https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218886#M60366 <A rel="user" href="https://community.cloudera.com/users/14047/karanalang.html" nodeid="14047">@Karan Alang</A><P>To do count(*) you need select privilege on all table. You can still do "select count(column name) from &lt;table name&gt;" and that will work but to run count(*) you need to have select permissions for whole table. This is working as expected.</P> Wed, 03 May 2017 08:55:04 GMT mqureshi 2017-05-03T08:55:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218884#M60364 <P>hello - I've implemented Spark security using LLAP, and seeing error in specific scenario</P><P>Here is what is done -&gt; </P><P>1 - I login to Spark Thrift server using user - spark</P><P>2 - created a Ranger policy which specifies that user - 'spark' does not have access to column -<STRONG> storekey</STRONG> in table - <STRONG>factsales</STRONG></P><P>3 - fired query -&gt; select count(1) from factsales;</P><P>Error is as shown below.</P><P>Pls. note - this seems to be happening when i try to get count of rows.</P><P>When i fire query to get values of specific columns, i get expected result (based on whether i have access to the column or not). </P><P>------------------------------- QUERY WHERE I GET ERROR (in getting count) --------------------</P><P>[alanka01@nwk2-bdp-hadoop-06 ~]$ beeline -u jdbc:hive2://<A href="http://nwk2-bdp-hadoop-08.gdcs-qa.apple.com">nwk2-bdp-hadoop-08.gdcs-qa.apple.com</A>:10015/default -n spark Connecting to jdbc:hive2://<A href="http://nwk2-bdp-hadoop-08.gdcs-qa.apple.com">nwk2-bdp-hadoop-08.gdcs-qa.apple.com</A>:10015/default Connected to: Spark SQL (version 1.6.2) Driver: Hive JDBC (version 1.2.1000.2.5.3.0-37) Transaction isolation: TRANSACTION_REPEATABLE_READ Beeline version 1.2.1000.2.5.3.0-37 by Apache Hive 0: jdbc:hive2://nwk2-bdp-hadoop-08.gdcs-qa.ap&gt;</P><P> <STRONG>select count(1) from factsales; </STRONG></P><P><STRONG>Error: org.apache.spark.sql.catalyst.errors.package$TreeNodeException: execute, tree: TungstenAggregate(key=[], functions=[(count(1),mode=Final,isDistinct=false)], output=[_c0#402L]) +- TungstenExchange SinglePartition, None +- TungstenAggregate(key=[], functions=[(count(1),mode=Partial,isDistinct=false)], output=[count#405L]) +- Scan LlapRelation(org.apache.spark.sql.hive.llap.LlapContext@32b7eb41,Map(table -&gt; default.factsales, url -&gt; jdbc:hive2://<A href="http://nwk2-bdp-hadoop-06.gdcs-qa.apple.com">nwk2-bdp-hadoop-06.gdcs-qa.apple.com</A>:10500))[] (state=,code=0)</STRONG></P><P>-------------------------QUERIES WITH EXPECTED RESULT -1 -------------------------------------</P><P>0: jdbc:hive2://nwk2-bdp-hadoop-08.gdcs-qa.ap&gt; </P><P>select saleskey from factsales limit 10; </P><P>+-----------+--+ | saleskey | +-----------+--+ | 3343549 | | 2822385 | | 2764012 | | 3289348 | | 2531906 | | 3055870 | | 2530527 | | 2880758 | | 2297049 | | 3356058 | +-----------+--+</P><P>-------------------------QUERIES WITH EXPECTED RESULT -2 (since user - spark does not have access to column - storekey) ----------------------------------------------------------------------------------------------------------</P><P>0: jdbc:hive2://nwk2-bdp-hadoop-09.gdcs-qa.ap&gt; </P><P>select saleskey, storekey from factsales limit 10; </P><P>Error: java.io.IOException: org.apache.hive.service.cli.HiveSQLException: java.io.IOException: org.apache.hadoop.hive.ql.metadata.HiveException: Failed to compile query: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [spark] does not have [SELECT] privilege on [default/factsales/saleskey,storekey] (state=,code=0)</P> Wed, 03 May 2017 06:17:52 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218884#M60364 karan_alang1 2017-05-03T06:17:52Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218885#M60365 <P><A rel="user" href="https://community.cloudera.com/users/10969/mqureshi.html" nodeid="10969">@mqureshi</A> -looping you in, any ideas ?</P> Wed, 03 May 2017 06:19:17 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218885#M60365 karan_alang1 2017-05-03T06:19:17Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218886#M60366 <A rel="user" href="https://community.cloudera.com/users/14047/karanalang.html" nodeid="14047">@Karan Alang</A><P>To do count(*) you need select privilege on all table. You can still do "select count(column name) from &lt;table name&gt;" and that will work but to run count(*) you need to have select permissions for whole table. This is working as expected.</P> Wed, 03 May 2017 08:55:04 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218886#M60366 mqureshi 2017-05-03T08:55:04Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218887#M60367 <P><A rel="user" href="https://community.cloudera.com/users/10969/mqureshi.html" nodeid="10969">@mqureshi</A> - i guess what you mentioned makes sense, the error message, however, does not indicate the actual issue.</P> Fri, 05 May 2017 05:27:47 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Spark-Security-Using-LLAP-Spark-SQL-Query-giving-error-when/m-p/218887#M60367 karan_alang1 2017-05-05T05:27:47Z