
Unable to read/write directory /user/hive/warehouse


We have Sentry authorization enabled for Hive. The user has been granted the ALL privilege on a database through a role which is indeed assigned to an AD group, and the user also belongs to this AD group. The user is able to query tables and create tables in this database from Hue and Beeline (HiveServer2), but is unable to view the HDFS directory of the database and the respective tables in this database.

-bash-4.1$ hadoop fs -ls /user/hive/warehouse/empd.db
ls: Permission denied: user=test, access=READ_EXECUTE, inode="/user/hive/warehouse":hive:hive:drwxrwx--x:user:hive:rwx,group::---,group:hive:rwx

 

Since we have granted ALL on the database to the user, doesn't that mean that the user has read and write privileges on this database's HDFS directory?

Any suggestion would be appreciated.

 


Re: Unable to read/write directory /user/hive/warehouse

Hi Naren,

Unless you turn on HDFS Sentry sync, users are not expected to be able to look at the tables via HDFS. This is exactly because of the HDFS permissions you showed, which prevent users not authenticated through Sentry from direct access to the HDFS files.

Even if you turn on HDFS Sentry Sync, it is impossible to map Sentry permissions exactly to file permissions, since HDFS permissions are fairly coarse-grained. It will be good enough for you to get read access to your HDFS files though.

Read more about this feature here:
http://www.cloudera.com/content/cloudera/en/documentation/core/latest/topics/sg_hdfs_sentry_sync.htm...

Thanks,
Darren

Re: Unable to read/write directory /user/hive/warehouse


Thanks, Darren, for the quick reply.

Looking at the HDFS configuration in CM, I see that Enable Sentry Synchronization for HDFS (Service-wide) is enabled and Sentry Synchronization Path Prefixes is pointing to /use/hive/warehouse, which is expected.

In this case, the user should be able to get the HDFS permissions as defined by Sentry, right?

Re: Unable to read/write directory /user/hive/warehouse


My admin ran the commands below, as you can see. If I understand correctly, the table in the emp database has read and write permissions for my group, as I have granted the ALL privilege on the emp database in Sentry, whereas since the emp.db folder doesn't have any permissions in HDFS, it is not letting me go beyond it. I am part of both the groups dev_test_hadoop and dev_hadoop_hue.


$ hdfs dfs -getfacl /user/hive/warehouse/emp.db
# file: /user/hive/warehouse/emp.db
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
mask::rwx
other::---

$ hdfs dfs -getfacl /user/hive/warehouse/emp.db/employee
# file: /user/hive/warehouse/emp.db/employee
# owner: hive
# group: hive
user::rwx
user:hive:rwx
group:dev_test_hadoop:rwx
group::---
group:dev_hadoop_hue:rwx
group:hive:rwx
mask::rwx
other::---
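
Added example (not part of any post in this thread, and not Cloudera or Sentry code): a small Python model of HDFS ACL evaluation applied to the two getfacl listings above, showing why an ACL on the table directory does not help when the parent directory grants no traverse (x) permission. The function names are hypothetical, and directories above emp.db are assumed to be traversable.

```python
# ACL listings copied from the thread's getfacl output ("# file:" lines dropped).
EMP_DB = """# owner: hive
# group: hive
user::rwx
user:hive:rwx
group::---
group:hive:rwx
mask::rwx
other::---"""
EMPLOYEE = """# owner: hive
# group: hive
user::rwx
user:hive:rwx
group:dev_test_hadoop:rwx
group::---
group:dev_hadoop_hue:rwx
group:hive:rwx
mask::rwx
other::---"""

def parse_getfacl(text):
    acl = {"entries": []}
    for line in text.strip().splitlines():
        head, _, rest = line.strip().partition(":")
        if head.startswith("# "):            # "# owner: hive" / "# group: hive"
            acl[head[2:]] = rest.strip()
        else:                                # e.g. "group:dev_hadoop_hue:rwx"
            name, perms = rest.split(":")
            acl["entries"].append((head, name, set(perms) - {"-"}))
    return acl

def allows(acl, user, groups, want):  # want: permission bits such as "x" or "rx"
    want, ents = set(want), acl["entries"]
    mask = next((p for k, n, p in ents if k == "mask"), set("rwx"))
    if user == acl["owner"]:                 # owner entry is not filtered by the mask
        return want <= next(p for k, n, p in ents if k == "user" and not n)
    for k, n, p in ents:                     # named user entry, filtered by the mask
        if k == "user" and n == user:
            return want <= (p & mask)
    hits = [p & mask for k, n, p in ents     # owning group and named groups
            if k == "group" and (n or acl["group"]) in groups]
    if hits:                                 # a single matching entry must grant it all
        return any(want <= p for p in hits)
    return want <= next(p for k, n, p in ents if k == "other")

def can_list(listings, user, groups):  # x on every ancestor, r+x on the target
    *ancestors, target = [parse_getfacl(t) for t in listings]
    return (all(allows(a, user, groups, "x") for a in ancestors)
            and allows(target, user, groups, "rx"))
```

For a member of dev_test_hadoop and dev_hadoop_hue, `can_list([EMP_DB, EMPLOYEE], ...)` is false because emp.db matches no group entry and falls through to `other::---`, even though the employee ACL alone grants rwx.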