ranger-dev mailing list archives

From "Selvamohan Neethiraj (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-820) RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects
Date Mon, 25 Jan 2016 17:14:40 GMT

    [ https://issues.apache.org/jira/browse/RANGER-820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15115571#comment-15115571 ]

Selvamohan Neethiraj commented on RANGER-820:

[~hkropp] - I am assuming that you have added the hive user to the HDFS policies to resolve this
issue. If so, can you please remove the "workaround as Use Hive CLI" from the description
and mark this issue as resolved.

> RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects
> ------------------------------------------------------------------
>                 Key: RANGER-820
>                 URL: https://issues.apache.org/jira/browse/RANGER-820
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: ranger
>         Environment: HiveServer2
>            Reporter: Henning Kropp
> *Update*: _This is not an issue. To resolve also add the hive user to the policy._
> RangerHiveAuthorizer uses the method {{isURIAccessAllowed}} during the creation of new objects, which relies solely on {{FileUtil}} and {{FileStatus}} to check whether the user has the required rights in the FS hierarchy or not.
> If, following best practices, a folder is for example owned by hdfs and only the hdfs user is given RWX access, it is impossible for any user to create an external table in that folder through HS2, even if given access privileges by Ranger policies.
> *Resulting exception*:
> {code}
> Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [user] does not have [READ] privilege on [hdfs://path/...]
> at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:249)
> at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:779)
> at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:574)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:468)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
> at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
> at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1116)
> at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:110)
> ... 15 more
> {code}
> *Workaround*: Use Hive CLI

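A simplified model of the check the report describes, one that decides from owner, group and mode bits alone. It is added here as an illustration and is not code from Ranger, Hive or Hadoop. The class name, the paths, the constructed policy set and the nearest-existing-ancestor rule are assumptions.

```java
import java.util.*;

// Simplified model, not Ranger or Hadoop code: a URI check that sees only
// owner, group and mode bits, the kind of data a FileStatus carries.
public class FsOnlyUriCheck {
    static final int READ = 4, WRITE = 2, EXECUTE = 1;

    // Constructed stand-in for the ownership fields of a file status.
    static final class Status {
        final String owner, group;
        final int mode; // octal permission bits, e.g. 0700
        Status(String owner, String group, int mode) {
            this.owner = owner; this.group = group; this.mode = mode;
        }
    }

    // Assumption: a location that does not exist yet is judged by its
    // nearest existing ancestor. The map must contain "/".
    static Status nearestExisting(Map<String, Status> fs, String path) {
        String p = path;
        while (!fs.containsKey(p)) {
            int i = p.lastIndexOf('/');
            p = (i <= 0) ? "/" : p.substring(0, i);
        }
        return fs.get(p);
    }

    // Select the owner, group or other triplet, then test the wanted bits.
    static boolean allowedByMode(Status st, String user, Set<String> groups, int wanted) {
        int bits = user.equals(st.owner) ? (st.mode >> 6) & 7
                 : groups.contains(st.group) ? (st.mode >> 3) & 7
                 : st.mode & 7;
        return (bits & wanted) == wanted;
    }

    public static void main(String[] args) {
        Map<String, Status> fs = new HashMap<>();   // constructed namespace
        fs.put("/", new Status("hdfs", "hdfs", 0755));
        fs.put("/secure", new Status("hdfs", "hdfs", 0700));
        Set<String> policyUsers = Set.of("user");   // constructed policy grant

        Status st = nearestExisting(fs, "/secure/ext_table");
        for (String u : List.of("hdfs", "user")) {
            boolean byMode = allowedByMode(st, u, Set.of(), READ);
            System.out.printf("%s: policy grant=%b, mode-only READ=%b%n",
                    u, policyUsers.contains(u), byMode);
        }
    }
}
```

The mode check never consults the policy set, which is the symptom the report describes for a folder owned by hdfs with access limited to the hdfs user.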