Also, you should not change the dfs.permissions value. If you set that to false,
you are essentially disabling all access control to HDFS.

Ideally, you should use HiveServer2, set doAs to false and, using
Ranger, give all access to the user "hive" for the data warehouse folder.

If you are going to use HiveCLI, then provide HDFS access to the corresponding
database folder in HDFS for selected users.

Thanks

Bosco


From:  Balaji Ganesan <[email protected]>
Reply-To:  "[email protected]"
<[email protected]>
Date:  Friday, January 16, 2015 at 7:34 AM
To:  "[email protected]" <[email protected]>
Subject:  Re: Hive permission denied issue

> Mahesh, can you give some more details on your scenario?
> * Are you using Hive client or Hiveserver2?
> * Can you provide the values in hive-site.xml and hiveserver2-site.xml in the
> /etc/hive/conf directory?
> 
> From: Mahesh Sankaran <[email protected]>
> Reply-To: "[email protected]"
> <[email protected]>
> Date: Friday, January 16, 2015 at 3:26 AM
> To: "[email protected]" <[email protected]>
> Subject: Re: Hive permission denied issue
> 
> Hi all, 
> 
> I solved this error by changing the property dfs.permissions in hdfs-site.xml
> from "true" to false. Is this the correct one? After this change Hive
> authenticated Ranger users.
> 
> <property>
> <name>dfs.permissions</name>
>         <value>false</value>
> </property>
> 
> Thanks
> Mahesh.S
> 
> On Fri, Jan 16, 2015 at 12:45 PM, Mahesh Sankaran <[email protected]>
> wrote:
>> Hi all,
>> I am configuring the ranger-hive plugin. The Hive agent is created, and also
>> auditing. I created a policy to give select, update, create, and drop
>> permissions on the database named mahesh for the user admin. When I try to
>> create a table, in Ranger audit-->access--> access Type (CREATE) the result
>> shows "allowed", but in hiveserver2 I got the following error. But when I
>> change the user of "/user/hive/warehouse/mahesh.db" to admin (hadoop fs -chown
>> -R admin:admin /user/hive/warehouse/mahesh.db) it worked. Seems like it does
>> not authenticate the Ranger user. Kindly help me to solve this problem.
>> 
>> 0: jdbc:hive2://10.10.10.63:10000> create table t2 (id int);
>> Error: Error while processing statement: FAILED: Execution Error, return code
>> 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:Got
>> exception: org.apache.hadoop.security.AccessControlException Permission
>> denied: user=admin, access=WRITE, inode=:hadoop2:supergroup:drwxr-xr-x
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkFsPermission(
>> FSPermissionChecker.java:271)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermission
>> Checker.java:257)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermission
>> Checker.java:238)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FS
>> PermissionChecker.java:179)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesys
>> tem.java:6512)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(FSNamesys
>> tem.java:6494)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAncestorAccess(FSNam
>> esystem.java:6446)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInternal(FSNamesyst
>> em.java:4248)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInt(FSNamesystem.ja
>> va:4218)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirs(FSNamesystem.java:
>> 4191)
>> at 
>> org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.mkdirs(NameNodeRpcSe
>> rver.java:813)
>> at 
>> org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorP
>> B.mkdirs(ClientNamenodeProtocolServerSideTranslatorPB.java:600)
>> at 
>> org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientName
>> nodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
>> at 
>> org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(Protob
>> ufRpcEngine.java:619)
>> at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:962)
>> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2039)
>> at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2035)
>> at java.security.AccessController.doPrivileged(Native Method)
>> at javax.security.auth.Subject.doAs(Subject.java:415)
>> at 
>> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.jav
>> a:1628)
>> at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2033)
>> ) (state=08S01,code=1)
>> 0: jdbc:hive2://10.10.10.63:10000>
>> 
>> Regards
>> Mahesh.S
> 
> 
> CONFIDENTIALITY NOTICE
> NOTICE: This message is intended for the use of the individual or entity to
> which it is addressed and may contain information that is confidential,
> privileged and exempt from disclosure under applicable law. If the reader of
> this message is not the intended recipient, you are hereby notified that any
> printing, copying, dissemination, distribution, disclosure or forwarding of
> this communication is strictly prohibited. If you have received this
> communication in error, please contact the sender immediately and delete it
> from your system. Thank You.

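An added example, not part of the original thread: a small Python check that flags the two settings discussed above in Hadoop-style site files. It assumes the full property names `hive.server2.enable.doAs` and `dfs.permissions.enabled` (the thread only says "doAs" and "dfs.permissions"); the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the cluster in the thread).
WEAK_HDFS = """<configuration>
  <property><name>dfs.permissions</name>
        <value>false</value></property>
</configuration>"""
WEAK_HIVE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""
FIXED_HDFS = WEAK_HDFS.replace("false", "true")
FIXED_HIVE = WEAK_HIVE.replace("true", "false")


def load_props(xml_text):
    """Return {name: value} from a Hadoop-style *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit(hdfs_xml, hive_xml):
    """Return a list of findings for the settings discussed in the thread."""
    findings = []
    hdfs, hive = load_props(hdfs_xml), load_props(hive_xml)
    # dfs.permissions is the older key; dfs.permissions.enabled the newer one.
    # Both default to true, so only an explicit "false" is a finding.
    for key in ("dfs.permissions", "dfs.permissions.enabled"):
        if hdfs.get(key, "true").lower() == "false":
            findings.append(f"{key}=false: HDFS permission checks are disabled")
    # doAs defaults to true: HiveServer2 then touches HDFS as the end user,
    # so a Ranger 'allowed' can still end in an HDFS AccessControlException.
    if hive.get("hive.server2.enable.doAs", "true").lower() != "false":
        findings.append("hive.server2.enable.doAs is not false: HiveServer2 "
                        "accesses the warehouse folder as the end user")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", (WEAK_HDFS, WEAK_HIVE)),
                       ("fixed", (FIXED_HDFS, FIXED_HIVE))):
        print(label, audit(*cfg) or "no findings")
```
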