In Ranger, I have already given the select permission on a certain Hive table, and read and execute permission on the HDFS path of the table. To give an example:
set read, execute permission on path /apps/hive/warehouse/testdb.db/table1 to account
set select permission on hive table 'table1' on all columns to account
When I do the command:
"show tables in testdb.db;" or "desc testdb.table1"
I get this error from the Hive client:
Error: Error while compiling statement: FAILED: SemanticException [Error 10072]: Database does not exist: dwd (state=42000,code=10072)
When I check the 'hivemetastore.log', it shows the query requires the read permission on path '/apps/hive/warehouse/testdb.db'
org.apache.hadoop.ipc.RemoteException(org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException): Permission denied: user=xxx, access=READ, inode="/apps/hive/warehouse/testdb.db"
The problem is, I only want to grant the permission of the table to this account. From my experience I don't need such database path permission to use 'desc' command on the table. What could be the problem?
Can you check in the Ranger audit whether it is blocked, and whether by Ranger or HDFS ACL?
Thanks for your reply. The enforcer is ranger-acl.
It means the permissions are not applied. Can you grant again and check the rangeradmin log for any errors?