Details
-
Bug
-
Status: Resolved
-
Major
-
Resolution: Fixed
-
0.12.0
-
None
Description
When switching client-side authorization from the now deprecated HdfsAuthorizationProvider to SBAP, we noticed an issue while testing. Basically, if, say webhcat were running as user "hcat" on a secure cluster, and we run the following:
$ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa
$ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}" http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a
{"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135)
at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139)
at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93)
at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105)
at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63)
at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83)
at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444)
at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342)
at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977)
at org.apache.hadoop.hive.ql.Driver.run(Driver.java:888)
at org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43)
at org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251)
at org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205)
at org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
Caused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270)
... 20 more
","error":"FAILED: AuthorizationException java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"}
Attachments
Attachments
Issue Links
- is related to
-
-
- Closed
-