[ 
https://issues.apache.org/jira/browse/HIVE-8045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14134556#comment-14134556
 ] 

Thejas M Nair commented on HIVE-8045:
-------------------------------------



Unable to create external tables from hive cli after setting the following two 
properties in hive-site.xml:
{noformat}
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>
{noformat}

Table creation fails with the following error message:
{noformat}
hive> create external table abc(i int);
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=Driver.run from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=TimeToSubmit from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO ql.Driver: Concurrency mode is disabled, not creating a lock manager
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=compile from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=parse from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO parse.ParseDriver: Parsing command: create external table abc(i int)
14/09/09 20:21:24 [main]: INFO parse.ParseDriver: Parse Completed
14/09/09 20:21:24 [main]: INFO log.PerfLogger: </PERFLOG method=parse start=1410294083692 end=1410294084088 duration=396 from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:24 [main]: INFO log.PerfLogger: <PERFLOG method=semanticAnalyze from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:24 [main]: INFO parse.SemanticAnalyzer: Starting Semantic Analysis
14/09/09 20:21:24 [main]: INFO parse.SemanticAnalyzer: Creating table default.abc position=22
FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
14/09/09 20:21:24 [main]: ERROR ql.Driver: FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
java.lang.RuntimeException: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
        at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:633)
        at org.apache.hadoop.hive.ql.session.SessionState.getAuthenticator(SessionState.java:1132)
        at org.apache.hadoop.hive.ql.session.SessionState.getUserFromAuthenticator(SessionState.java:822)
        at org.apache.hadoop.hive.ql.metadata.Table.getEmptyTable(Table.java:175)
        at org.apache.hadoop.hive.ql.metadata.Table.<init>(Table.java:117)
        at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.addDbAndTabToOutputs(SemanticAnalyzer.java:10302)
        at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.analyzeCreateTable(SemanticAnalyzer.java:10198)
        at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.analyzeInternal(SemanticAnalyzer.java:9405)
        at org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.analyze(BaseSemanticAnalyzer.java:208)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:402)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:298)
        at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:992)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1062)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:929)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:919)
        at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:246)
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:198)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:408)
        at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:781)
        at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:675)
        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:614)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:221)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:136)
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils.getPluginException(SQLAuthorizationUtils.java:416)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRolesFromMS(SQLStdHiveAccessController.java:161)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.initUserRoles(SQLStdHiveAccessController.java:142)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.<init>(SQLStdHiveAccessController.java:96)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessControllerWrapper.<init>(SQLStdHiveAccessControllerWrapper.java:57)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory.createHiveAuthorizer(SQLStdHiveAuthorizerFactory.java:35)
        at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:624)
        ... 26 more
Caused by: MetaException(message:Metastore Authorization api invocation for remote metastore is disabled in this configuration.)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result$get_role_grants_for_principal_resultStandardScheme.read(ThriftHiveMetastore.java)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result$get_role_grants_for_principal_resultStandardScheme.read(ThriftHiveMetastore.java)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result.read(ThriftHiveMetastore.java)
        at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_role_grants_for_principal(ThriftHiveMetastore.java:3402)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_role_grants_for_principal(ThriftHiveMetastore.java:3389)
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.get_role_grants_for_principal(HiveMetaStoreClient.java:1571)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(RetryingMetaStoreClient.java:90)
        at com.sun.proxy.$Proxy9.get_role_grants_for_principal(Unknown Source)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRoleGrants(SQLStdHiveAccessController.java:170)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRolesFromMS(SQLStdHiveAccessController.java:148)
        ... 31 more
{noformat}


> SQL standard auth with cli - Errors and configuration issues
> ------------------------------------------------------------
>
>                 Key: HIVE-8045
>                 URL: https://issues.apache.org/jira/browse/HIVE-8045
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Jagruti Varia
>            Assignee: Thejas M Nair
>
> HIVE-7533 enabled sql std authorization to be set in hive cli (without 
> enabling authorization checks). This updates hive configuration so that 
> create-table and create-views set permissions appropriately for the owner of 
> the table.
> HIVE-7209 added a metastore authorization provider that can be used to 
> restrict calls made to the authorization api, so that only HS2 can make 
> those calls (when HS2 uses embedded metastore).
> Some issues were found with this.
> # Even if hive.security.authorization.enabled=false, authorization checks 
> were happening for non-sql statements such as add/delete/dfs/compile, which 
> results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Create table from hive-cli ended up calling metastore server api call 
> (getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an 
> error.
> # Some users prefer to enable authorization using hive-site.xml for 
> hive-server2 (hive.security.authorization.enabled param). If this file is 
> shared by hive-cli and hive-server2, SQL std authorizer throws an error 
> because its use in hive-cli is not allowed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
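
An added example, not part of the JIRA comment or of Hive's own code: a Python check that reads a hive-site.xml and reports which of the conditions described in this issue are present in a file used by hive-cli. The sample file is constructed from the two properties quoted in the comment; the function names and finding labels are assumptions of this example.

```python
import xml.etree.ElementTree as ET

AUTHZ = "org.apache.hadoop.hive.ql.security.authorization"
SQLSTD = AUTHZ + ".plugin.sqlstd.SQLStdHiveAuthorizerFactory"
EMBED_ONLY = AUTHZ + ".MetaStoreAuthzAPIAuthorizerEmbedOnly"
STORAGE = AUTHZ + ".StorageBasedAuthorizationProvider"

def prop(name, value):
    """Build one <property> element (helper for the constructed sample)."""
    return f"<property><name>{name}</name><value>{value}</value></property>"

# Constructed sample: the two properties from the comment inside <configuration>.
SAMPLE = ("<configuration>"
          + prop("hive.security.authorization.manager", SQLSTD)
          + prop("hive.security.metastore.authorization.manager",
                 STORAGE + "," + EMBED_ONLY)
          + "</configuration>")

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    return props

def check_cli_config(xml_text):
    """Return (label, reason) pairs for the HIVE-8045 conditions found."""
    p = load_props(xml_text)
    findings = []
    sqlstd = p.get("hive.security.authorization.manager") == SQLSTD
    ms_raw = p.get("hive.security.metastore.authorization.manager", "")
    ms_managers = [m.strip() for m in ms_raw.split(",") if m.strip()]
    if sqlstd and EMBED_ONLY in ms_managers:
        findings.append(("embed-only-metastore-authz",
                         "hive-cli role lookup through the metastore authorization "
                         "api is rejected by MetaStoreAuthzAPIAuthorizerEmbedOnly"))
    enabled = p.get("hive.security.authorization.enabled", "false").lower()
    if sqlstd and enabled == "true":
        findings.append(("sqlstd-enabled-in-shared-file",
                         "authorization enabled with the SQL std authorizer; "
                         "its use in hive-cli is not allowed"))
    return findings

if __name__ == "__main__":
    for label, reason in check_cli_config(SAMPLE):
        print(label, "-", reason)
```
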
