Return-Path: X-Original-To: apmail-hive-user-archive@www.apache.org Delivered-To: apmail-hive-user-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D41CD10F87 for ; Thu, 30 Jan 2014 17:00:59 +0000 (UTC) Received: (qmail 56917 invoked by uid 500); 30 Jan 2014 17:00:56 -0000 Delivered-To: apmail-hive-user-archive@hive.apache.org Received: (qmail 56777 invoked by uid 500); 30 Jan 2014 17:00:56 -0000 Mailing-List: contact user-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@hive.apache.org Delivered-To: mailing list user@hive.apache.org Received: (qmail 56768 invoked by uid 99); 30 Jan 2014 17:00:56 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 Jan 2014 17:00:56 +0000 X-ASF-Spam-Status: No, hits=1.5 required=5.0 tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of anastetsky@spryinc.com designates 74.125.82.50 as permitted sender) Received: from [74.125.82.50] (HELO mail-wg0-f50.google.com) (74.125.82.50) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 30 Jan 2014 17:00:49 +0000 Received: by mail-wg0-f50.google.com with SMTP id l18so6856576wgh.5 for ; Thu, 30 Jan 2014 09:00:28 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=cLMoMzOoXyMTgIrYG078SjIrvCn7VvEwfvACmX2Z2q4=; b=EggVouWF/xICGGLebVD7g3XsvzWxJa7927y33urDIpJHgVrFOP7gxDHGbsuPrhMOhr fImhBWfGOcbnysj8aepdF/bcQt6lD8Z3wo78Nv/a47g2aTh1S2gr3sW+Eh2NXr3TW9aS K3RkGgI5d85r8jPaDPzp8ajWd2X4JkY9u4ZnnwkVhRV6mNZnGIxIG+a0m6Fzgt3jQNRL Dz1dsOo3I9Ufj5pYrpCHBZ0NRjTNKHCDTwGLq9HwiHVzw6jiy8nvZVNKXVynpg8v3CeN egunpbrrcCm0ZbCqSqKLJ2C4Hpm3OKWwRm99/2WmOKm5MLovtJQpGTT3ADVboAwdH8PV Sukg== X-Gm-Message-State: ALoCoQmjOyoOrUhRExsagtPagYAXn5tWxN7LpiwfBUK5J62/GGrs+/iBXAVhz/qwPZ34f/s1Bb+H MIME-Version: 1.0 X-Received: by 10.180.37.193 with SMTP id a1mr10372627wik.52.1391101228728; Thu, 30 Jan 2014 09:00:28 -0800 (PST) Received: by 10.180.205.202 with HTTP; Thu, 30 Jan 2014 09:00:28 -0800 (PST) X-Originating-IP: [75.145.94.105] In-Reply-To: References: Date: Thu, 30 Jan 2014 12:00:28 -0500 Message-ID: Subject: Re: disable internal tables From: Alex Nastetsky To: user@hive.apache.org Content-Type: multipart/alternative; boundary=e89a8f502fa096b2ed04f132fe1f X-Virus-Checked: Checked by ClamAV on apache.org --e89a8f502fa096b2ed04f132fe1f Content-Type: text/plain; charset=ISO-8859-1 Thanks. But if I assign a group of the users to /apps/hive/warehouse then they can still create internal tables, which is what I am trying to prevent. I am on version 0.12.0.2.0.6.0. On Thu, Jan 30, 2014 at 11:55 AM, Peyman Mohajerian wrote: > This is a known issue, it still will write something at '/apps/hive/warehouse', > it's best to assign a common group to your hive and hdfs users and assign > that group to both of these directories. I heard this issue is fixed in .12 > or .13, others can confirm. > > > On Thu, Jan 30, 2014 at 8:27 AM, Alex Nastetsky wrote: > >> Hi, >> >> I am trying to enforce all Hive tables to be created with EXTERNAL. The >> way I am doing this is by making the location of the warehouse >> (/apps/hive/warehouse in my case) to have permissions 000 (completely >> inaccessible). >> >> But then when I try to create an external table, I see that it still >> tries to write to /apps/hive/warehouse and, of course, fails: >> >> hive> CREATE EXTERNAL TABLE mytable(id INT, name STRING) ROW FORMAT >> DELIMITED FIELDS TERMINATED BY ',' LINES TERMINATED BY '\n' STORED AS >> TEXTFILE LOCATION '/user/anastetsky/warehouse'; >> Authorization failed:java.security.AccessControlException: action WRITE >> not permitted on path hdfs://:8020/apps/hive/warehouse for user >> anastetsky. Use show grant to get more details. >> >> What am I missing? Or is there a better way to enforce tables to be >> EXTERNAL? >> >> Thanks in advance, >> Alex. >> > > --e89a8f502fa096b2ed04f132fe1f Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable
Thanks. But if I assign a group of the users to /apps/hive= /warehouse then they can still create internal tables, which is what I am t= rying to prevent.

I am on version=A00.12.0.2.0.6.0.


On Thu,= Jan 30, 2014 at 11:55 AM, Peyman Mohajerian <mohajeri@gmail.com>= wrote:
This is a known issue, it s= till will write something at '/apps/hive/warehouse', it's best= to assign a common group to your hive and hdfs users and assign that group= to both of these directories. I heard this issue is fixed in .12 or .13, o= thers can confirm.


On Thu, Jan 3= 0, 2014 at 8:27 AM, Alex Nastetsky <anastetsky@spryinc.com> wrote:
Hi,

I am= trying to enforce all Hive tables to be created with EXTERNAL. The way I a= m doing this is by making the location of the warehouse (/apps/hive/warehou= se in my case) to have permissions 000 (completely inaccessible).

But then when I try to create an external table, I see = that it still tries to write to /apps/hive/warehouse and, of course, fails:=

hive> CREATE EXTERNAL TABLE mytable(id IN= T, name STRING) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' LINES= TERMINATED BY '\n' STORED AS TEXTFILE LOCATION '/user/anastets= ky/warehouse';
Authorization failed:java.security.AccessControlException: action WRIT= E not permitted on path hdfs://<hostname>:8020/apps/hive/warehouse fo= r user anastetsky. Use show grant to get more details.

What am I missing? Or is there a better way to enforce table= s to be EXTERNAL?

Thanks in advance,
Ale= x.


--e89a8f502fa096b2ed04f132fe1f--