[ https://issues.apache.org/jira/browse/HIVE-8045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thejas M Nair updated HIVE-8045:
--------------------------------
    Description: 
HIVE-7533 enabled sql std authorization to be set in hive cli (without enabling 
authorization checks). This updates hive configuration so that create-table and 
create-views set permissions appropriately for the owner of the table.
HIVE-7209 added a metastore authorization provider that can be used to 
restrict calls made to the authorization api, so that only HS2 can make those 
calls (when HS2 uses embedded metastore).

Some issues were found with this.

# Even if hive.security.authorization.enabled=false, authorization checks were 
happening for non sql statements such as add/delete/dfs/compile, which results in 
MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
# Create table from hive-cli ended up calling metastore server api call 
(getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an 
error.
# Some users prefer to enable authorization using hive-site.xml for 
hive-server2 (hive.security.authorization.enabled param). If this file is 
shared by hive-cli and hive-server2, SQL std authorizer throws an error 
because its use in hive-cli is not allowed.



  was:
Unable to create external tables from hive cli after setting following two 
properties in hive-site.xml
{noformat}
<property>
  <name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>
<property>
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider,org.apache.hadoop.hive.ql.security.authorization.MetaStoreAuthzAPIAuthorizerEmbedOnly</value>
</property>
{noformat}

Table creation fails with the following error message:
{noformat}
hive> create external table abc(i int); 
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=Driver.run from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=TimeToSubmit from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO ql.Driver: Concurrency mode is disabled, not creating a lock manager
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=compile from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO log.PerfLogger: <PERFLOG method=parse from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:23 [main]: INFO parse.ParseDriver: Parsing command: create external table abc(i int)
14/09/09 20:21:24 [main]: INFO parse.ParseDriver: Parse Completed
14/09/09 20:21:24 [main]: INFO log.PerfLogger: </PERFLOG method=parse start=1410294083692 end=1410294084088 duration=396 from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:24 [main]: INFO log.PerfLogger: <PERFLOG method=semanticAnalyze from=org.apache.hadoop.hive.ql.Driver>
14/09/09 20:21:24 [main]: INFO parse.SemanticAnalyzer: Starting Semantic Analysis
14/09/09 20:21:24 [main]: INFO parse.SemanticAnalyzer: Creating table default.abc position=22
FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
14/09/09 20:21:24 [main]: ERROR ql.Driver: FAILED: RuntimeException org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
java.lang.RuntimeException: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
        at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:633)
        at org.apache.hadoop.hive.ql.session.SessionState.getAuthenticator(SessionState.java:1132)
        at org.apache.hadoop.hive.ql.session.SessionState.getUserFromAuthenticator(SessionState.java:822)
        at org.apache.hadoop.hive.ql.metadata.Table.getEmptyTable(Table.java:175)
        at org.apache.hadoop.hive.ql.metadata.Table.<init>(Table.java:117)
        at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.addDbAndTabToOutputs(SemanticAnalyzer.java:10302)
        at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.analyzeCreateTable(SemanticAnalyzer.java:10198)
        at org.apache.hadoop.hive.ql.parse.SemanticAnalyzer.analyzeInternal(SemanticAnalyzer.java:9405)
        at org.apache.hadoop.hive.ql.parse.BaseSemanticAnalyzer.analyze(BaseSemanticAnalyzer.java:208)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:402)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:298)
        at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:992)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1062)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:929)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:919)
        at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:246)
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:198)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:408)
        at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:781)
        at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:675)
        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:614)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:221)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:136)
Caused by: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAuthzPluginException: Failed to retrieve roles for hrt_qa: Metastore Authorization api invocation for remote metastore is disabled in this configuration.
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLAuthorizationUtils.getPluginException(SQLAuthorizationUtils.java:416)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRolesFromMS(SQLStdHiveAccessController.java:161)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.initUserRoles(SQLStdHiveAccessController.java:142)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.<init>(SQLStdHiveAccessController.java:96)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessControllerWrapper.<init>(SQLStdHiveAccessControllerWrapper.java:57)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory.createHiveAuthorizer(SQLStdHiveAuthorizerFactory.java:35)
        at org.apache.hadoop.hive.ql.session.SessionState.setupAuth(SessionState.java:624)
        ... 26 more
Caused by: MetaException(message:Metastore Authorization api invocation for remote metastore is disabled in this configuration.)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result$get_role_grants_for_principal_resultStandardScheme.read(ThriftHiveMetastore.java)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result$get_role_grants_for_principal_resultStandardScheme.read(ThriftHiveMetastore.java)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$get_role_grants_for_principal_result.read(ThriftHiveMetastore.java)
        at org.apache.thrift.TServiceClient.receiveBase(TServiceClient.java:78)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.recv_get_role_grants_for_principal(ThriftHiveMetastore.java:3402)
        at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Client.get_role_grants_for_principal(ThriftHiveMetastore.java:3389)
        at org.apache.hadoop.hive.metastore.HiveMetaStoreClient.get_role_grants_for_principal(HiveMetaStoreClient.java:1571)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.hadoop.hive.metastore.RetryingMetaStoreClient.invoke(RetryingMetaStoreClient.java:90)
        at com.sun.proxy.$Proxy9.get_role_grants_for_principal(Unknown Source)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRoleGrants(SQLStdHiveAccessController.java:170)
        at org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAccessController.getRolesFromMS(SQLStdHiveAccessController.java:148)
        ... 31 more
{noformat}



> SQL standard auth with cli - Errors and configuration issues
> ------------------------------------------------------------
>
>                 Key: HIVE-8045
>                 URL: https://issues.apache.org/jira/browse/HIVE-8045
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization
>            Reporter: Jagruti Varia
>            Assignee: Thejas M Nair
>
> HIVE-7533 enabled sql std authorization to be set in hive cli (without 
> enabling authorization checks). This updates hive configuration so that 
> create-table and create-views set permissions appropriately for the owner of 
> the table.
> HIVE-7209 added a metastore authorization provider that can be used to 
> restrict calls made to the authorization api, so that only HS2 can make 
> those calls (when HS2 uses embedded metastore).
> Some issues were found with this.
> # Even if hive.security.authorization.enabled=false, authorization checks 
> were happening for non sql statements such as add/delete/dfs/compile, which 
> results in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an error.
> # Create table from hive-cli ended up calling metastore server api call 
> (getRoles) and resulted in MetaStoreAuthzAPIAuthorizerEmbedOnly throwing an 
> error.
> # Some users prefer to enable authorization using hive-site.xml for 
> hive-server2 (hive.security.authorization.enabled param). If this file is 
> shared by hive-cli and hive-server2, SQL std authorizer throws an error 
> because its use in hive-cli is not allowed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
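
A configuration check for the situation described in this issue, as an added example that is not part of the original message or of Hive's own code: it parses a hive-site.xml and flags the property combinations that the description ties to hive-cli errors. The helper names, finding labels and sample file are constructed for illustration; the property names and class names are the ones quoted in the issue.

```python
import xml.etree.ElementTree as ET

SQLSTD = ("org.apache.hadoop.hive.ql.security.authorization.plugin."
          "sqlstd.SQLStdHiveAuthorizerFactory")
EMBED_ONLY = ("org.apache.hadoop.hive.ql.security.authorization."
              "MetaStoreAuthzAPIAuthorizerEmbedOnly")
STORAGE = ("org.apache.hadoop.hive.ql.security.authorization."
           "StorageBasedAuthorizationProvider")

def prop(name, value):
    """Build one <property> element (helper for the constructed sample)."""
    return f"<property><name>{name}</name><value>\n{value}\n</value></property>"

# Constructed sample: the two properties from the report, plus the
# hive-server2 switch mentioned in item 3 of the description.
SAMPLE = "<configuration>" + "".join([
    prop("hive.security.authorization.manager", SQLSTD),
    prop("hive.security.metastore.authorization.manager",
         f"{STORAGE}, {EMBED_ONLY}"),
    prop("hive.security.authorization.enabled", "true"),
]) + "</configuration>"

def load_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration document."""
    props = {}
    for p in ET.fromstring(xml_text).iter("property"):
        name = (p.findtext("name") or "").strip()
        if name:
            props[name] = (p.findtext("value") or "").strip()
    return props

def classes(props, key):
    """Split a comma-separated class list, tolerating whitespace."""
    return [c.strip() for c in props.get(key, "").split(",") if c.strip()]

def cli_findings(xml_text):
    """Flag the HIVE-8045 conditions in a file that hive-cli also reads."""
    props = load_props(xml_text)
    sqlstd = SQLSTD in classes(props, "hive.security.authorization.manager")
    embed_only = EMBED_ONLY in classes(
        props, "hive.security.metastore.authorization.manager")
    enabled = props.get(
        "hive.security.authorization.enabled", "false").lower() == "true"
    findings = []
    if sqlstd and embed_only:   # items 1 and 2: authz api call is rejected
        findings.append("cli-authz-api-call-rejected")
    if sqlstd and enabled:      # item 3: shared file enables it for the cli
        findings.append("sqlstd-enabled-for-cli")
    return findings

if __name__ == "__main__":
    print(cli_findings(SAMPLE))
```

The two findings correspond to the behaviour reported in this issue; whether a given Hive build still exhibits it depends on whether it carries the fix.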
