
Hive Blocking User's access via group

New Contributor

I am having an issue accessing Hive through Knox using Ranger for authorization. I am using an LDAP for my user store. Knox and Ranger are synced with the LDAP. The users show up in the Ranger UI, and I can access WebHDFS using Knox. However, I am running into an issue with accessing Hive through Knox.

Example Ranger policy: "mjane" authorized to select * from the foodmart database. This policy works and grants access to the user. However, if in the policy I use "group_name" (that "mjane" belongs to), then Hive rejects the request.

If I run the command hdfs groups mjane, it does indeed list the groups that "mjane" belongs to.

Any ideas if I am missing anything? I also checked the casing of the groups between Ranger and HDFS, and they were the same. Any help would be much appreciated.

Stack Trace from Java Program

Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils parseURL
INFO: Supplied authorities: sandbox.hortonworks.com:8443
Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils handleParamDeprecation
WARNING: ***** JDBC param deprecation *****
Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils handleParamDeprecation
WARNING: The use of hive.server2.transport.mode is deprecated.
Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils handleParamDeprecation
WARNING: Please use transportMode like so: jdbc:hive2://<host>:<port>/dbName;transportMode=<transport_mode_value>
Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils handleParamDeprecation
WARNING: ***** JDBC param deprecation *****
Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils handleParamDeprecation
WARNING: The use of hive.server2.thrift.http.path is deprecated.
Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils handleParamDeprecation
WARNING: Please use httpPath like so: jdbc:hive2://<host>:<port>/dbName;httpPath=<http_path_value>
Nov 03, 2016 4:12:04 PM org.apache.hive.jdbc.Utils parseURL
INFO: Resolved authority: sandbox.hortonworks.com:8443
Nov 03, 2016 4:12:05 PM HiveJDBCSample main
SEVERE: null
org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mjane] does not have [SELECT] privilege on [foodmart/customer/account_num,address1,address2,address3,address4,birthdate,city,country,customer_id,customer_region_id,date_accnt_opened,education,fname,fullname,gender,houseowner,lname,marital_status,member_card,mi,num_cars_owned,num_children_at_home,occupation,phone1,phone2,postal_code,state_province,total_children,yearly_income]
	at org.apache.hive.jdbc.Utils.verifySuccess(Utils.java:262)
	at org.apache.hive.jdbc.Utils.verifySuccessWithInfo(Utils.java:248)
	at org.apache.hive.jdbc.HiveStatement.runAsyncOnServer(HiveStatement.java:297)
	at org.apache.hive.jdbc.HiveStatement.execute(HiveStatement.java:238)
	at org.apache.hive.jdbc.HiveStatement.executeQuery(HiveStatement.java:422)
	at HiveJDBCSample.main(HiveJDBCSample.java:35)
Caused by: org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [mjane] does not have [SELECT] privilege on [foodmart/customer/account_num,address1,address2,address3,address4,birthdate,city,country,customer_id,customer_region_id,date_accnt_opened,education,fname,fullname,gender,houseowner,lname,marital_status,member_card,mi,num_cars_owned,num_children_at_home,occupation,phone1,phone2,postal_code,state_province,total_children,yearly_income]
	at org.apache.hive.service.cli.operation.Operation.toSQLException(Operation.java:335)
	at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:148)
	at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:226)
	at org.apache.hive.service.cli.operation.Operation.run(Operation.java:276)
	at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:468)
	at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:456)
	at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:298)
	at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:506)
	at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1317)
	at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1302)
	at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
	at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
	at org.apache.thrift.server.TServlet.doPost(TServlet.java:83)
	at org.apache.hive.service.cli.thrift.ThriftHttpServlet.doPost(ThriftHttpServlet.java:206)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:565)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:479)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:225)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1031)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:406)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:965)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:117)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
	at org.eclipse.jetty.server.Server.handle(Server.java:349)
	at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:449)
	at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:925)
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:952)
	at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
	at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:76)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:609)
	at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:45)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.RuntimeException: org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:Permission denied: user [mjane] does not have [SELECT] privilege on [foodmart/customer/account_num,address1,address2,address3,address4,birthdate,city,country,customer_id,customer_region_id,date_accnt_opened,education,fname,fullname,gender,houseowner,lname,marital_status,member_card,mi,num_cars_owned,num_children_at_home,occupation,phone1,phone2,postal_code,state_province,total_children,yearly_income]
	at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:412)
	at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:855)
	at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:643)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:510)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:320)
	at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1219)
	at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1213)
	at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:146)
	... 34 more

Re: Hive Blocking User's access via group

Mentor

@Allen Wood

Sorry you are going against the rules by publishing links to exam dumps.

Please try to desist from this practice in future.

Repeated violation
