[jira] [Commented] (HIVE-12408) SQLStdAuthorizer should not require external table creator to be owner of directory, in addition to rw permissions

Thu, 26 Oct 2017 17:43:07 -0700 

    [ 
https://issues.apache.org/jira/browse/HIVE-12408?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16221517#comment-16221517
 ] 

Thejas M Nair commented on HIVE-12408:
--------------------------------------

[~ajisakaa]
Please find instructions to request access to edit wiki here - 
https://cwiki.apache.org/confluence/display/Hive/AboutThisWiki#AboutThisWiki-Howtogetpermissiontoedit

cc [~leftylev]

> SQLStdAuthorizer should not require external table creator to be owner of 
> directory, in addition to rw permissions
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: HIVE-12408
>                 URL: https://issues.apache.org/jira/browse/HIVE-12408
>             Project: Hive
>          Issue Type: Bug
>          Components: Authorization, Security, SQLStandardAuthorization
>    Affects Versions: 0.14.0
>         Environment: HDP 2.2 + Kerberos
>            Reporter: Hari Sekhon
>            Assignee: Akira Ajisaka
>            Priority: Critical
>             Fix For: 3.0.0
>
>         Attachments: HIVE-12408.001.patch, HIVE-12408.002.patch
>
>
> When trying to create an external table via beeline in Hive using the 
> SQLStdAuthorizer it expects the table creator to be the owner of the 
> directory path and ignores the group rwx permission that is granted to the 
> user.
> {code}Error: Error while compiling statement: FAILED: 
> HiveAccessControlException Permission denied: Principal [name=hari, 
> type=USER] does not have following privileges for operation CREATETABLE 
> [[INSERT, DELETE, OBJECT OWNERSHIP] on Object [type=DFS_URI, 
> name=/etl/path/to/hdfs/dir]] (state=42000,code=40000){code}
> All it should be checking is read access to that directory.
> The directory owner requirement breaks the ability of more than one user to 
> create external table definitions to a given location. For example this is a 
> flume landing directory with json data, and the /etl tree is owned by the 
> flume user. Even chowning the tree to another user would still break access 
> to other users who are able to read the directory in hdfs but would still 
> unable to create external tables on top of it.
> This looks like a remnant of the owner only access model in SQLStdAuth and is 
> a separate issue to HIVE-11864 / HIVE-12324.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to