Archives of Support Questions (Read Only)

I want to run a very simple Oozie workflow with a Hive action on a kerberized cluster.

The problem is that Hive is using my credential and not the Hive-user as it is doing through Hive View. If I change my access in Ranger for "/apps/..." then the Oozie workflow is working fine. But we don't want personal account to have access for "/apps/..." folder

How is it possible to achieve do a Hive action where don't have access to "/apps"..." folder on HDFS?

== WORKFLOW.XML ==

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<workflow-app xmlns="uri:oozie:workflow:0.5" name="oozie_hive_kerberos_test"> 
<credentials> 
	<credential name="hcat" type="hcat"> 
	<property> 
		<name>hcat.metastore.principal</name> 
		<value>hive/_HOST@<host>.com</value> 
	</property> 
	<property> 
		<name>hcat.metastore.uri</name> 
		<value>thrift://<host>.com:9083</value> 
	</property> 
	</credential> 
</credentials> 
<start to="hive"/> 
<action cred="hcat" name="hive"> 
	<hive xmlns="uri:oozie:hive-action:0.6"> 
	<job-tracker>${resourceManager}</job-tracker> 
	<name-node>${nameNode}</name-node> 
	<query> 
		use XXXXX; 
		drop table if exists YYYY.ZZZZ; 
	</query> 
	</hive> 
	<ok to="end"/> 
	<error to="kill"/> 
	</action> 
	<kill name="kill"> 
<message>${wf:errorMessage(wf:lastErrorNode())}</message> 
</kill> 
<end name="end"/> 
</workflow-app> 

== ERROR MESSAGE ==

SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory] 
Logging initialized using configuration in /data/hadoop/yarn/local/usercache/MY_USER_NAME/appcache/application_1487006380071_0351/container_e94_1487006380071_0351_01_000002/hive-log4j.properties 
FAILED: SemanticException MetaException(message:org.apache.hadoop.security.AccessControlException: Permission denied: user=MY_USER_NAME, access=EXECUTE, inode="/apps/hive/warehouse/DATABASE.db":hdfs:hdfs:d--------- 
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:319) 
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkTraverse(FSPermissionChecker.java:259) 
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:205) 
at org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer$RangerAccessControlEnforcer.checkPermission(RangerHdfsAuthorizer.java:307) 
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:190) 
at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1827)