Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hive CREATE VIEW fails due to no SELECT access on object. But I can SELECT * on the object...

Labels:
avatar
author-rank rupert
Explorer

Created ‎12-06-2016 11:12 AM

I have been validating the Ranger options. I have select on all columns of a hive table:

SELECT ssn, name, location FROM employee;

works, however the following does not:

CREATE VIEW employee_v AS SELECT ssn, name, location FROM employee;

fails due to not having SELECT on "employee". So confused... thoughts?

org.apache.hive.service.cli.HiveSQLException: Error while compiling 
statement: FAILED: HiveAccessControlException Permission denied: user 
[raj_ops] does not have [SELECT] privilege on [default/employee]
4,525 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
Former Member

Created ‎12-06-2016 11:23 AM

@Rupert Bailey

Have you given the grant permission to the user "raj_ops" ?

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_User_Guide/content/user_access_hi...

Example:

GRANT
======
Syntax: grant <permissions> on table <table> to user <user or group>;

For example, to create a policy that grants user1 SELECT permission on the table default-hivesmoke22074, the command is grant select on table default.hivesmoke22074 to user user1;

View solution in original post

3,976 Views
3 REPLIES 3

avatar
Former Member

Created ‎12-06-2016 11:23 AM

@Rupert Bailey

Have you given the grant permission to the user "raj_ops" ?

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_User_Guide/content/user_access_hi...

Example:

GRANT
======
Syntax: grant <permissions> on table <table> to user <user or group>;

For example, to create a policy that grants user1 SELECT permission on the table default-hivesmoke22074, the command is grant select on table default.hivesmoke22074 to user user1;
3,977 Views

avatar
author-rank rupert
Explorer

Created ‎12-06-2016 11:48 AM

@jss thankyou for the tip. I was indeed required to execute an SQL DSL to GRANT SELECT on the employee TABLE. I was then required to GRANT CREATE on default DATABASE to USER. Which obeys ANSI I guess, but it seems adding the resource level privilege by Ranger is not sufficient (and I expect not with Atlas either with a tag). Interestingly from a SQL perspective even though the user creates the view, he needs to be explicitly provided GRANT SELECT on the object they create, which you don't need to do in Teradata SQL.

3,976 Views
0 Kudos

avatar
author-rank rupert
Explorer

Created ‎12-07-2016 12:44 AM

I take it from this that there is a difference between Table level selection and All column level selection. Perhaps that acts a little bit like an "SELECT ... WITH GRANT" on the object (Teradata SQL).

3,976 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics 1.14 for Cloudera Pu...
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
View More Announcements