Home | About | Sematext search-lucene.com search-hadoop.com
 Search Hadoop and all its subprojects:

Switch to Plain View
Hive >> mail # user >> Hive Authorization (ROLES AND PRIVILEGES) does not work with hiveserver2 ?


Copy link to this message
-
Hive Authorization (ROLES AND PRIVILEGES) does not work with hiveserver2 ?
0: jdbc:hive2://dev-thdp5:10000> CREATE ROLE sas_role;
No rows affected (0.16 seconds)

0: jdbc:hive2://dev-thdp5:10000> CREATE EXTERNAL TABLE  IF NOT EXISTS keyword_impressions_log (date_ STRING,server STRING,impression_id STRING,search_session_id STRING,channel_id INT,visit_id BIGINT,visitor_id BIGINT,app_style STRING,publisher_id INT,ip STRING,keyword_id BIGINT,keyword STRING,node_constraint BIGINT,mfr_constraint BIGINT,seller_constraint BIGINT,other_constraint STRING,continued INT,offset INT,results INT,sort_ INT,ad_nodes STRING,view_ INT,spelling STRING,referrer STRING,internal_ip INT,cat_feat_mode STRING,rules STRING,rb_filter INT,shuffled INT,related_item_results INT,pixeled INT,sr_attr_imps STRING,unranked_ptitle_ids STRING,perpage INT)PARTITIONED BY (header_date_partition STRING)    STORED AS INPUTFORMAT  "com.hadoop.mapred.DeprecatedLzoTextInputFormat"   OUTPUTFORMAT "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat";
No rows affected (0.468 seconds)

0: jdbc:hive2://dev-thdp5:10000> alter table keyword_impressions_log add if not exists partition (header_date_partition='2013-08-11') location '/user/hive/warehouse/keyword_impressions_log/2013-08-11';
No rows affected (0.438 seconds)

0: jdbc:hive2://dev-thdp5:10000> GRANT SELECT ON TABLE keyword_impressions_log TO ROLE sas_role;
No rows affected (0.403 seconds)

0: jdbc:hive2://dev-thdp5:10000> GRANT ROLE sas_role TO USER hiveuser1;
No rows affected (0.168 seconds)

0: jdbc:hive2://dev-thdp5:10000> show grant role sas_role on table keyword_impressions_log;
No rows affected (0.117 seconds)

The following CLI command shows the role information

hive -e "show grant role sas_role on table keyword_impressions_log;"

Logging initialized using configuration in jar:file:/usr/lib/hive/lib/hive-common-0.10.0-cdh4.3.0.jar!/hive-log4j.properties
Hive history file=/tmp/sasubramanian/hive_job_log_99244cad-b6e4-4c71-9fe1-d4b248b078c3_1882800333.txt
OK
database default
table keyword_impressions_log
principalName sas_role
principalType ROLE
privilege select
grantTime Mon Aug 19 12:24:08 PDT 2013
grantor hive
Time taken: 1.76 seconds
From: Sanjay Subramanian <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Reply-To: "[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>" <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Date: Friday, August 16, 2013 7:24 PM
To: "[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>" <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Subject: Hive Authorization clarification

Hi guys

I am not getting the expected result from my authorization settings

I am evaluating Hive0.10.0+121

mysql> select * from hive.ROLES;
+---------+-------------+------------+-----------+
| ROLE_ID | CREATE_TIME | OWNER_NAME | ROLE_NAME |
+---------+-------------+------------+-----------+
|       6 |  1376704610 | NULL       | sas_role  |
+---------+-------------+------------+-----------+

My settings are as follows.
<!-- added by sanjay -->
<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://corp.nextag.com</value>
</property>

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client   authorization</description>
</property>

<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created.
An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>

<property>
  <name>hive.security.authorization.createtable.role.grants</name>
  <value>sas_role:select</value>
  <description>The privileges automatically granted to some roles whenever a table gets created. An example like "roleX,roleY:select;roleZ:create" will grant select privilege to roleX and roleY, and grant create privilege to roleZ whenever a new table created.</description>
</property>

<property>
  <name>hive.security.authorization.createtable.group.grants</name>
  <value>hiveuser1:select</value>
  <description>The privileges automatically granted to some groups whenever a table gets created. An example like "groupX,groupY:select;groupZ:create" will grant select privilege to groupX and groupY, and grant create privilege to groupZ whenever a new table created.</description>
</property>
<property>
  <name>hive.security.authorization.createtable.user.grants</name>
  <value>hiveuser1:select</value>
  <description>The privileges automatically granted to some users whenever a table gets created. An example like "userX,userY:select;userZ:create" will grant select privilege to userX and userY, and grant create privilege to userZ whenever a new table created.</description>
</property>

USECASE STEPS
===========1.   Connect as sasubramanian and create table
beeline> !connect jdbc:hive2://dev-thdp5:10000 [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> ********* org.apache.hive.jdbc.HiveDriver
Connecting to jdbc:hive2://dev-thdp5:10000
Connected to: Hive (version 0.10.0)
Driver: Hive (version 0.10.0-cdh4.3.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://dev-thdp5:10000> CREATE EXTERNAL TABLE  IF NOT EXISTS keyword_impressions_log (date_ STRING,server STRING,impression_id STRING,search_session_id STRING,channel_id INT,visit_id BIGINT,visitor_id BIGINT,app_style STRING,publisher_id INT,ip STRING,keyword_id BIGINT,keyword STRING,node_constraint BIGINT,mfr_constraint BIGINT,seller_constraint BIGINT,other_constraint STRING,continued INT,offset INT,results INT,sort_ INT,ad_nodes STRING,view_ INT,spelling STRING,referrer STRING,internal_ip INT,cat_feat_mode STRING,rules STRING,rb_filter INT,shuffled INT,related_item_results INT,pixeled INT,sr_attr_imps STRING,unranked_ptitle_ids STRING,perpage INT)PARTITIONED BY (header_date_