ranger-dev mailing list archives

From "Henning Kropp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-820) RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects
Date Mon, 25 Jan 2016 16:48:39 GMT

    [ https://issues.apache.org/jira/browse/RANGER-820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115516#comment-15115516 ]

Henning Kropp commented on RANGER-820:
--------------------------------------

This is not an issue. To resolve this, also add the {{hive}} user to the policy.

> RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects
> ------------------------------------------------------------------
>
>                 Key: RANGER-820
>                 URL: https://issues.apache.org/jira/browse/RANGER-820
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: ranger
>         Environment: HiveServer2
>            Reporter: Henning Kropp
>
> *Update*: _This is not an issue. To resolve also add the hive user to the policy._
> RangerHiveAuthorizer uses method {{isURIAccessAllowed}} during the creation of new objects, which relies solely on {{FileUtil}} and {{FileStatus}} to check whether the user has the required rights in the FS hierarchy or not.
> If, following best practices, a folder is for example owned by hdfs and only the hdfs user is given RWX access, it is impossible for any user to create an external table in that folder through HS2, even if given access privileges by Ranger policies.
> *Resulting exception*:
> {code}
> Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [user] does not have [READ] privilege on [hdfs://path/...]
> at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:249)
> at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:779)
> at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:574)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:468)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
> at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
> at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1116)
> at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:110)
> ... 15 more
> {code}
> *Workaround*: Use Hive CLI



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
