
While creating table Error:permission denied: user=hive,access=WRITE,inode=''(kerberos+sentry)


While creating a table through beeline with a kinit user (not hive), the default user is going to hive (HiveServer2 high availability + Kerberos + SSL + Sentry)


I have enabled HS2 high availability. After enabling it, I tried to create a table with another user, but by default it's going to USER=hive.


Granted all permissions on URI 'hdfs://nameservice1/user/john/test.db/ha' to the user.

Added the user to the allowed Sentry users.

The current role is showing john in beeline.


beeline URL:


>create table ha(id int, name string) stored as textfile location 'hdfs://nameservice1/user/john/test.db/ha'; 


getting below error:

Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.SentryFilterDDLTask. MetaException(message:Got exception: Permission denied: user=hive, access=WRITE, inode="/user/john/test.db":john:supergroup:drwxr-xr-x
at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.checkFsPermission(
at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.check(
at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.check(
at org.apache.hadoop.hdfs.server.namenode.DefaultAuthorizationProvider.checkPermission(
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkPermission(
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAncestorAccess(
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInternal(
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirsInt(
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.mkdirs(
at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.mkdirs(
at org.apache.hadoop.hdfs.server.namenode.AuthorizationProviderProxyClientProtocol.mkdirs(
at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.mkdirs(
at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(
at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$
at org.apache.hadoop.ipc.RPC$
at org.apache.hadoop.ipc.Server$Handler$
at org.apache.hadoop.ipc.Server$Handler$
at Method)
at org.apache.hadoop.ipc.Server$
) (state=08S01,code=1)



Please help me out.





Re: While creating table Error:permission denied: user=hive,access=WRITE,inode=''(kerberos+sentry)



If you use Sentry, you need to add /user/john/test.db to the paths managed by the Sentry Plugin for HDFS.


In HDFS configuration you will find that the "Sentry Synchronization Path Prefix" property contains the default hive warehouse path (/user/hive/warehouse).


You need to add your path to this property (it is a multi-valued property).


Sentry will control only the paths that contain a Hive db. I.e. if you add the /user/john/ path, only the path under /user/john/test.db will be synchronized by Sentry.

Re: While creating table Error:permission denied: user=hive,access=WRITE,inode=''(kerberos+sentry)

Thanks MicheleM for your response.

I didn't enable HDFS Sentry synchronization. Before the HiveServer2 high availability config it used to work perfectly. Sentry is enabled only for Hive now. The problem here is that the create table/query is run by default as user hive. It should be an end user.

Re: While creating table Error:permission denied: user=hive,access=WRITE,inode=''(kerberos+sentry)


Hi Rakesh,

AFAIK, when you use Sentry, only the hive user runs DDL and DML instructions, for all of the databases, on behalf of the end user.


Sentry synchronization will keep the HDFS ACLs aligned so the end user can see, via HDFS, their grants on database files.


In more depth, HDFS asks Sentry for the actual ACLs for the paths that it manages.


If you add your path, /user/john/test.db, to Sentry synchronization, then Sentry will do all the work for you.




Re: While creating table Error:permission denied: user=hive,access=WRITE,inode=''(kerberos+sentry)


Also, if you use Sentry Synchronization and Sentry Synchronization Path Prefixes, you need to change the owner and group for all Hive directories and files in HDFS to hive:hive. If you enable this feature you cannot change the Hive warehouse ACLs manually, because they are controlled by Sentry (with grants).


You can assign these ACLs manually, but it is not recommended.
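
An added example, not part of any post in this thread: a small Python parser for the NameNode's "Permission denied" message quoted in the question, which works out which permission class (owner, group or other) the denied user fell into and which access bit was missing. It evaluates only the classic mode bits, not HDFS ACLs or Sentry-synchronized ACLs, and the group membership passed for `hive` is an assumption.

```python
import re

# Format of the NameNode message as quoted in the question above.
DENIED = re.compile(
    r'Permission denied: user=(?P<user>[^,\s]+),\s*access=(?P<access>[A-Z_]+),\s*'
    r'inode="(?P<path>[^"]*)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[d-][rwxtT-]{9})'
)
BIT = {"READ": 0, "WRITE": 1, "EXECUTE": 2}

# Error text taken from the question in this thread.
SAMPLE = ('MetaException(message:Got exception: Permission denied: user=hive, '
          'access=WRITE, inode="/user/john/test.db":john:supergroup:drwxr-xr-x')


def explain_denial(message, user_groups):
    """Report which permission class applied to the denied user and what was missing.

    user_groups is supplied by the caller (assumption); on a cluster,
    `hdfs groups <user>` reports the groups the NameNode resolves.
    """
    m = DENIED.search(message)
    if m is None:
        raise ValueError("no HDFS permission-denied message found")
    f = m.groupdict()
    mode = f["mode"][1:]                      # drop the file-type character
    if f["user"] == f["owner"]:
        cls, bits = "owner", mode[0:3]
    elif f["group"] in user_groups:
        cls, bits = "group", mode[3:6]
    else:
        cls, bits = "other", mode[6:9]
    # FsAction names: READ, WRITE, EXECUTE, combinations such as READ_WRITE, or ALL.
    wanted = list(BIT) if f["access"] == "ALL" else [
        a for a in f["access"].split("_") if a in BIT]
    # '-' means the bit is absent; 'T' is sticky without execute.
    missing = [a for a in wanted if bits[BIT[a]] in "-T"]
    return {"user": f["user"], "path": f["path"], "owner": f["owner"],
            "group": f["group"], "class": cls, "class_bits": bits,
            "missing": missing}


if __name__ == "__main__":
    # Assumption: the hive service account belongs only to the group "hive".
    print(explain_denial(SAMPLE, user_groups=["hive"]))
```

For the error in the question this reports class `other` with bits `r-x`: the directory is owned by john:supergroup with mode 755, so the `hive` service account that HiveServer2 uses for the `mkdirs` call has no write access.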