[jira] [Assigned] (HIVE-20072) Write access being requested when performing select on a table

Tue, 03 Jul 2018 09:30:21 -0700 


     [ 
https://issues.apache.org/jira/browse/HIVE-20072?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

mahesh kumar behera reassigned HIVE-20072:
------------------------------------------


> Write access being requested when performing select on a table
> --------------------------------------------------------------
>
>                 Key: HIVE-20072
>                 URL: https://issues.apache.org/jira/browse/HIVE-20072
>             Project: Hive
>          Issue Type: Bug
>          Components: HiveServer2
>            Reporter: mahesh kumar behera
>            Assignee: mahesh kumar behera
>            Priority: Critical
>
> hive.exec.pre.hooks=org.apache.hadoop.hive.ql.hooks.UpdateInputAccessTimeHook$PreExec
>  along with hive doAs=true
>  which is causing to perform Alter table operation internally when accessed 
> Hive table, and results in HiveException with Write access to table directory.
> Select access is provided to a table and when performing select * for that 
> table, below exception is seen.
>  
> Steps to reproduce. (with ranger enabled)
> 1. Create test table
> create table lastaccesstime (id int);
> 2. Enable Hive doAs
> 3. update 
> hive.exec.pre.hooks=org.apache.hadoop.hive.ql.hooks.ATSHook,org.apache.hadoop.hive.ql.hooks.UpdateInputAccessTimeHook$PreExec
> 4. Perform select on table lastaccesstime as non-hive user and exception will 
> be thrown.
> {code:java}
> 0: jdbc:hive2://c470-node4.squadron-labs.com:> select * from lastaccesstime;
> Error: Error while processing statement: FAILED: Hive Internal Error: 
> org.apache.hadoop.hive.ql.metadata.HiveException(Unable to alter table. 
> java.security.AccessControlException: Permission denied: user=kafka, 
> access=WRITE, 
> inode="/apps/hive/warehouse/testdb.db/lastaccesstime":hive:hadoop:drwxr-x---
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:353)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:252)
>       at 
> org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer$RangerAccessControlEnforcer.checkDefaultEnforcer(RangerHdfsAuthorizer.java:427)
>       at 
> org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer$RangerAccessControlEnforcer.checkPermission(RangerHdfsAuthorizer.java:303)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:190)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1950)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1934)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:1908)
>       at 
> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAccess(FSNamesystem.java:8800)
>       at 
> org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.checkAccess(NameNodeRpcServer.java:2089)
>       at 
> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.checkAccess(ClientNamenodeProtocolServerSideTranslatorPB.java:1466)
>       at 
> org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
>       at 
> org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:640)
>       at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:982)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2351)
>       at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2347)
>       at java.security.AccessController.doPrivileged(Native Method)
>       at javax.security.auth.Subject.doAs(Subject.java:422)
>       at 
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1869)
>       at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2347)
> ) (state=08S01,code=12)
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to