Support Questions

Find answers, ask questions, and share your expertise

hive error GRANT PERMISSIONS

avatar
Master Collaborator

Hi:

From my manager iam doing this:

hive> GRANT SELECT ON TABLE logs TO USER hue; 

FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=bigotes, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant] on Object [type=TABLE_OR_VIEW, name=default.logs]] 

hive>

I don't have Kerberos installed.

Any Bug???

Thanks

18 REPLIES 18

avatar

Your user bigotes may not have the privelege to grant select on that object.

Do the following:

> Su - hive

> hive

hive> grant select on TABLE logs to USER hue;

avatar
Master Guru

Hi @Roberto Sancho you can do what @Ancil McBarnett suggested, or you can give "grant option" to user bigotes. As the Hive service user (most likely "hive")

hive> grant ALL on TABLE logs to USER bigotes WITH GRANT OPTION;

Or you can give such permission to the database which contains table "logs". After this user bigotes can grant permissions to other users on this table. Note that Hive authorization is not completely secure. It's intended to prevent good user from accidentally doing bad things, it won't prevent bad users from doing bad things. Full specs is here.

avatar
Master Mentor

I think you need to run the below statement for the user bigotes this will allow him to grant the privileges to others.

> su - hive

> hive hive

> GRANT SELECT ON TABLE logs TO bigotes WITH GRANT OPTION;

avatar
Master Mentor

@Roberto Sancho Predag's response grants all privileges which is NOT what is advisable I would think limiting the grant OPTION for only select is a more secure approach

avatar
Master Collaborator

Thanks everyone but the same error:

[bigotes@lnxbig05 hadoop]$ su - hive
Password:
[hive@lnxbig05 ~]$ hive
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/2.3.2.0-2950/hadoop/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/2.3.2.0-2950/spark/lib/spark-assembly-1.4.1.2.3.2.0-2950-hadoop2.7.1.2.3.2.0-2950.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
WARNING: Use "yarn jar" to launch YARN applications.
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/2.3.2.0-2950/hadoop/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/2.3.2.0-2950/spark/lib/spark-assembly-1.4.1.2.3.2.0-2950-hadoop2.7.1.2.3.2.0-2950.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Logging initialized using configuration in file:/etc/hive/2.3.2.0-2950/0/hive-log4j.properties
hive> grant select on TABLE logs to USER hue;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=hive, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant] on Object [type=TABLE_OR_VIEW, name=default.logs]]
hive> grant ALL on TABLE logs to USER bigotes WITH GRANT OPTION;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. Permission denied: Principal [name=hive, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant, INSERT with grant, UPDATE with grant, DELETE with grant] on Object [type=TABLE_OR_VIEW, name=default.logs]]

avatar
Master Mentor

@Roberto Sancho check out my syntax GRANT SELECT ON TABLE logs TO bigotes WITH GRANT OPTION;

avatar
Master Mentor

This should solve the "Permission denied:Principal[name=hive, type=USER] does not have following privileges for operation GRANT_PRIVILEGE [[SELECT with grant, INSERT with grant, UPDATE with grant, DELETE with grant] on Object[type=TABLE_OR_VIEW, name=default.logs]"

avatar
Master Guru

Your syntax is wrong, USER in "TO USER <user-name>" is required.

avatar
Master Collaborator
hive> GRANT SELECT ON TABLE logs TO bigotes WITH GRANT OPTION;
NoViableAltException(231@[734:1: ddlStatement : ( createDatabaseStatement | switchDatabaseStatement | dropDatabaseStatement | createTableStatement | dropTableStatement | truncateTableStatement | alterStatement | descStatement | showStatement | metastoreCheck | createViewStatement | dropViewStatement | createFunctionStatement | createMacroStatement | createIndexStatement | dropIndexStatement | dropFunctionStatement | reloadFunctionStatement | dropMacroStatement | analyzeStatement | lockStatement | unlockStatement | lockDatabase | unlockDatabase | createRoleStatement | dropRoleStatement | ( grantPrivileges )=> grantPrivileges | ( revokePrivileges )=> revokePrivileges | showGrants | showRoleGrants | showRolePrincipals | showRoles | grantRole | revokeRole | setRole | showCurrentRole );])
        at org.apache.hadoop.hive.ql.parse.HiveParser$DFA12.specialStateTransition(HiveParser.java:47646)
        at org.antlr.runtime.DFA.predict(DFA.java:80)
        at org.apache.hadoop.hive.ql.parse.HiveParser.ddlStatement(HiveParser.java:2589)
        at org.apache.hadoop.hive.ql.parse.HiveParser.execStatement(HiveParser.java:1653)
        at org.apache.hadoop.hive.ql.parse.HiveParser.statement(HiveParser.java:1112)
        at org.apache.hadoop.hive.ql.parse.ParseDriver.parse(ParseDriver.java:202)
        at org.apache.hadoop.hive.ql.parse.ParseDriver.parse(ParseDriver.java:166)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:396)
        at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:308)
        at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1122)
        at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1170)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1059)
        at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1049)
        at org.apache.hadoop.hive.cli.CliDriver.processLocalCmd(CliDriver.java:213)
        at org.apache.hadoop.hive.cli.CliDriver.processCmd(CliDriver.java:165)
        at org.apache.hadoop.hive.cli.CliDriver.processLine(CliDriver.java:376)
        at org.apache.hadoop.hive.cli.CliDriver.executeDriver(CliDriver.java:736)
        at org.apache.hadoop.hive.cli.CliDriver.run(CliDriver.java:681)
        at org.apache.hadoop.hive.cli.CliDriver.main(CliDriver.java:621)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at org.apache.hadoop.util.RunJar.run(RunJar.java:221)
        at org.apache.hadoop.util.RunJar.main(RunJar.java:136)
FAILED: ParseException line 1:6 cannot recognize input near 'GRANT' 'SELECT' 'ON' in ddl statement