[
https://issues.apache.org/jira/browse/RANGER-2976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187420#comment-17187420
]
Pradeep Agrawal edited comment on RANGER-2976 at 8/31/20, 4:20 AM:
-------------------------------------------------------------------
[~Symious]: I would be able to let you know only after testing this patch. It may
take time to get the env. and test. If possible, please raise the review request.
was (Author: pradeep.agrawal):
[~Symious]: I would be able to let you know only after testing this patch. It may
take time to get the env. and test.
> User can not create external table in Hive Plugin
> -------------------------------------------------
>
> Key: RANGER-2976
> URL: https://issues.apache.org/jira/browse/RANGER-2976
> Project: Ranger
> Issue Type: Bug
> Components: plugins
> Affects Versions: 2.0.0
> Reporter: Janus Chow
> Priority: Major
> Attachments: RANGER-2976.patch
>
>
> A user "userA" wants to create an external table on "hdfs://test/testDir"
> via a Hive Metastore with the Ranger Hive plugin installed. Permission
> information is as follows.
> {code:java}
> # id userA
> uid=3044(userA) gid=3044(userA) groups=992(supergroup)
> # hadoop fs -ls hdfs://test
> drwxrwxr-x - userB supergroup 0 2019-01-01 00:00 hdfs://test/testDir
> # hadoop fs -ls hdfs://test/testDir
> -rw-rw-r-- 3 userB supergroup 1000000 2019-01-01 00:00 hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet
> {code}
> When "userA" is trying to create an external table on "hdfs://test/testDir"
> with the following command,
> {code:java}
> spark.sql("create table userA_test USING org.apache.spark.sql.parquet OPTIONS ( path = 'hdfs://test/testDir')")
> {code}
> Ranger denied the operation with the following error message.
> {code:java}
> org.apache.hadoop.hive.ql.metadata.HiveException:
> MetaException(message:Permission denied: user [userA] does not have [ALL]
> privilege on [hdfs://test/testDir])
> {code}
> The reason is that when Ranger checks URI permission, it checks whether the
> user has FSAction.ALL on the URI if "userA" is not the owner of the HDFS
> path, but HDFS files do not have the execute permission set by default, so the
> Ranger permission check returns false.
> I think in the getURIAccessType function in RangerHiveAuthorizer, we should
> return FSAction.READ_WRITE instead of FSAction.ALL. For an HDFS directory,
> Hadoop will add FSAction.EXECUTE for us when we do the permission check, so
> we can skip FSAction.EXECUTE here to work well with HDFS files.
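The check described in the report, as a small Python model added here for illustration (not Ranger or Hadoop code): it applies the owner/group/other mode bits from the listing to each entry and compares a required action of ALL against READ_WRITE. It assumes, as the report's explanation implies, that the required action is tested against the files under the URI as well as the directory; `Entry`, `granted_bits` and `denied_paths` are hypothetical names and the parquet file name is shortened.

```python
from dataclasses import dataclass

# FsAction-style bit masks (r=4, w=2, x=1), named as in the report.
READ, WRITE, EXECUTE = 4, 2, 1
READ_WRITE = READ | WRITE
ALL = READ | WRITE | EXECUTE


@dataclass
class Entry:
    """One line of `hadoop fs -ls` output (constructed from the report's listing)."""
    path: str
    mode: str   # e.g. "drwxrwxr-x"
    owner: str
    group: str


def granted_bits(entry, user, groups):
    """Return the rwx bits that apply to `user`: owner, group or other class."""
    perms = entry.mode[1:]
    if user == entry.owner:
        triad = perms[0:3]
    elif entry.group in groups:
        triad = perms[3:6]
    else:
        triad = perms[6:9]
    return sum(bit for ch, bit in zip(triad, (READ, WRITE, EXECUTE)) if ch != "-")


def denied_paths(entries, user, groups, required):
    """Paths where `user` lacks `required`.

    Directories additionally need EXECUTE, modelling the report's statement
    that Hadoop adds EXECUTE for directories during the permission check.
    """
    denied = []
    for e in entries:
        need = (required | EXECUTE) if e.mode.startswith("d") else required
        if (granted_bits(e, user, groups) & need) != need:
            denied.append(e.path)
    return denied


# Constructed sample input: the two entries shown in the report (file name shortened).
LISTING = [
    Entry("hdfs://test/testDir", "drwxrwxr-x", "userB", "supergroup"),
    Entry("hdfs://test/testDir/part-00000.snappy.parquet", "-rw-rw-r--", "userB", "supergroup"),
]
```

With ALL required, userA (a member of supergroup) is denied only on the data file, which has no execute bit; with READ_WRITE required the same user passes, while a user outside the owner and group classes is still denied on both entries.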