[ https://issues.apache.org/jira/browse/RANGER-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16225286#comment-16225286 ]
Zsombor Gegesy commented on RANGER-1865:
----------------------------------------
I think this is the intended functionality: if the current user doesn't have
read permission on that HDFS path, then Hive shouldn't proxy the call (you
tried to access an external Hive table, not an internal one).
Otherwise, this would be a security hole, as any user could read any file
that is readable by Hive.

> hive plugin alter table add partition failed HiveAccessControlException
> Permission denied: user does not have [READ] privilege on location
> ------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-1865
> URL: https://issues.apache.org/jira/browse/RANGER-1865
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 0.6.3
> Reporter: chuanjie.duan
> Priority: Critical
> Labels: hive-agent
> Attachments: RANGER-1865.patch
>
>
> hive execute insert sql:alter table tablename add if not exists
> partition(yyyymmdd='20170911',ds='rcc_02') location
> 'hdfs://xxxx/yyyymmdd=20170911/ds=rcc_02'
> Client Log:
> org.apache.hive.service.cli.HiveSQLException: Error while compiling
> statement: FAILED: HiveAccessControlException Permission denied: user
> [username] does not have [READ] privilege on
> [hdfs://xxxx/yyyymmdd=20170911/ds=rcc_02]
> Hiveserver Log:
> 017-10-27 16:53:26,929 ERROR [HiveServer2-Handler-Pool: Thread-43]:
> authorizer.RangerHiveAuthorizer
> (RangerHiveAuthorizer.java:isURIAccessAllowed(1034)) - Error getting
> permissions for hdfs://xxxx/yyyymmdd=20170911/ds=rcc_02
> java.net.ConnectException: Call From hostname/ipaddress to hiveserver
> host:9000 failed on connection exception: java.net.ConnectException:
> Connection refused; For more details see:
> http://wiki.apache.org/hadoop/ConnectionRefused
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
> Method)
> at
> sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
> at
> sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
> at org.apache.hadoop.net.NetUtils.wrapWithMessage(NetUtils.java:792)
> at org.apache.hadoop.net.NetUtils.wrapException(NetUtils.java:732)
> at org.apache.hadoop.ipc.Client.call(Client.java:1480)
> at org.apache.hadoop.ipc.Client.call(Client.java:1407)
> at
> org.apache.hadoop.ipc.ProtobufRpcEngine$Invoker.invoke(ProtobufRpcEngine.java:229)
> at com.sun.proxy.$Proxy12.getFileInfo(Unknown Source)
> at
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolTranslatorPB.getFileInfo(ClientNamenodeProtocolTranslatorPB.java:771)
> at sun.reflect.GeneratedMethodAccessor10.invoke(Unknown Source)
> Cause:
> Hive security has Kerberos enabled; the Hive plugin should authenticate
> first when accessing HDFS.
>
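The reasoning in the comment above, as an added example that is not from the Ranger or Hive code base: a constructed model of HDFS-style owner/group/other read bits in which the URI check is made once as the service account and once as the requesting user. All users, groups, hosts and function names are assumptions, and ACLs and the HDFS superuser are left out.

```python
from dataclasses import dataclass

READ = 4  # read bit within one rwx triplet of an HDFS-style mode

@dataclass(frozen=True)
class FileStatus:
    owner: str
    group: str
    mode: int  # e.g. 0o750

class StatusLookupError(Exception):
    """The file system could not be reached or the path is unknown."""

# Constructed sample data: hosts, paths, users and groups are illustrative.
EXTERNAL = "hdfs://nn.example/ext/yyyymmdd=20170911/ds=rcc_02"
SHARED = "hdfs://nn.example/shared/yyyymmdd=20170911/ds=rcc_02"
NAMESPACE = {
    EXTERNAL: FileStatus("hive", "hadoop", 0o750),
    SHARED: FileStatus("etl", "analysts", 0o750),
}
GROUPS = {"hive": {"hadoop"}, "alice": {"analysts"}, "bob": set()}
SERVICE_USER = "hive"

def get_status(path):
    try:
        return NAMESPACE[path]
    except KeyError:
        raise StatusLookupError(path) from None

def can_read(user, status):
    """Owner, then group, then other: the first matching class decides."""
    if user == status.owner:
        shift = 6
    elif status.group in GROUPS.get(user, set()):
        shift = 3
    else:
        shift = 0
    return bool((status.mode >> shift) & READ)

def allowed_as_service(end_user, path):
    """Weak form: the caller's identity is ignored, the service's is used."""
    return can_read(SERVICE_USER, get_status(path))

def allowed_as_end_user(end_user, path):
    """Checked form: decide for the requesting user; a failed lookup denies."""
    try:
        return can_read(end_user, get_status(path))
    except StatusLookupError:
        return False
```

With the sample data, `bob` is granted the external location only by the service-identity check, which is the "any user could read any file readable by Hive" case the comment describes.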