Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

dfs commands in Hive/beeline after enabling Ranger plugin

avatar
Expert Contributor

After enabling Ranger Plugin for Hive, I was running a "dfs -ls" in hive/ beeline to list hdfs files. I'm getting the following error :

jdbc:hive2://vserver69901.example.com> dfs -ls ;Error:
 Error while processing statement: Permission denied: user [ambari] does
 not have privilege for [DFS] command (state=,code=1)

Do we need to update/enable  any other properties. hadoop fs -ls works without any issues

The user has admin access in Ranger. The storage is on Isilon , so the HDFS Ranger plugin cannot be enabled.

2015-11-12 17:07:31,980 INFO  [HiveServer2-Handler-Pool: Thread-46]: operation.Operation (HiveCommandOperation.java:setupSessionIO(69)) - Putting temp output to file /tmp/hive/012f5aa7-fa31-4fb2-8cd5-4f3fe3f3120624919258595801789.pipeout
2015-11-12 17:07:31,981 ERROR [HiveServer2-Handler-Pool: Thread-46]: processors.CommandUtil (CommandUtil.java:authorizeCommand(66)) - Error authorizing command [-ls]
org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException: Permission denied: user [ambari] does not have privilege for [DFS] command
at com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizer.handleDfsCommand(XaSecureHiveAuthorizer.java:644)
at com.xasecure.authorization.hive.authorizer.XaSecureHiveAuthorizer.checkPrivileges(XaSecureHiveAuthorizer.java:227)
at org.apache.hadoop.hive.ql.processors.CommandUtil.authorizeCommandThrowEx(CommandUtil.java:86)
at org.apache.hadoop.hive.ql.processors.CommandUtil.authorizeCommand(CommandUtil.java:59)
at org.apache.hadoop.hive.ql.processors.DfsProcessor.run(DfsProcessor.java:71)
at org.apache.hive.service.cli.operation.HiveCommandOperation.runInternal(HiveCommandOperation.java:105)
at org.apache.hive.service.cli.operation.Operation.run(Operation.java:256)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:376)
at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:363)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.hive.service.cli.session.HiveSessionProxy.invoke(HiveSessionProxy.java:79)
at org.apache.hive.service.cli.session.HiveSessionProxy.access$000(HiveSessionProxy.java:37)
at org.apache.hive.service.cli.session.HiveSessionProxy$1.run(HiveSessionProxy.java:64)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:415)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1671)
at org.apache.hadoop.hive.shims.HadoopShimsSecure.doAs(HadoopShimsSecure.java:536)
at org.apache.hive.service.cli.session.HiveSessionProxy.invoke(HiveSessionProxy.java:60)
at com.sun.proxy.$Proxy32.executeStatementAsync(Unknown Source)
at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:271)
at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:401)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1313)
at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:129
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
1 ACCEPTED SOLUTION

avatar
Rising Star

DFS commands are restricted in Hive when authorization is enabled, either through Ranger or SQL std authorization.

View solution in original post

4 REPLIES 4

avatar
Rising Star

DFS commands are restricted in Hive when authorization is enabled, either through Ranger or SQL std authorization.

avatar

How can we remove the restriction from the hive, is there any property which we can enable/set for whitelisting the user or command ?

UPDATE : After going through the hive documentation (https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization), it has been stated that "Commands such as dfs, add, delete, compile, and reset are disabled when this authorization is enabled"

I really wanted to understand the logic behind the above statement.

avatar
Expert Contributor

Thanks Balaji for the explanation.

avatar
New Contributor

Hi, what is the solution to this error?. thanks