Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Hive LLAP ranger insert issue (requires default table permission)

Labels:
avatar
author-rank matt_andruff
Expert Contributor

Created ‎04-05-2018 02:21 PM

Using hdp 2.6.3 with LLAP in Zeppelin.

Hive impersonation = true

LLAP doas = false

insert into table myDatabase.test_sql values "test"

I get the following error message

shadehive.org.apache.hive.service.cli.HiveSQLException: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [test] does not have [CREATE] privilege on [default/tmp_0218b93f51bf49afb291f47ca315ee57]

I do not have permissions to create tables in default.. only in myDatabase. How can i change where this internal temp table is being created so that it's not trying to write to default, but instead myDatabase which I do have full permissions on?

2,076 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank bkosaraju
Super Collaborator

Created ‎04-06-2018 01:52 AM

Hi @Matt Andruff,

The approach I come got to know while on the DML operation is that, when we insert the data, it creates a temp table under the database you resides / rather the database you are trying to insert.

in your case, since you have not switch any database it is defaulted to "default" database (or you may selected default database) hence its trying to create the table underneath.

rather provisioning ranger policies for access on default database, use database to target/scratch database will avoid additional roles.

for the same issue you have raised there is an open Jria linked - https://issues.apache.org/jira/browse/HIVE-15317

Hope this helps !!

View solution in original post

1,969 Views
3 REPLIES 3

avatar
author-rank matt_andruff
Expert Contributor

Created ‎04-05-2018 02:56 PM

My question still stands... but I did fine a ranger work around. Ranger>Hive>default database policy. default database Allow create/select on table "tmp_*"

1,969 Views
0 Kudos

avatar
author-rank bkosaraju
Super Collaborator

Created ‎04-06-2018 01:52 AM

Hi @Matt Andruff,

The approach I come got to know while on the DML operation is that, when we insert the data, it creates a temp table under the database you resides / rather the database you are trying to insert.

in your case, since you have not switch any database it is defaulted to "default" database (or you may selected default database) hence its trying to create the table underneath.

rather provisioning ranger policies for access on default database, use database to target/scratch database will avoid additional roles.

for the same issue you have raised there is an open Jria linked - https://issues.apache.org/jira/browse/HIVE-15317

Hope this helps !!

1,970 Views

avatar
author-rank matt_andruff
Expert Contributor

Created ‎04-08-2018 04:50 PM

Interestingly I did try "use" but zeppelin's SQL interpreter doesn't seem to track 'use database' between statements. Maybe that's an issue I should report. @bkosaraju I really appreciate the thorough answer.

1,969 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera DataFlow 2.9 now supports building GenAI pipelines ...
What's New @ Cloudera
Accelerate Data Scientist Productivity with Cloudera Copilot...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
Community Announcements
October 2024 Community Highlights
What's New @ Cloudera
Accelerate Your AI with the Cloudera AI Inference Service wi...
View More Announcements