keyword_impressions_log
(date_ STRING,server STRING,impression_id STRING,search_session_id STRING,channel_id INT,visit_id
BIGINT,visitor_id BIGINT,app_style STRING,publisher_id INT,ip STRING,keyword_id BIGINT,keyword
STRING,node_constraint BIGINT,mfr_constraint BIGINT,seller_constraint BIGINT,other_constraint
STRING,continued INT,offset INT,results INT,sort_ INT,ad_nodes STRING,view_ INT,spelling STRING,referrer
STRING,internal_ip INT,cat_feat_mode STRING,rules STRING,rb_filter INT,shuffled INT,related_item_results
INT,pixeled INT,sr_attr_imps STRING,unranked_ptitle_ids STRING,perpage INT)PARTITIONED BY
(header_date_partition STRING)    STORED AS INPUTFORMAT  "com.hadoop.mapred.DeprecatedLzoTextInputFormat"
  OUTPUTFORMAT "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat";
No rows affected (0.251 seconds)

2. Logout of Hive and connect as hiveuser1
beeline> !connect jdbc:hive2://dev-thdp5:10000 hiveuser1@corp.nextag.com<mailto:hiveuser1@corp.nextag.com>
W!ze2955 org.apache.hive.jdbc.HiveDriver
Connected to: Hive (version 0.10.0)
Driver: Hive (version 0.10.0-cdh4.3.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://dev-thdp5:10000> drop table keyword_impressions_log;
No rows affected (0.397 seconds)

TABLE GETS DROPPED BY hiveuser1 ????? Why ?
<property>
  <name>hive.security.authorization.createtable.group.grants</name>
  <value>hiveuser1:select</value>
  <description>The privileges automatically granted to some groups whenever a table
gets created. An example like "groupX,groupY:select;groupZ:create" will grant select privilege
to groupX and groupY, and grant create privilege to groupZ whenever a new table created.</description>
</property>

Thanks

sanjay



CONFIDENTIALITY NOTICE
======================
This email message and any attachments are for the exclusive use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized review, use, disclosure
or distribution is prohibited. If you are not the intended recipient, please contact the sender
by reply email and destroy all copies of the original message along with any attachments,
from your computer system. If you are the intended recipient, please be advised that the content
of this message is subject to access, review and disclosure by the sender's Email System Administrator.

CONFIDENTIALITY NOTICE
======================
This email message and any attachments are for the exclusive use of the intended recipient(s)
and may contain confidential and privileged information. Any unauthorized review, use, disclosure
or distribution is prohibited. If you are not the intended recipient, please contact the sender
by reply email and destroy all copies of the original message along with any attachments,
from your computer system. If you are the intended recipient, please be advised that the content
of this message is subject to access, review and disclosure by the sender's Email System Administrator.

Mime
View raw message