[ https://issues.apache.org/jira/browse/RANGER-2976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17640696#comment-17640696 ]

Sugumar Srinivasan commented on RANGER-2976:
--------------------------------------------

Hi All, 

I am also facing a similar issue. Do we have any fix for this?

Version Details are below:
 # Apache Hadoop - 3.3.4
 # Apache Hive - 3.1.3
 # Apache Ranger - 2.0.0

Thanks & Regards, 

Sugumar Srinivasan. 

> User can not create external table in Hive Plugin
> -------------------------------------------------
>
>                 Key: RANGER-2976
>                 URL: https://issues.apache.org/jira/browse/RANGER-2976
>             Project: Ranger
>          Issue Type: Bug
>          Components: plugins
>    Affects Versions: 2.0.0
>            Reporter: Janus Chow
>            Priority: Major
>         Attachments: RANGER-2976.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> A user "userA" wants to create an external table on "hdfs://test/testDir" 
> via Hive Metastore installed Ranger Hive plugin. Permission information is as 
> follows.
> {code:java}
> # id userA
> uid=3044(userA) gid=3044(userA) groups=992(supergroup)
> # hadoop fs -ls hdfs://test
> drwxrwxr-x   - userB supergroup          0 2019-01-01 00:00 hdfs://test/testDir
> # hadoop fs -ls hdfs://test/testDir
> -rw-rw-r--   3 userB supergroup    1000000 2019-01-01 00:00 hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet
> {code}
> When "userA" is trying to create an external table on "hdfs://test/testDir" 
> with the following command, 
> {code:java}
> spark.sql("create table userA_test USING org.apache.spark.sql.parquet OPTIONS ( path = 'hdfs://test/testDir')")
> {code}
> Ranger denied the operation with the following error message.
> {code:java}
> org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:Permission denied: user [userA] does not have [ALL] privilege on [hdfs://test/testDir])
> {code}
> The reason is when Ranger is checking URI permission, it will check if the 
> user has FSAction.ALL on the URI if "userA" is not the owner of the HDFS 
> path, but HDFS file will not set the execution permission by default, so the 
> Ranger permission check will return false.
> I think in the getURIAccessType function in RangerHiveAuthorizer, we should 
> return FSAction.READ_WRITE instead of FSAction.ALL. For HDFS directory, 
> Hadoop will help us to add FSAction.EXECUTE when we are trying to do the 
> permission check, we can skip FSAction.EXECUTE here to work well with HDFS 
> files. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
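
The mode-bit arithmetic behind the denial described in the issue, as an added example that is not part of the original message and is not Ranger or Hadoop code. It models only POSIX-style HDFS mode bits for the listing quoted above; the function names are hypothetical, and it assumes the check is evaluated against both the directory and the file under it, as the report implies.

```python
# Added illustration: a model of HDFS mode-bit evaluation, not Ranger's implementation.
READ, WRITE, EXECUTE = 4, 2, 1
READ_WRITE = READ | WRITE          # mirrors FSAction.READ_WRITE (rw-)
ALL = READ | WRITE | EXECUTE       # mirrors FSAction.ALL (rwx)

def parse_mode(symbolic):
    """Convert an ls-style string such as '-rw-rw-r--' to (owner, group, other) bits."""
    if len(symbolic) != 10:
        raise ValueError("expected 10 characters, e.g. 'drwxr-xr-x'")
    triples = []
    for start in (1, 4, 7):
        bits = 0
        for ch, flag in zip(symbolic[start:start + 3], (READ, WRITE, EXECUTE)):
            if ch in "rwxst":      # lowercase s/t mean execute is set as well
                bits |= flag
        triples.append(bits)
    return tuple(triples)

def granted_bits(user, groups, entry):
    """Pick the owner, group or other triple that applies to this user."""
    owner_bits, group_bits, other_bits = parse_mode(entry["mode"])
    if user == entry["owner"]:
        return owner_bits
    if entry["group"] in groups:
        return group_bits
    return other_bits

def implies(granted, requested):
    """True when every requested bit is present in the granted bits."""
    return (granted & requested) == requested

def denied_paths(user, groups, entries, requested):
    """Return the paths on which the requested action is not fully granted."""
    return [e["path"] for e in entries
            if not implies(granted_bits(user, groups, e), requested)]

# Entries copied from the listing in the issue description.
ENTRIES = [
    {"path": "hdfs://test/testDir", "mode": "drwxrwxr-x",
     "owner": "userB", "group": "supergroup"},
    {"path": "hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet",
     "mode": "-rw-rw-r--", "owner": "userB", "group": "supergroup"},
]
USER_A_GROUPS = {"userA", "supergroup"}

if __name__ == "__main__":
    print("denied for ALL:       ", denied_paths("userA", USER_A_GROUPS, ENTRIES, ALL))
    print("denied for READ_WRITE:", denied_paths("userA", USER_A_GROUPS, ENTRIES, READ_WRITE))
```

Before widening a policy in response to this error, the same comparison shows which bit is actually missing: here only the execute bit on a data file, not read or write access to the directory.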