Uploaded image for project: 'Hive'
  1. Hive
  2. HIVE-5542

Webhcat is failing to run ddl command on a secure cluster

Log workAgile BoardRank to TopRank to BottomVotersWatch issueWatchersCreate sub-taskConvert to sub-taskMoveLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.12.0
    • Fix Version/s: 0.13.0
    • Component/s: Authentication, WebHCat
    • Labels:
      None

      Description

      When switching client-side authorization from the now deprecated HdfsAuthorizationProvider to SBAP, we noticed an issue while testing. Basically, if, say webhcat were running as user "hcat" on a secure cluster, and we run the following:

      $ kinit -kt /homes/hrt_qa/hadoopqa/keytabs/hrt_qa.headless.keytab hrt_qa
      $ curl -u : --negotiate -X PUT -H "Content-Type: application/json" -d "{\"comment\":\"Hello there\", \"properties\":{\"a\":\"b\"}}" http://webhcat.abc.blahblah.net:50111/templeton/v1/ddl/database/hcatperms_a
      
      {"errorDetail":"org.apache.hadoop.hive.ql.metadata.AuthorizationException: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
      	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorizationException(StorageBasedAuthorizationProvider.java:375)
      	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:273)
      	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:135)
      	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorize(HCatSemanticAnalyzerBase.java:139)
      	at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.authorizeDDLWork(CreateDatabaseHook.java:93)
      	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.authorizeDDL(HCatSemanticAnalyzerBase.java:105)
      	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzerBase.postAnalyze(HCatSemanticAnalyzerBase.java:63)
      	at org.apache.hive.hcatalog.cli.SemanticAnalysis.CreateDatabaseHook.postAnalyze(CreateDatabaseHook.java:83)
      	at org.apache.hive.hcatalog.cli.SemanticAnalysis.HCatSemanticAnalyzer.postAnalyze(HCatSemanticAnalyzer.java:243)
      	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:444)
      	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:342)
      	at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:977)
      	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:888)
      	at org.apache.hive.hcatalog.cli.HCatDriver.run(HCatDriver.java:43)
      	at org.apache.hive.hcatalog.cli.HCatCli.processCmd(HCatCli.java:251)
      	at org.apache.hive.hcatalog.cli.HCatCli.processLine(HCatCli.java:205)
      	at org.apache.hive.hcatalog.cli.HCatCli.main(HCatCli.java:164)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      	at java.lang.reflect.Method.invoke(Method.java:597)
      	at org.apache.hadoop.util.RunJar.main(RunJar.java:212)
      Caused by: java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat
      	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:351)
      	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:308)
      	at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:270)
      	... 20 more
      ","error":"FAILED: AuthorizationException java.security.AccessControlException: action WRITE not permitted on path hdfs://webhcat.abc.blahblah.net:8020/apps/hive/warehouse for user hcat","sqlState":"42000","errorCode":40000,"database":"hcatperms_a"}
      

        Attachments

        1. HIVE-5542.patch
          5 kB
          Sushanth Sowmyan

        Issue Links

          Activity

          $i18n.getText('security.level.explanation', $currentSelection) Viewable by All Users
          Cancel

            People

            • Assignee:
              sushanth Sushanth Sowmyan Assign to me
              Reporter:
              sushanth Sushanth Sowmyan

              Dates

              • Created:
                Updated:
                Resolved:

                Issue deployment