Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Ranger permissions to create temporary function

Labels:
avatar
author-rank Jim_B author-rank
Expert Contributor

Created ‎10-07-2016 07:35 PM

With Ranger permissions for Hive, I can create a permanent function, but not a temporary function.

I have Ranger installed with Hive Doas=false (queries run as hive.) Only Hive policies setup with no HDFS policies. There are two policies for this user and this database for

1) All Tables in this database granting all permissions

2) All Functions in this database granting all permissions

With the TEMPORARY keyword, getting an access denied error. Remove that and no problem.

Are there specific permissions needed for temp functions? Maybe in some other database?

-- Create Temporary Function - No Joy!
0: jdbc:hive2://evdp-lnx-hrt014.aginity.local> CREATE TEMPORARY FUNCTION FN_UNIQUE_NUMBER
0: jdbc:hive2://evdp-lnx-hrt014.aginity.local> AS 'com.screamingweasel.amp.hive.udf.UniqueNumberGenerator'
0: jdbc:hive2://evdp-lnx-hrt014.aginity.local> USING JAR 'hdfs:///tmp/custom-hive-udf-2.4.1.jar';
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [batyr_amp_admin] does not have [CREATE] privilege on [amp_unique_number] (state=42000,code=40000)

-- Create permanent function no problem
0: jdbc:hive2://evdp-lnx-hrt014.aginity.local> CREATE FUNCTION FN_UNIQUE_NUMBER
0: jdbc:hive2://evdp-lnx-hrt014.aginity.local> AS 'com.screamingweasel.amp.hive.udf.UniqueNumberGenerator'
0: jdbc:hive2://evdp-lnx-hrt014.aginity.local> USING JAR 'hdfs:///tmp/custom-hive-udf-2.4.1.jar';
INFO  : converting to local hdfs:///tmp/custom-hive-udf-2.4.1.jar
INFO  : Added [/tmp/68037a68-6f5b-40ef-8073-fefdaa6319be_resources/custom-hive-udf-2.4.1.jar] to class path
INFO  : Added resources: [hdfs:///tmp/custom-hive-udf-2.4.1.jar]
9,817 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank Jim_B author-rank
Expert Contributor

Created ‎10-07-2016 07:54 PM

Nothing like writing something down to make you find the answer! This has an open jira to correct in Ranger, where the database name is not being passed correctly to determine permissions for temporary functions. This is not the case for permanent functions.

The current workaround is to specify "*" for the database name in the function policy.

View solution in original post

7,910 Views
0 Kudos
0
6 REPLIES 6

avatar
author-rank Jim_B author-rank
Expert Contributor

Created ‎10-07-2016 07:54 PM

Nothing like writing something down to make you find the answer! This has an open jira to correct in Ranger, where the database name is not being passed correctly to determine permissions for temporary functions. This is not the case for permanent functions.

The current workaround is to specify "*" for the database name in the function policy.

7,911 Views
0 Kudos
0

avatar
author-rank florian_lalanne
New Contributor

Created ‎11-30-2016 10:14 AM

@jbarnett Thank you for this information. It seems I had the same problem and the wildcard "*" helped me. But I cannot find the jira that you are talking about. Could you tell the number of this jira or a direct link ? Thanks.

,

@jbarnett Thank you for this information. It seems I had the same problem and the wildcard "*" helped me. But I cannot find the jira that you are talking about. Could you tell the number of this jira or a direct link ? Thanks.

7,910 Views
0 Kudos

avatar
author-rank rodrigorondena1
Explorer

Created ‎06-07-2017 11:25 AM

@jbarnett I´ve enable '*' permission in database, the JAR file and directory has ALL permission and directory /user/hive has full permission, but I´m still in trouble to create temporary function, can you share more detailed your workaround ?

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [XXXXXX] does not have [CREATE] privilege on [ZZZZZ] (state=42000,code=40000)

7,910 Views
0 Kudos

avatar
author-rank achandra
Explorer

Created ‎04-19-2018 03:36 PM

@Rodrigo Rondena I am having the same problem. There is full access but still I get an error with having a temporary function. Please let me know what else I can try.

I was also not able to find the JIRA that @jbarnett mentioned.

,

@Rodrigo RondenaWere you able to find a solution? I have the same problem.

7,910 Views
0 Kudos

avatar
author-rank dvillarreal
Guru

Created ‎05-16-2018 08:27 PM

This Ranger Jira is actually dependent on a hive Jira in order for it to be fixed.

7,910 Views
0 Kudos

avatar
author-rank achandra
Explorer

Created ‎05-16-2018 08:36 PM

So I identified that this is a bug which they will fix only in HDP 3. Looks like there is work around which worked on HDP 2.6.0 but it stopped working in 2.6.1. I upgraded my stack to 2.6.2 and it works fine now.

7,910 Views
0 Kudos
Announcements
Community Announcements
April 2025 Cloudera Customer Advisory: Cloudera’s response t...
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
View More Announcements