[ https://issues.apache.org/jira/browse/RANGER-1947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16318550#comment-16318550 ]

Zsombor Gegesy commented on RANGER-1947:
----------------------------------------

Writing to HDFS should be checked by the HDFS plugin. If Hive is configured 
with user impersonation, then it will inherit the user's rights; otherwise it 
will try to act as user 'hive'. You should configure an appropriate HDFS policy 
for your cluster to avoid the problem.

> RangerHivePlugin does not authorize location on INSERT OVERWRITE DIRECTORY 
> query
> --------------------------------------------------------------------------------
>
>                 Key: RANGER-1947
>                 URL: https://issues.apache.org/jira/browse/RANGER-1947
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 0.7.1
>         Environment: hadoop 2.7.5 + hive 2.3.2 + ranger 0.7.1
>            Reporter: Jake Moon
>
> {code}
> insert overwrite directory '/user/user1/nonewrite3'
> ROW FORMAT DELIMITED 
> FIELDS TERMINATED BY ','
> SELECT u.id, u.age, u.city, c.city
> FROM user_table  u JOIN city_table c ON (u.city = c.code)
> WHERE u.age > 25
> AND u.age <= 28
> AND c.city = 'New York'
> {code}
> This query's Hive operation type is HiveOperationType.QUERY, and it also has a 
> write location of 'hdfs://my.cluster/user/user1/nonewrite3'.
> RangerHiveAuthorizer must authorize the location, but 
> getURIAccessType(HiveOperationType.QUERY) always returns FsAction.NONE, so 
> it does not work.
> If hive-server2 has enough permission on HDFS with no impersonation, every 
> user can format HDFS like this.
> {code}
> insert overwrite directory '/'
> ROW FORMAT DELIMITED 
> FIELDS TERMINATED BY ','
> SELECT 1
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
