Explorer
Posts: 11
Registered: ‎04-13-2015
Accepted Solution

hive user unable to access external table data after Sentry enabled

Hello All,

I'm facing an access problem with the hive user when querying an external table in CDH 5.3.2 after Sentry was enabled.

I created an external table on top of a MapReduce output directory in HDFS. After the MapReduce job, when I query the external table it says:


Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=hive, access=READ_EXECUTE, inode="/data/payload_preprocessor/maptemp":svcvmhdpdev:hadoop:drwxrwx---


where svcvmhdpdev is the user who launched the MapReduce job and /data/payload_preprocessor/maptemp is the MapReduce output directory (I also created the external table using this location).

I used the following query to grant ALL privileges to the hive user, but it's not working:


GRANT ALL ON URI 'hdfs://data/payload_preprocessor/maptemp' TO ROLE admin_role;


The only option is to set HDFS ACLs, but /data/payload_preprocessor/maptemp is a MapReduce output directory which needs to be deleted every time before the MapReduce job.

The question is: how do I grant read permissions to the hive user permanently, even when the directory is deleted and created again?


Thanks,

Venu

Explorer
Posts: 11
Registered: ‎04-13-2015

Re: hive user unable to access external table data after Sentry enabled

I think default ACLs are the solution, to inherit the parent directory's ACLs. Still not clear why GRANT ALL ON URI 'hdfs://data/payload_preprocessor/maptemp' TO ROLE admin_role; is not working :(


Thanks,

Venu

New Contributor
Posts: 5
Registered: ‎07-28-2015

Re: hive user unable to access external table data after Sentry enabled

Hey venu123,

Hive does not pass through Sentry, so it will not adhere to any rules you set directly in Sentry; it only looks at facls. To manage HDFS permissions with Sentry you have to enable the plugin for HDFS/Sentry sync and configure it appropriately. With the sync enabled, Hive checks the configuration and then references the group in Sentry, but the group will be applied automatically as a facl by Sentry.

To get items working, use the "hadoop fs -setfacl" command to add the user as a facl. To have the user added automatically as files are deleted and created, add them to the default ACL on the root folder. (Please note this was hit and miss for me; sometimes it worked, other times it did not.)

Example: add to default ACL


hadoop fs -setfacl -R -m default:user:username:r-x /<path>
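
An added example, not part of the original thread: a check that the parent directory's default ACL would give the hive user r-x on a re-created maptemp. It assumes the text format printed by `hadoop fs -getfacl`; the function names and the sample output are constructed for illustration.

```shell
#!/usr/bin/env bash
# Reads `hadoop fs -getfacl <dir>` output on stdin and prints the rwx string
# that USER gets from the directory's default ACL once the default mask is
# applied, or "none" if there is no default entry for USER.
# Assumption: the creating client's umask can narrow the child's mask
# further; this check covers only the parent's default ACL.
effective_default_perms() {
  awk -v user="$1" -F: '
    /^default:user:/  && $3 == user { perm = $4 }
    /^default:mask::/               { mask = $4 }
    END {
      if (perm == "") { print "none"; exit }
      if (mask == "") mask = "rwx"
      out = ""
      for (i = 1; i <= 3; i++) {
        p = substr(perm, i, 1); m = substr(mask, i, 1)
        out = out ((p != "-" && m != "-") ? p : "-")
      }
      print out
    }'
}

# Constructed sample: getfacl output for the parent directory after
#   hadoop fs -setfacl -m default:user:hive:r-x /data/payload_preprocessor
sample_getfacl() {
  cat <<'EOF'
# file: /data/payload_preprocessor
# owner: svcvmhdpdev
# group: hadoop
user::rwx
group::rwx
other::---
default:user::rwx
default:user:hive:r-x
default:group::rwx
default:mask::rwx
default:other::---
EOF
}

# On a cluster, replace sample_getfacl with:
#   hadoop fs -getfacl /data/payload_preprocessor
sample_getfacl | effective_default_perms hive
```

Because maptemp is deleted before every job, the default entry has to sit on its parent; a result of "none" or one missing r or x means the next re-created maptemp will again be unreadable to hive.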
