Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Drop table using beeline, with Ranger enabled.

Highlighted

Drop table using beeline, with Ranger enabled.

I have created a policy in Ranger(UNIX), giving drop permission to the user for the table (tuser_24) .

But while trying to drop table using the same user from beeline , it is throwing an error as permission denied . Logs from the console are as below.

Please suggest, weather is it possible to drop the table from beeline with Ranger enabled ?

Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:> drop table tuser_24;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hive] does not have [DROP] privilege on [default/tuser_24] (state=42000,code=40000)
0: jdbc:hive2://localhost:> show tables;
+------------+--+
|  tab_name  |
+------------+--+
| customers  |
| tuser_24   |
+------------+--+
2 rows selected (0.141 seconds)
0: jdbc:hive2://localhost:> drop table tuser_24;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hive] does not have [DROP] privilege on [default/tuser_24] (state=42000,code=40000)

5934-ranger.png

5 REPLIES 5
Highlighted

Re: Drop table using beeline, with Ranger enabled.

can you please tell me which user you have used to login into beeline and can you try with some other operation like create table or select using the same user , if it is working , just want to make sure if it is just about drop or other operations too ,

and can you please send last screenshot of ranger audit logs from Admin tab & plugin tab

Highlighted

Re: Drop table using beeline, with Ranger enabled.

5936-r1.png

Hi,

The same error came for create table. But select statement worked fine .

Adding the logs and screenshots of Ranger Audit tabs

WARNING: Use "yarn jar" to launch YARN applications.
Beeline version 1.2.1000.2.4.2.0-258 by Apache Hive
beeline> !connect jdbc:hive2://localhost:10000/default hive
Connecting to jdbc:hive2://localhost:10000/default
Enter password for jdbc:hive2://localhost:10000/default:
Connected to: Apache Hive (version 1.2.1000.2.4.2.0-258)
Driver: Hive JDBC (version 1.2.1000.2.4.2.0-258)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://localhost:> show tables;
+------------+--+
|  tab_name  |
+------------+--+
| customers  |
| tuser_24   |
+------------+--+
2 rows selected (0.169 seconds)
0: jdbc:hive2://localhost:> create table test1( ID int, Name STRING);
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hive] does not have [CREATE] privilege on [default/test1] (state=42000,code=40000)
0: jdbc:hive2://localhost:> select count(*) from customers;
INFO  : Tez session hasn't been created yet. Opening session
INFO  : Dag name: select count(*) from customers(Stage-1)
INFO  :


INFO  : Status: Running (Executing on YARN cluster with App id application_1469079890327_0007)


INFO  : Map 1: -/-      Reducer 2: 0/1
INFO  : Map 1: 0/1      Reducer 2: 0/1
INFO  : Map 1: 0(+1)/1  Reducer 2: 0/1
INFO  : Map 1: 1/1      Reducer 2: 0/1
INFO  : Map 1: 1/1      Reducer 2: 0(+1)/1
INFO  : Map 1: 1/1      Reducer 2: 1/1
+------+--+
| _c0  |
+------+--+
| 501  |
+------+--+
1 row selected (12.527 seconds)
0: jdbc:hive2://localhost:> select * from customers LIMIT 5;
+----------------------+---------------------+---------------------------+---------------------+-----------------+-------------------+------------------+----------------+------------------+----------------+---------------------+-------------------------------+--+
| customers.firstname  | customers.lastname  |     customers.company     |  customers.address  | customers.city  | customers.county  | customers.state  | customers.zip  | customers.phone  | customers.fax  |   customers.email   |         customers.web         |
+----------------------+---------------------+---------------------------+---------------------+-----------------+-------------------+------------------+----------------+------------------+----------------+---------------------+-------------------------------+--+
| FirstName            | LastName            | Company                   | Address             | City            | County            | State            | ZIP            | Phone            | Fax            | Email               | Web                           |
| Essie                | Vaill               | Litronic Industries       | 14225 Hancock Dr    | Anchorage       | Anchorage         | AK               | 99515          | 907-345-0962     | 907-345-1215   | essie@vaill.com     | http://www.essievaill.com     |
| Cruz                 | Roudabush           | Meridian Products         | 2202 S Central Ave  | Phoenix         | Maricopa          | AZ               | 85004          | 602-252-4827     | 602-252-4009   | cruz@roudabush.com  | http://www.essievaill.com  |
| Billie               | Tinnes              | D & M Plywood Inc         | 28 W 27th St        | New York        | New York          | NY               | 10001          | 212-889-5775     | 212-889-5764   | billie@tinnes.com   | http://www.essievaill.com   |
| Zackary              | Mockus              | Metropolitan Elevator Co  | 286 State St        | Perth Amboy     | Middlesex         | NJ               | 8861           | 732-442-0638     | 732-442-5218   | zackary@mockus.com  | http://www.essievaill.com  |
+----------------------+---------------------+---------------------------+---------------------+-----------------+-------------------+------------------+----------------+------------------+----------------+---------------------+-------------------------------+--+
5 rows selected (0.089 seconds)

5935-r2.png

Highlighted

Re: Drop table using beeline, with Ranger enabled.

so here create will obviously fail since you are creation another table but you have policy for customer table and test24 table only , but thing is select is working fine , and drop is not working so can you please attach access audit log screenshot too for the operations

Re: Drop table using beeline, with Ranger enabled.

Contributor

You might want to check hive.server2.enable.doAs setting. Looks like it is set to false(the default value), since the error is complaining about hive user not having permission. In this case all queries will be run as user hive irrespective of which user is running the query. If you could set the property to 'true' then the query will be run as user 'tuser_24' and get processed fine.

Highlighted

Re: Drop table using beeline, with Ranger enabled.

Explorer

Also please do check the policy on /apps/hive/warehouse/default, if you have read, write and execute access where the tables are underlying. If you don't have the required permissions, drop and create statements will not get executed.

Don't have an account?
Coming from Hortonworks? Activate your account here