Re: Securing Hive inserts

Fri, 15 Apr 2016 07:36:01 -0700 

Thanks Colm. I also verified that the issue exists.  This may be a due to the 
way Hive is handling access verification for temporary tables.
I will some more digging to find the right solution for this … In the 
meanwhile, can you please open a RANGER bug to identify/fix this issue?

Thanks,
Selva-

From:  Colm O hEigeartaigh <cohei...@apache.org>
Reply-To:  "user@ranger.incubator.apache.org" 
<user@ranger.incubator.apache.org>, "cohei...@apache.org" <cohei...@apache.org>
Date:  Friday, April 15, 2016 at 9:59 AM
To:  Balaji Ganesan <bgane...@apache.org>
Cc:  "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject:  Re: Securing Hive inserts

Hi Balaji,

I have a trivial table containing the output of the canonical "WordCount" 
program on a text file. The table just contains two columns, one containing the 
word and the other the count. The following query fails with the error message 
above:

insert into words (word, count) values ('xyz', 5);

To get it to work, I have to edit the Ranger policy for "*" for the "Table" 
part. At a guess, the HIVE insertion process ends up creating a temporary table 
and I don't have permission to call "select" on this table, as the policy 
strictly limits to the "words" table?

Colm.

On Thu, Apr 14, 2016 at 5:02 PM, Balaji Ganesan <bgane...@apache.org> wrote:
Can you provide the full query you are running? What is this table 
"values__tmp__table__3" ?

On Thu, Apr 14, 2016 at 4:09 PM, Colm O hEigeartaigh <cohei...@apache.org> 
wrote:
Hi all,

I have a policy that grants permissions Select + Update to all columns in a 
table called "words" in a given database. However, I can't insert into this 
table - I get an error:

H110 Unable to submit statement. Error while compiling statement: FAILED: 
HiveAccessControlException Permission denied: user [colm] does not have 
[SELECT] privilege on 
[default/values__tmp__table__3/tmp_values_col1,tmp_values_col2] [ERROR_STATUS]

Only when I change the table in the policy to "*" does it work. Is there any 
way around this? I'm using HDP 2.3.2 btw.

Thanks,

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Reply via email to