Hortonworks Sandbox Forum

Hive permissions in 2.1 Sandbox

  • #54373
    Alex K
    Participant

    Hi,

    I’m having issues using Hive on Sandbox 2.1 with JDBC driver. I’m using user “hue” and find that almost no permissions are set, but I am not able to give this user admin rights.

    I tried:
    1. Set general SELECT grant to user hue:

    hive> grant select to user hue;
    OK
    Time taken: 0.65 seconds
    hive> show grant user hue;
    OK
    hue USER Select false 1400792265000 root
    Time taken: 0.612 seconds, Fetched: 1 row(s)

    This doesn’t give me any select rights to a table like default.sample_08.

    2. Set table-specific select rights to user hue:
    hive> grant select on table sample_08 to user hue;
    OK
    Time taken: 0.474 seconds
    show grant user hue;
    OK
    Time taken: 0.639 seconds

    This gives me select rights on user hue, but for some reason the grant is not shown on “show grant”.

    3. Grant admin role to user hue

    hive> grant role admin to user hue;
    OK
    Time taken: 1.075 seconds
    hive> show role grant user hue;
    OK
    admin false 1400864190000 root
    public false 0
    Time taken: 0.686 seconds, Fetched: 2 row(s)

    This doesn’t seem to give user hue any additional privileges.

    4. Assign user hue admin rights in hive-site.xml configuration:

    Added the following lines inside hive-site.xml and restarted sandbox:

    <property>
    <name>hive.users.in.admin.role</name>
    <value>hue</value>
    </property>

    This also has no effect on the permissions of user hue.

    Now my questions:
    – What did I do wrong in the steps above, or are there bugs?
    – Are there any other hive admin users already configured in Sandbox 2.1?
    – Is there doc on the table output of the “show grant” commands? I’d like to know what the “false” and other number there indicate.

    Thanks!
    Alex

  • #54375
    iandr413
    Moderator

    Hi Alex,
    What is returned when you try to run a select on, say, sample_08? Hive user and root user should be able to execute statements in hive client.

    Ian

    #54377
    Alex K
    Participant

    Hi,

    Thanks for the quick reply!

    The hive client has full permissions when I use it as OS user root, but I’m using JDBC. I can replicate the JDBC behavior in beeline:

    [root@sandbox ~]# beeline
    Beeline version 0.13.0.2.1.1.0-385 by Apache Hive
    beeline> !connect jdbc:hive2://localhost:10000 hive xxx org.apache.hive.jdbc.HiveDriver
    Connecting to jdbc:hive2://localhost:10000
    Connected to: Apache Hive (version 0.13.0.2.1.1.0-385)
    Driver: Hive JDBC (version 0.13.0.2.1.1.0-385)
    Transaction isolation: TRANSACTION_REPEATABLE_READ
    0: jdbc:hive2://localhost:10000> select * from default.sample_08;
    Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied. Principal [name=hive, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.sample_08] : [SELECT] (state=42000,code=40000)
    0: jdbc:hive2://localhost:10000>

    The same happens for users hue, hive, superuser, admin, sample, and root. I get a little further when I do the grant select on table… statements for a given user in the hive client, but I’d just like to set admin rights on a user I can use with JDBC.

    Regards,
    Alex

    #54382
    iandr413
    Moderator

    Hi Alex,
    If you are not concerned about security and are just testing, you can disable this under hive by setting hive.security.authorization.enabled = false

    If you want to use security, try using org.apache.hadoop.hive.ql.security.authorization.DefaultHiveAuthorizationProvider for the hive.security.authorization.manager and hive.security.metastore.authorization.manager settings. I just tested and that works. The default setting of org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider tries to look at the hdfs storage permissions rather than the hive grant authorization.

    I hope this helps

    Ian

    #54408
    Alex K
    Participant

    Hi Ian,

    I was unable to get this going. I started on a clean environment to make sure:

    1. Import clean Sandbox 2.1 OVA and start VM
    2. Login as root and edit /etc/hive/conf/hive-site.xml
    3. Change hive authorization entry to the following:
    <property>
    <name>hive.security.authorization.enabled</name>
    <value>false</value>
    </property>
    4. Restart sandbox VM
    5. Open Hue/Beeswax and check the Settings table; “hive.security.authorization.enabled false” is shown.
    6. Open beeline and try the following:

    [root@sandbox etc]# beeline
    Beeline version 0.13.0.2.1.1.0-385 by Apache Hive
    beeline> !connect jdbc:hive2://localhost:10000 hue xxx org.apache.hive.jdbc.HiveDriver
    Connecting to jdbc:hive2://localhost:10000
    Connected to: Apache Hive (version 0.13.0.2.1.1.0-385)
    Driver: Hive JDBC (version 0.13.0.2.1.1.0-385)
    Transaction isolation: TRANSACTION_REPEATABLE_READ
    0: jdbc:hive2://localhost:10000> select count(*) from sample_08;
    Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied. Principal [name=hue, type=USER] does not have following privileges on Object [type=TABLE_OR_VIEW, name=default.sample_08] : [SELECT] (state=42000,code=40000)

    Anything else I can try?
    Thanks,
    Alex

    #54409
    Alex K
    Participant

    I also ran the set command in beeline:

    0: jdbc:hive2://localhost:10000> set;
    +--------------------------+
    | hive.security.authorization.enabled=true

    So for some reason the Hive configuration used by beeline and JDBC is using a different set of configuration properties than what’s set in hive-site.xml.

    Regards,
    Alex

    #57085

    Hello,
    I have a problem with these permissions, and I have to add the Select permission to my user Hue. Could you please tell me where we are supposed to write this request: grant select to user hue;

    Thank you

    #57577
    Matt Tucker
    Participant

    It turns out that there’s a separate hive-site.xml file for the HiveServer2 in /etc/hive/conf.server/hive-site.xml
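
Added example (not part of the original thread and not Hortonworks code): a Python check that compares the authorization-related properties named in this thread between the client hive-site.xml and the HiveServer2 one, the kind of mismatch Alex saw when `set;` reported a different value than the file he edited. The XML contents are constructed samples, and `load_props` and `authz_drift` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Authorization-related keys named in this thread.
AUTHZ_KEYS = (
    "hive.security.authorization.enabled",
    "hive.security.authorization.manager",
    "hive.security.metastore.authorization.manager",
    "hive.users.in.admin.role",
    "hive.server2.enable.impersonation",
)

def load_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props

def authz_drift(client_xml, server_xml, keys=AUTHZ_KEYS):
    """Return {key: (client_value, server_value)} for keys whose values differ.
    None means the key is not set in that file."""
    client, server = load_props(client_xml), load_props(server_xml)
    return {k: (client.get(k), server.get(k))
            for k in keys if client.get(k) != server.get(k)}

# Constructed sample contents (assumption: not copied from a real sandbox).
CLIENT_SITE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
  <property><name>hive.users.in.admin.role</name><value>hue</value></property>
</configuration>"""
SERVER_SITE = """<configuration>
  <property><name>hive.security.authorization.enabled</name><value>true</value></property>
</configuration>"""

if __name__ == "__main__":
    for key, (cli, srv) in authz_drift(CLIENT_SITE, SERVER_SITE).items():
        print(f"{key}: client={cli!r} server={srv!r}")
```

On the sandbox, pass the contents of /etc/hive/conf/hive-site.xml and /etc/hive/conf.server/hive-site.xml to `authz_drift` instead of the sample strings.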

    #73493
    John Swain
    Participant

    Alex,

    Did you ever resolve this issue? I have the same problem and cannot find any resolution.

    js

    #74079
    Dhruva Agrawal
    Participant

    Try setting hive.server2.enable.impersonation=false
