Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 3010A200CAF for ; Thu, 22 Jun 2017 08:36:55 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 2E8DF160BE7; Thu, 22 Jun 2017 06:36:55 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 1E094160BE5 for ; Thu, 22 Jun 2017 08:36:53 +0200 (CEST) Received: (qmail 93784 invoked by uid 500); 22 Jun 2017 06:36:52 -0000 Mailing-List: contact user-help@hive.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: user@hive.apache.org Delivered-To: mailing list user@hive.apache.org Received: (qmail 93770 invoked by uid 99); 22 Jun 2017 06:36:52 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 22 Jun 2017 06:36:52 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 86B2BC14D0 for ; Thu, 22 Jun 2017 06:36:51 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 3.085 X-Spam-Level: *** X-Spam-Status: No, score=3.085 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FORGED_HOTMAIL_RCVD2=1.187, HTML_MESSAGE=2, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd4-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id 9gJbnWnA9qIR for ; Thu, 22 Jun 2017 06:36:49 +0000 (UTC) Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-oln040092008021.outbound.protection.outlook.com [40.92.8.21]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTPS id B112C5F2F1 for ; Thu, 22 Jun 2017 06:36:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xPhE3yAUxXbQ4/72MrBL94bgpfV5YEdRGQ0G6crcSf8=; b=JH251BpOt1B1TZ5YwFc/2gqNWUtxHWBk/qnrs01jbZRnPyOsWobASnz5le85eYPihv1vfqTLLeZY+8YkpXQ4fK0/UJee1kWE5tUJZE5PXt4Db5c2+NpPmGUcAJHCTb0ntJKMzvV4WyKDdPBcGXpat4G/DZ3WeEYXmtHJBDdr4w7mM4O4aOjvc114mW08JAk5425UdNFR0X3LDpuuQTZmaztf+d134KE6vToiEwOUHNkZaVUzvGevnH5w+WqlHwZvNCDLmlwJDAbc/YwGN7qH+CfnYHl3RDViLua+WrBvNyowZk5310aGoyNFfALoXHMNhmY5koKsXpstbryiR8XaGQ== Received: from BY2NAM03FT055.eop-NAM03.prod.protection.outlook.com (10.152.84.55) by BY2NAM03HT213.eop-NAM03.prod.protection.outlook.com (10.152.85.218) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.1178.14; Thu, 22 Jun 2017 06:36:42 +0000 Received: from YTOPR01MB0554.CANPRD01.PROD.OUTLOOK.COM (10.152.84.56) by BY2NAM03FT055.mail.protection.outlook.com (10.152.85.245) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1199.9 via Frontend Transport; Thu, 22 Jun 2017 06:36:42 +0000 Received: from YTOPR01MB0554.CANPRD01.PROD.OUTLOOK.COM ([10.166.152.10]) by YTOPR01MB0554.CANPRD01.PROD.OUTLOOK.COM ([10.166.152.10]) with mapi id 15.01.1178.023; Thu, 22 Jun 2017 06:36:41 +0000 From: Namas Amitabha To: "user@hive.apache.org" Subject: hive authorization problem Thread-Topic: hive authorization problem Thread-Index: AdLrHz6VWjPW8VAKQUieKV1W8Llv6Q== Date: Thu, 22 Jun 2017 06:36:41 +0000 Message-ID: Accept-Language: zh-CN, en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: hive.apache.org; dkim=none (message not signed) header.d=none;hive.apache.org; dmarc=none action=none header.from=hotmail.com; x-incomingtopheadermarker: OriginalChecksum:F090B7D2B434854A34ED915EB1A1F7BDB67CA799077A6CBB3502ADAD0F4A623C;UpperCasedChecksum:6DBC2120B3D54338FE7BCABBEBCE80D16ED53C055B36891D9E4C4A74B1546A8A;SizeAsReceived:6981;Count:42 x-tmn: [VpqkZej2vO4nOc0o9cpIssPEP+EXzXRR] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;BY2NAM03HT213;7:Bt1wyQMfiP06vqc59Z3tawE6qcbmiVdUdE3KpRkeH+pfHNTyq5I4qdi2T0oOsijZI3L84sIgFznMy3lHqNlki8vZA9ZOJ7+EYENv2j6rKMllA0PS/yD/Fxz2ZtMM02ER1BrpIpleA4dpfF0QK1Io3l58Q9W535qVkJHWJlsh5ufKbHDd75o8Av/9GvWiygE4bT/eP1iykdjQ1dGi+x+O8DKBUAGJSd3PjA219nnTd3WvKGvO8d5W1d43X7smNkx6RaYzF+dscsOZSv2/EreUUn/1yisEoqUeKHbpP1QzYEgIeA8z13qphpc9Ff82xQSq72fe30/qbbBkOEj5weIOoGgytIPsm3QxZxQqi9yY4GzebC7xEDnoeXSIoHiniyshcuQ0a0RrmoOACw6p0+9RbKk3YQVJfIJkKatL8raHE/O9SGaYx0GgmaHAP7pK9F0KSWtwcr0myYtOxhWKeEApizFZGRnNEawngz0lNtrXd0UR3OoyK8WLHXSrob9oHKEzmsQpKzKB/bpDyl2aulZYBNP6F6JiKJ8A9yS3uXEm8QUMt6X0R7lXwbZUqyvfbw/SXdOXUyVXPZlmyCcsRmgjJn0DTqj8eWP/uVqszrxIadWSp5U3ykrBfT71Iw0yzVINx/d+zK8kFE22aTDqMyDlYqcpOh5gkKh7lgx4J85U1IwT5tFsamKhe/eoSuuvzwI4hJAK33WKIr5NMzOOQ+atoNjR1BfZFsfmg/v1lqDHV5zQwkPIqkmQh8LZh0x6Vqiq8fRjL8kccEoL8zqFIbabxQ== x-incomingheadercount: 42 x-eopattributedmessage: 0 x-forefront-antispam-report: EFV:NLI;SFV:NSPM;SFS:(7070007)(98901004);DIR:OUT;SFP:1901;SCL:1;SRVR:BY2NAM03HT213;H:YTOPR01MB0554.CANPRD01.PROD.OUTLOOK.COM;FPR:;SPF:None;LANG:en; x-ms-office365-filtering-correlation-id: 6d8a875a-68fd-4420-4ca3-08d4b9390ad8 x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500055)(300135000095)(300000501055)(300135300095)(300000502055)(300135100095)(22001)(300000503055)(300135400095)(201702061074)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031324274)(2017031323274)(2017031322274)(1601125374)(1603101448)(1701031045)(300000504055)(300135200095)(300000505055)(300135600095)(300000506048)(300135500095);SRVR:BY2NAM03HT213; x-ms-traffictypediagnostic: BY2NAM03HT213: x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(444000031);SRVR:BY2NAM03HT213;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BY2NAM03HT213; x-forefront-prvs: 03468CBA43 spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_YTOPR01MB05541425CBC3EE0813F6D363AFDB0YTOPR01MB0554CANP_" MIME-Version: 1.0 X-OriginatorOrg: hotmail.com X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jun 2017 06:36:41.1523 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Internet X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2NAM03HT213 archived-at: Thu, 22 Jun 2017 06:36:55 -0000 --_000_YTOPR01MB05541425CBC3EE0813F6D363AFDB0YTOPR01MB0554CANP_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi all, I met a problem with Hive Default Authorization - Legacy Mode, I tried to enable the authorization on hiveserver2, and this is my hive-sit= e.xml in hiveserver2 conf: hive.security.authorization.enabled true hive.security.authorization.createtable.owner.grants ALL hive.semantic.analyzer.hook com.hive.auth.AuthHook just for super administrator hive.security.authorization.task.factory org.apache.hadoop.hive.ql.parse.authorization.HiveAuthorization= TaskFactoryImpl The problem I met is that when I create a view of a table,and grant the sel= ect privilege of the view to somebody, then hive will check the view privilege first,and after that,hive check the= table privilege again.Like this: create view v_dual as select * from dual; grant select on v_dual to user test; And when user test tried to execute this sql : select * from v_dual, hive t= hrows an Error: "Error: Error while compiling statement: No privilege 'Sele= ct' found for inputs { database:default, table:dual, columnName:foo} (state= =3D42000,code=3D403)" But the hive wiki says that The default authorization model in Hive can be = used to provide fine grained access control by creating views and granting = access to views instead of the underlying tables. So I'm confused that why I am not performing this well as the wiki describe= d. --_000_YTOPR01MB05541425CBC3EE0813F6D363AFDB0YTOPR01MB0554CANP_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

