Support Questions

Find answers, ask questions, and share your expertise

hive error GRANT PERMISSIONS

avatar
Master Collaborator

Hi:

From my manager iam doing this:

hive> GRANT SELECT ON TABLE logs TO USER hue; 

FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=bigotes, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant] on Object [type=TABLE_OR_VIEW, name=default.logs]] 

hive>

I don't have Kerberos installed.

Any Bug???

Thanks

18 REPLIES 18

avatar
Master Guru

Do GRANTs work on your cluster? Have you done them before? You must have hive.security.authorization.enabled=true and optionally hive.security.authorization.createtable.owner.grants=ALL

avatar
Master Mentor

OOoops GRANT SELECT ON TABLE logs TO USER bigotes WITH GRANT OPTION;

avatar
Master Collaborator

Hi:

I have this in /usr/hdp/2.3.2.0-2950/hive/conf/hive-site.xml

<property>
      <name>hive.security.authorization.enabled</name>
      <value>false</value>
    </property>

<property>
      <name>hive.security.authorization.createtable.owner.grants</name>
      <value>ALL</value>
      <description>the privileges automatically granted to the owner whenever a table gets created.
      </description>
    </property>

and I restarted all the hiveserver2

hive> GRANT SELECT ON TABLE logs TO USER bigotes WITH GRANT OPTION;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=hive, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant] on Object [type=TABLE_OR_VIEW, name=default.logs]]

Any Suggestions??

Many many thanks

avatar
Master Guru

@Roberto Sancho See my comment above, you need to set hive.security.authorization.enabled to true, so replace false by "true", then restart Hive and retry grant commands.

avatar
Master Mentor

Whats the output of these 2 scripts

SHOW CURRENT ROLES;

SHOW ROLES;

avatar
Master Collaborator
hive> SHOW CURRENT ROLES;
OK
public
Time taken: 1.518 seconds, Fetched: 1 row(s)
hive> SHOW ROLES;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Current user : hive is not allowed to list roles. User has to belong to ADMIN role and have it as current role, for this action.

avatar
Master Mentor

You need to grant bigotes an ADMIN role but try the below method first

Here are the points:

1. You should change all setting with Ambari.

2. Don't change hive.metastore.uris-setting

3. Manually change hiveserver2-site.xml property of hive.security.authorization.manager

<property>

<name>hive.security.authorization.enabled</name>

<value>true</value>

</property>

<property>

<name>hive.security.authorization.manager</name> <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>

</property>

<property>

<name>hive.security.authenticator.manager</name> <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>

</property>

<property>

<name>hive.metastore.uris</name>

<value>''</value>

</property>

<property>

<name>hive.conf.restricted.list</name> value>hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager</value> </property>

4. Copy hiveserver2-site.xml to /etc/hive/conf.server/

5. Restart hiveserver2

6. Use only beeline for SQL permissions

avatar
Master Collaborator

Hi:

After do this same error, here my xml file,

0: jdbc:hive2://lnxbig05.cajarural.gcr:10000> GRANT SELECT ON TABLE logs TO USER bigotes WITH GRANT OPTION;
Error: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=hive, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant] on Object [type=TABLE_OR_VIEW, name=default.logs]] (state=08S01,code=1)
[hive@lnxbig05 conf.server]$ pwd
/etc/hive/conf/conf.server
[hive@lnxbig05 conf.server]$ cat hiveserver2-site.xml
    <configuration>
    <property>
      <name>hive.conf.restricted.list</name>
      <value>hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager</value>
    </property>
    <property>
      <name>hive.metastore.uris</name>
      <value>thrift://lnxbig05.cajarural.gcr:9083</value>
    </property>
    <property>
      <name>hive.security.authenticator.manager</name>
      <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
    </property>
    <property>
      <name>hive.security.authorization.enabled</name>
      <value>true</value>
    </property>
    <property>
      <name>hive.security.authorization.manager</name>
      <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
    </property>

avatar
Master Mentor

@Roberto Sancho has this been addressed?