The thinking is that Hive authorization should be based on underlying HDFS authorization. So we are using the permissions of the table directory as a proxy on whether or not the user should be allowed to write to the table. You can see the original design at https://cwiki.apache.org/confluence/display/HCATALOG/HCatalogAuthorizationProposal
We are changing this to fit into Hive's security model, though this is an implementation change and not a change of how permissions are determined (see https://issues.apache.org/jira/browse/HCATALOG-244).

Alan.

On Feb 8, 2012, at 12:28 PM, Travis Crawford wrote:

> Hey hcat gurus -
>
> What's the reason for requiring the HiveMetaStore user have write
> access to a partition directory to add the partition to a table? Hive
> has the notion of external tables which are useful for existing data,
> however partitions cannot be added to external tables unless the HMS
> has write access to the partition HDFS directory.
>
> Instead of requiring write access to the partition, should
> adding/removing partitions require:
>
> * write access to the table
> * read access to the partition
>
> This would allow users to manage external tables through HCat.
>
> Thoughts?
>
>
> DETAILS:
>
> This came up while running the following hcat command (slightly
> modified for the mailing list):
>
> use data; ALTER TABLE foo ADD PARTITION (dt="20120208") LOCATION '/data/foo/2012/02/08'
>
> And debugging the following stack trace:
>
> 2012-02-08 20:05:26,218 ERROR ql.Driver (SessionState.java:printError(380)) - FAILED: Error in semantic analysis: org.apache.hcatalog.common.HCatException : 3000 : Permission denied
> org.apache.hadoop.hive.ql.parse.SemanticException: org.apache.hcatalog.common.HCatException : 3000 : Permission denied
>     at org.apache.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:178)
>     at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:432)
>     at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:337)
>     at org.apache.hadoop.hive.ql.Driver.run(Driver.java:889)
>     at org.apache.hcatalog.cli.HCatDriver.run(HCatDriver.java:42)
>     at org.apache.hcatalog.cli.HCatCli.processCmd(HCatCli.java:230)
>     at org.apache.hcatalog.cli.HCatCli.processLine(HCatCli.java:186)
>     at org.apache.hcatalog.cli.HCatCli.main(HCatCli.java:150)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.hadoop.util.RunJar.main(RunJar.java:156)
> Caused by: org.apache.hcatalog.common.HCatException : 3000 : Permission denied
>     at org.apache.hcatalog.common.AuthUtils.authorize(AuthUtils.java:98)
>     at org.apache.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.authorize(HCatSemanticAnalyzer.java:207)
>     at org.apache.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:134)
>     ... 12 more
>
> Thanks!
> Travis
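
The two permission rules discussed in this thread, compared side by side as an added example (not part of either message and not HCatalog's code). It assumes a simplified model of HDFS mode bits; the table path, the `hcat`, `etl` and `analyst` principals, the groups and the modes are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 4, 2  # POSIX-style permission bits, as HDFS uses them


@dataclass(frozen=True)
class HdfsDir:
    path: str
    owner: str
    group: str
    mode: int  # e.g. 0o755


def allowed(user, groups, d, want):
    """Simplified HDFS check: exactly one class applies (owner, else group, else other).
    Assumption: no ACLs, no superuser, no parent-directory traversal check."""
    if user == d.owner:
        bits = (d.mode >> 6) & 7
    elif d.group in groups:
        bits = (d.mode >> 3) & 7
    else:
        bits = d.mode & 7
    return bits & want == want


def current_rule(user, groups, table, partition):
    # Behaviour reported in the thread: write access to the partition directory.
    return allowed(user, groups, partition, WRITE)


def proposed_rule(user, groups, table, partition):
    # Proposal in the thread: write access to the table, read access to the partition.
    return allowed(user, groups, table, WRITE) and allowed(user, groups, partition, READ)


# Constructed sample: table directory owned by a hypothetical metastore user,
# external partition data owned by a hypothetical ETL account.
TABLE = HdfsDir("/warehouse/foo", "hcat", "hadoop", 0o755)
PARTITION = HdfsDir("/data/foo/2012/02/08", "etl", "etl", 0o755)


def decide(user, groups, table=TABLE, partition=PARTITION):
    return {"current": current_rule(user, groups, table, partition),
            "proposed": proposed_rule(user, groups, table, partition)}


if __name__ == "__main__":
    for user, groups in [("hcat", {"hadoop"}), ("etl", {"etl"}), ("analyst", {"users"})]:
        print(user, decide(user, groups))
```

With these sample modes the table owner is refused under the current rule and accepted under the proposed one, while the owner of the partition data is accepted under the current rule despite having no write access to the table directory.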