 

Hi all,

 

I met a problem with Hive Default Authorization - Legacy Mode,

I tried to enable the authorization on hiveserver2, and= this is my hive-site.xml in hiveserver2 conf:

<property>

  <name>hive.security.authorization.ena= bled</name> 

  <value>true</value>

</property>

<property>

  <name>hive.security.authorization.createta= ble.owner.grants</name>

  <value>ALL</value>=

</property>

<property>

     <name>hive.semantic.anal= yzer.hook</name>

     <value>com.hive.auth.Aut= hHook</value>

     <description>just for su= per administrator</description>

</property>

<property>

     <name>hive.security.auth= orization.task.factory</name>

     <value>org.apache.hadoop= .hive.ql.parse.authorization.HiveAuthorizationTaskFactoryImpl</value>=

</property>

 

The problem I met is that when I create a view of a tab= le,and grant the select privilege of the view to somebody,

then hive will check the view privilege first,and after= that,hive check the table privilege again.Like this:

create view v_dual as select * from dual;

grant select on v_dual to user test;<= /p>

And when user test tried to execute this sql : select *= from v_dual, hive throws an Error: “Error: Error while compiling sta= tement: No privilege 'Select' found for inputs { database:default, table:dual, columnName:foo} (state=3D42000,code=3D403)”

But the hive wiki says that The default authorization model in Hive = can be used to provide fine grained access control by creating views and gr= anting access to views instead of the underlying tables.

So I’m confused th= at why I am not performing this well as the wiki described.

--_000_YTOPR01MB05541425CBC3EE0813F6D363AFDB0YTOPR01MB0554CANP_--