Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-20001

With doas set to true, running select query as hrt_qa user on external table fails due to permission denied to read /warehouse/tablespace/managed directory.

    XMLWordPrintableJSON

Details

    Description

      Hive: With doas set to true, running select query as hrt_qa user on external table fails due to permission denied to read /warehouse/tablespace/managed directory.

      Steps:
      1. Create a external table.
      2. Set doas to true.
      3. run select count using user hrt_qa.

      Table creation query.

      beeline -n hrt_qa -p pwd -u "jdbc:hive2://ctr-e138-1518143905142-375925-01-000006.hwx.site:2181,ctr-e138-1518143905142-375925-01-000005.hwx.site:2181,ctr-e138-1518143905142-375925-01-000007.hwx.site:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM;transportMode=http;httpPath=cliservice;ssl=true;sslTrustStore=/etc/security/serverKeys/hivetruststore.jks;trustStorePassword=changeit" --outputformat=tsv -e "drop table if exists test_table purge;
      create external table test_table(id int, age int) row format delimited fields terminated by '|' stored as textfile;
      load data inpath '/tmp/table1.dat' overwrite into table test_table;
      

      select count query execution fails

      beeline -n hrt_qa -p pwd -u "jdbc:hive2://ctr-e138-1518143905142-375925-01-000006.hwx.site:2181,ctr-e138-1518143905142-375925-01-000005.hwx.site:2181,ctr-e138-1518143905142-375925-01-000007.hwx.site:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM;transportMode=http;httpPath=cliservice;ssl=true;sslTrustStore=/etc/security/serverKeys/hivetruststore.jks;trustStorePassword=changeit" --outputformat=tsv -e "select count(*) from test_table where age>30 and id<10100;"
      2018-06-22 10:22:29,328|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|SLF4J: Class path contains multiple SLF4J bindings.
      2018-06-22 10:22:29,330|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
      2018-06-22 10:22:29,335|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
      2018-06-22 10:22:31,408|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|Format tsv is deprecated, please use tsv2
      2018-06-22 10:22:31,529|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|Connecting to jdbc:hive2://ctr-e138-1518143905142-375925-01-000006.hwx.site:2181,ctr-e138-1518143905142-375925-01-000005.hwx.site:2181,ctr-e138-1518143905142-375925-01-000007.hwx.site:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM;transportMode=http;httpPath=cliservice;ssl=true;sslTrustStore=/etc/security/serverKeys/hivetruststore.jks;trustStorePassword=changeit
      2018-06-22 10:22:32,031|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|18/06/22 10:22:32 [main]: INFO jdbc.HiveConnection: Connected to ctr-e138-1518143905142-375925-01-000004.hwx.site:10001
      2018-06-22 10:22:34,130|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|18/06/22 10:22:34 [main]: WARN jdbc.HiveConnection: Failed to connect to ctr-e138-1518143905142-375925-01-000004.hwx.site:10001
      2018-06-22 10:22:34,244|INFO|Thread-126|machine.py:111 - tee_pipe()||b3a493ec-99be-483e-91fe-4b701ec27ebc|18/06/22 10:22:34 [main]: WARN jdbc.HiveConnection: Could not open client transport with JDBC Uri: jdbc:hive2://ctr-e138-1518143905142-375925-01-000004.hwx.site:10001/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/_HOST@EXAMPLE.COM;transportMode=http;httpPath=cliservice;ssl=true;sslTrustStore=/etc/security/serverKeys/hivetruststore.jks;trustStorePassword=changeit: Failed to open new session: org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:java.security.AccessControlException: Permission denied: user=hrt_qa, access=READ, inode="/warehouse/tablespace/managed/hive":hive:hadoop:drwx------
      

      warehouse directory -

      -bash-4.2$ hdfs dfs -ls /warehouse/tablespace/
      Found 2 items
      drwxr-xr-x   - hdfs hdfs          0 2018-06-22 07:01 /warehouse/tablespace/external
      drwxr-xr-x   - hdfs hdfs          0 2018-06-22 07:01 /warehouse/tablespace/managed
      -bash-4.2$ hdfs dfs -ls /warehouse/tablespace/managed/hive
      Found 5 items
      drwxrwx---+  - hive hadoop          0 2018-06-22 09:28 /warehouse/tablespace/managed/hive/all10kw
      drwxrwx---+  - hive hadoop          0 2018-06-22 09:24 /warehouse/tablespace/managed/hive/hive8295
      drwxrwx---+  - hive hadoop          0 2018-06-22 07:20 /warehouse/tablespace/managed/hive/information_schema.db
      drwxrwxrwx+  - hive hadoop          0 2018-06-22 07:20 /warehouse/tablespace/managed/hive/sys.db
      drwxrwx---+  - hive hadoop          0 2018-06-22 09:27 /warehouse/tablespace/managed/hive/tbl1002
      -bash-4.2$ hdfs dfs -ls /warehouse/tablespace/external/hive
      Found 2 items
      drwxr-xr-x+  - hive hadoop          0 2018-06-22 07:02 /warehouse/tablespace/external/hive/sys.db
      drwxrwxrwx+  - hive hadoop          0 2018-06-22 10:12 /warehouse/tablespace/external/hive/test_table
      -bash-4.2$ exit
      logout
      

      It looks like the code still assumes external tables to be present under '/warehouse/tablespace/managed' directory similar to earlier '/apps/hive/warehouse'.

      Attachments

        1. HIVE-20001.1.patch
          7 kB
          Jaume M
        2. HIVE-20001.1.patch
          21 kB
          Jaume M
        3. HIVE-20001.2.patch
          131 kB
          Jaume M
        4. HIVE-20001.3.patch
          21 kB
          Jaume M
        5. HIVE-20001.4.patch
          21 kB
          Jaume M
        6. HIVE-20001.5.patch
          19 kB
          Jaume M

        Issue Links

          Activity

            People

              jmarhuen Jaume M
              jmarhuen Jaume M
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h 10m
                  1h 10m