Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hive CREATE VIEW fails due to no SELECT access on object. But I can SELECT * on the object...

Labels:
avatar
author-rank rupert
Explorer

Created ‎12-06-2016 11:12 AM

I have been validating the Ranger options. I have select on all columns of a hive table:

SELECT ssn, name, location FROM employee;

works, however the following does not:

CREATE VIEW employee_v AS SELECT ssn, name, location FROM employee;

fails due to not having SELECT on "employee". So confused... thoughts?

org.apache.hive.service.cli.HiveSQLException: Error while compiling 
statement: FAILED: HiveAccessControlException Permission denied: user 
[raj_ops] does not have [SELECT] privilege on [default/employee]
4,733 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
Former Member

Created ‎12-06-2016 11:23 AM

@Rupert Bailey

Have you given the grant permission to the user "raj_ops" ?

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_User_Guide/content/user_access_hi...

Example:

GRANT
======
Syntax: grant <permissions> on table <table> to user <user or group>;

For example, to create a policy that grants user1 SELECT permission on the table default-hivesmoke22074, the command is grant select on table default.hivesmoke22074 to user user1;

View solution in original post

4,184 Views
0
3 REPLIES 3

avatar
Former Member

Created ‎12-06-2016 11:23 AM

@Rupert Bailey

Have you given the grant permission to the user "raj_ops" ?

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.0/bk_Ranger_User_Guide/content/user_access_hi...

Example:

GRANT
======
Syntax: grant <permissions> on table <table> to user <user or group>;

For example, to create a policy that grants user1 SELECT permission on the table default-hivesmoke22074, the command is grant select on table default.hivesmoke22074 to user user1;
4,185 Views
0

avatar
author-rank rupert
Explorer

Created ‎12-06-2016 11:48 AM

@jss thankyou for the tip. I was indeed required to execute an SQL DSL to GRANT SELECT on the employee TABLE. I was then required to GRANT CREATE on default DATABASE to USER. Which obeys ANSI I guess, but it seems adding the resource level privilege by Ranger is not sufficient (and I expect not with Atlas either with a tag). Interestingly from a SQL perspective even though the user creates the view, he needs to be explicitly provided GRANT SELECT on the object they create, which you don't need to do in Teradata SQL.

4,184 Views
0 Kudos

avatar
author-rank rupert
Explorer

Created ‎12-07-2016 12:44 AM

I take it from this that there is a difference between Table level selection and All column level selection. Perhaps that acts a little bit like an "SELECT ... WITH GRANT" on the object (Teradata SQL).

4,184 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements