Home | About | Sematext search-lucene.com search-hadoop.com
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB
 Search Hadoop and all its subprojects:

Switch to Plain View
Hive >> mail # user >> Hive Authorization (ROLES AND PRIVILEGES) does not work with hiveserver2 ?


Copy link to this message
-
Hive Authorization (ROLES AND PRIVILEGES) does not work with hiveserver2 ?
0: jdbc:hive2://dev-thdp5:10000> CREATE ROLE sas_role;
No rows affected (0.16 seconds)

0: jdbc:hive2://dev-thdp5:10000> CREATE EXTERNAL TABLE  IF NOT EXISTS keyword_impressions_log (date_ STRING,server STRING,impression_id STRING,search_session_id STRING,channel_id INT,visit_id BIGINT,visitor_id BIGINT,app_style STRING,publisher_id INT,ip STRING,keyword_id BIGINT,keyword STRING,node_constraint BIGINT,mfr_constraint BIGINT,seller_constraint BIGINT,other_constraint STRING,continued INT,offset INT,results INT,sort_ INT,ad_nodes STRING,view_ INT,spelling STRING,referrer STRING,internal_ip INT,cat_feat_mode STRING,rules STRING,rb_filter INT,shuffled INT,related_item_results INT,pixeled INT,sr_attr_imps STRING,unranked_ptitle_ids STRING,perpage INT)PARTITIONED BY (header_date_partition STRING)    STORED AS INPUTFORMAT  "com.hadoop.mapred.DeprecatedLzoTextInputFormat"   OUTPUTFORMAT "org.apache.hadoop.hive.ql.io.HiveIgnoreKeyTextOutputFormat";
No rows affected (0.468 seconds)

0: jdbc:hive2://dev-thdp5:10000> alter table keyword_impressions_log add if not exists partition (header_date_partition='2013-08-11') location '/user/hive/warehouse/keyword_impressions_log/2013-08-11';
No rows affected (0.438 seconds)

0: jdbc:hive2://dev-thdp5:10000> GRANT SELECT ON TABLE keyword_impressions_log TO ROLE sas_role;
No rows affected (0.403 seconds)

0: jdbc:hive2://dev-thdp5:10000> GRANT ROLE sas_role TO USER hiveuser1;
No rows affected (0.168 seconds)

0: jdbc:hive2://dev-thdp5:10000> show grant role sas_role on table keyword_impressions_log;
No rows affected (0.117 seconds)

The following CLI command shows the role information

hive -e "show grant role sas_role on table keyword_impressions_log;"

Logging initialized using configuration in jar:file:/usr/lib/hive/lib/hive-common-0.10.0-cdh4.3.0.jar!/hive-log4j.properties
Hive history file=/tmp/sasubramanian/hive_job_log_99244cad-b6e4-4c71-9fe1-d4b248b078c3_1882800333.txt
OK
database default
table keyword_impressions_log
principalName sas_role
principalType ROLE
privilege select
grantTime Mon Aug 19 12:24:08 PDT 2013
grantor hive
Time taken: 1.76 seconds
From: Sanjay Subramanian <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Reply-To: "[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>" <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Date: Friday, August 16, 2013 7:24 PM
To: "[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>" <[EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]>>
Subject: Hive Authorization clarification

Hi guys

I am not getting the expected result from my authorization settings

I am evaluating Hive0.10.0+121

mysql> select * from hive.ROLES;
+---------+-------------+------------+-----------+
| ROLE_ID | CREATE_TIME | OWNER_NAME | ROLE_NAME |
+---------+-------------+------------+-----------+
|       6 |  1376704610 | NULL       | sas_role  |
+---------+-------------+------------+-----------+

My settings are as follows.
<!-- added by sanjay -->
<property>
  <name>hive.server2.authentication</name>
  <value>LDAP</value>
</property>
<property>
  <name>hive.server2.authentication.ldap.url</name>
  <value>ldap://corp.nextag.com</value>
</property>

<property>
  <name>hive.security.authorization.enabled</name>
  <value>true</value>
  <description>enable or disable the hive client   authorization</description>
</property>

<property>
  <name>hive.security.authorization.createtable.owner.grants</name>
  <value>ALL</value>
  <description>the privileges automatically granted to the owner whenever a table gets created.
An example like "select,drop" will grant select and drop privilege to the owner of the table</description>
</property>

<property>
  <name>hive.security.authorization.createtable.role.grants</name>
  <value>sas_role:select</value>
  <description>The privileges automatically granted to some roles whenever a table gets created. An example like "roleX,roleY:select;roleZ:create" will grant select privilege to roleX and roleY, and grant create privilege to roleZ whenever a new table created.</description>
</property>

<property>
  <name>hive.security.authorization.createtable.group.grants</name>
  <value>hiveuser1:select</value>
  <description>The privileges automatically granted to some groups whenever a table gets created. An example like "groupX,groupY:select;groupZ:create" will grant select privilege to groupX and groupY, and grant create privilege to groupZ whenever a new table created.</description>
</property>
<property>
  <name>hive.security.authorization.createtable.user.grants</name>
  <value>hiveuser1:select</value>
  <description>The privileges automatically granted to some users whenever a table gets created. An example like "userX,userY:select;userZ:create" will grant select privilege to userX and userY, and grant create privilege to userZ whenever a new table created.</description>
</property>

USECASE STEPS
===========1.   Connect as sasubramanian and create table
beeline> !connect jdbc:hive2://dev-thdp5:10000 [EMAIL PROTECTED]<mailto:[EMAIL PROTECTED]> ********* org.apache.hive.jdbc.HiveDriver
Connecting to jdbc:hive2://dev-thdp5:10000
Connected to: Hive (version 0.10.0)
Driver: Hive (version 0.10.0-cdh4.3.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://dev-thdp5:10000> CREATE EXTERNAL TABLE  IF NOT EXISTS keyword_impressions_log (date_ STRING,server STRING,impression_id STRING,search_session_id STRING,channel_id INT,visit_id BIGINT,visitor_id BIGINT,app_style STRING,publisher_id INT,ip STRING,keyword_id BIGINT,keyword STRING,node_constraint BIGINT,mfr_constraint BIGINT,seller_constraint BIGINT,other_constraint STRING,continued INT,offset INT,results INT,sort_ INT,ad_nodes STRING,view_ INT,spelling STRING,referrer STRING,internal_ip INT,cat_feat_mode STRING,rules STRING,rb_filter INT,shuffled INT,related_item_results INT,pixeled INT,sr_attr_imps STRING,unranked_ptitle_ids STRING,perpage INT)PARTITIONED BY (header_date_
NEW: Monitor These Apps!
elasticsearch, apache solr, apache hbase, hadoop, redis, casssandra, amazon cloudwatch, mysql, memcached, apache kafka, apache zookeeper, apache storm, ubuntu, centOS, red hat, debian, puppet labs, java, senseiDB