ranger-dev mailing list archives

From "Henning Kropp (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (RANGER-820) RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects
Date Mon, 25 Jan 2016 18:33:39 GMT

     [ https://issues.apache.org/jira/browse/RANGER-820?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Henning Kropp updated RANGER-820:
---------------------------------
    Description: 
*Update*: _This is not an issue. To resolve also add the hive user to the policy._

RangerHiveAuthorizer uses method {{isURIAccessAllowed}} during the creation of new objects
which relies solely on {{FileUtil}} and {{FileStatus}} to check whether the user has the required
rights in the FS hierarchy or not.

If following best practices a folder is for example owned by hdfs and only the hdfs user is
given RWX access it is impossible for any user to create an external table in that folder
through HS2, even if given access privileges by Ranger policies.

*Resulting exception*:
{code}
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
Permission denied: user [user] does not have [READ] privilege on [hdfs://path/...]
at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:249)
at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:779)
at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:574)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:468)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1116)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:110)
... 15 more
{code}

  was:
*Update*: _This is not an issue. To resolve also add the hive user to the policy._

RangerHiveAuthorizer uses method {{isURIAccessAllowed}} during the creation of new objects
which relies solely on {{FileUtil}} and {{FileStatus}} to check whether the user has the required
rights in the FS hierarchy or not.

If following best practices a folder is for example owned by hdfs and only the hdfs user is
given RWX access it is impossible for any user to create an external table in that folder
through HS2, even if given access privileges by Ranger policies.

*Resulting exception*:
{code}
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
Permission denied: user [user] does not have [READ] privilege on [hdfs://path/...]
at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:249)
at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:779)
at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:574)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:468)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1116)
at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:110)
... 15 more
{code}

*Workaround*: Use Hive CLI


> RangerHiveAuthorizer Ignores HDFS Policies for Creation of Objects
> ------------------------------------------------------------------
>
>                 Key: RANGER-820
>                 URL: https://issues.apache.org/jira/browse/RANGER-820
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: ranger
>         Environment: HiveServer2
>            Reporter: Henning Kropp
>
> *Update*: _This is not an issue. To resolve also add the hive user to the policy._
> RangerHiveAuthorizer uses method {{isURIAccessAllowed}} during the creation of new objects
> which relies solely on {{FileUtil}} and {{FileStatus}} to check whether the user has the required
> rights in the FS hierarchy or not.
> If following best practices a folder is for example owned by hdfs and only the hdfs user
> is given RWX access it is impossible for any user to create an external table in that folder
> through HS2, even if given access privileges by Ranger policies.
> *Resulting exception*:
> {code}
> Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
> Permission denied: user [user] does not have [READ] privilege on [hdfs://path/...]
> at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:249)
> at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:779)
> at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:574)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:468)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
> at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
> at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1116)
> at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:110)
> ... 15 more
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
