Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
2.0.0
-
None
-
None
Description
A user "userA" want's to create an external table on "hdfs://test/testDir" via Hive Metastore installed Ranger Hive plugin. Permission information is as follows.
# id userA uid=3044(userA) gid=3044(userA) groups=992(supergroup) # hadoop fs -ls hdfs://test drwxrwxr-x - userB supergroup 0 2019-01-01 00:00 hdfs://test/testDir # hadoop fs -ls hdfs://test/testDir -rw-rw-r-- 3 userB supergroup 1000000 2019-01-01 00:00 hdfs://test/testDir/part-00000-db98bf17-bda6-4da9-9ea4-d7c75e8d995e-c000.snappy.parquet
When "userA" is trying to create an external table on "hdfs://test/testDir" with the following command,
spark.sql("create table userA_test USING org.apache.spark.sql.parquet OPTIONS ( path = 'hdfs://test/testDir')")
Ranger denied the operation with the following error message.
org.apache.hadoop.hive.ql.metadata.HiveException: MetaException(message:Permission denied: user [userA] does not have [ALL] privilege on [hdfs://test/testDir])
The reason is when Ranger is checking URI permission, it will check if the user has FSAction.ALL on the URI if "userA" is not the owner of the HDFS path, but HDFS file will not set the execution permission by default, so the Ranger permission check will return false.
I think in the getURIAccessType function in RangerHiveAuthorizer, we should return FSAction.READ_WRITE instead of FSAction.ALL. For HDFS directory, Hadoop will help us to add FSAction.EXECUTE when we are trying to do the permission check, we can skip FSAction.EXECUTE here to work well with HDFS files.
Attachments
Attachments
Issue Links
- links to
