hive user unable to access external table data after Sentry enabled
Created on ‎07-27-2015 03:53 PM - edited ‎09-16-2022 02:35 AM
Hello All,
I'm facing an access problem with the hive user when querying an external table in CDH 5.3.2 after Sentry was enabled.
I created an external table on top of a mapreduce output directory in HDFS. After the mapreduce job, when I query the external table it says:
Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.hadoop.security.AccessControlException): Permission denied: user=hive, access=READ_EXECUTE, inode="/data/payload_preprocessor/maptemp":svcvmhdpdev:hadoop:drwxrwx---
where svcvmhdpdev is the user who launched the mapreduce job and
/data/payload_preprocessor/maptemp is the mapreduce output directory (I also created the external table using this location).
I used the following query to grant ALL privileges to the hive user, but it's not working:
GRANT ALL ON URI 'hdfs://data/payload_preprocessor/maptemp' TO ROLE admin_role;
The only option is to set HDFS ACLs, but /data/payload_preprocessor/maptemp is a mapreduce output directory which needs to be deleted every time before the mapreduce job.
The question is: how do I grant read permissions to the hive user permanently, even when the directory is deleted and created again?
Thanks,
Venu
Created ‎07-28-2015 05:54 AM
Hey venu123,
Hive does not pass through Sentry so it will not adhere to any rules you set directly in Sentry, it only looks at FACLs. To manage HDFS permissions with Sentry you have to enable the plugin for HDFS/Sentry sync and configure it appropriately. With the sync enabled, Hive checks the configuration then references the group in Sentry, but the group will be applied authentically as a FACL by Sentry.
To get items working, use the "hadoop fs -setfacl" command to add the user as a FACL. To have the user added authentically as files are deleted and created, add them to the default ACL on the root folder. (Please note this was hit and miss for me, sometimes it worked, other times it did not.)
Example: add to the default ACL
hadoop fs -setfacl -R -m default:user:username:r-x /<path>
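To confirm that a recreated output directory really picked up the default ACL from its parent, the `hadoop fs -getfacl` output for that directory can be checked for the hive user's effective permission (the named-user entry limited by the mask entry). This is an added example, not part of the original thread; the function names are hypothetical and the getfacl samples are constructed.

```sh
# Added example (not from the thread). Function names are hypothetical and the
# getfacl samples are constructed; real input comes from:
#   hadoop fs -getfacl /data/payload_preprocessor/maptemp

# perm_and A B: intersect two rwx strings, e.g. "r-x" and "r--" give "r--".
perm_and() {
  _out=""
  for _pat in 'r??:r' '?w?:w' '??x:x'; do
    _glob=${_pat%%:*}; _bit=${_pat##*:}
    case $1 in $_glob) case $2 in $_glob) _out="$_out$_bit"; continue ;; esac ;; esac
    _out="$_out-"
  done
  printf '%s\n' "$_out"
}

# effective_perm USER: read getfacl output on stdin; print the named-user access
# entry ANDed with the mask entry, or "---" when the user has no entry.
effective_perm() {
  _entry=""; _mask="rwx"
  while IFS= read -r _line; do
    case $_line in
      "user:$1:"*) _e=${_line#"user:$1:"}; _entry=${_e%"${_e#???}"} ;;
      mask::*)     _m=${_line#mask::};     _mask=${_m%"${_m#???}"} ;;
    esac
  done
  if [ -z "$_entry" ]; then echo "---"; else perm_and "$_entry" "$_mask"; fi
}

# can_list USER: succeed only with effective r and x (READ_EXECUTE in the error).
can_list() {
  case $(effective_perm "$1") in r?x) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: recreated directory that inherited the parent's default ACL.
SAMPLE_INHERITED='# file: /data/payload_preprocessor/maptemp
user::rwx
user:hive:r-x
group::rwx
mask::rwx
other::---'

# Constructed sample: the entry is present but the mask strips execute.
SAMPLE_MASKED='# file: /data/payload_preprocessor/maptemp
user::rwx
user:hive:r-x #effective:r--
group::rwx #effective:r--
mask::r--
other::---'
```

Against a live cluster the check would be run as `hadoop fs -getfacl <dir> | can_list hive` right after the job recreates the directory.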
Created ‎07-27-2015 09:14 PM
I think default ACLs are the solution to inherit the parent directory's ACLs. Still not clear why GRANT ALL ON URI 'hdfs://data/payload_preprocessor/maptemp' TO ROLE admin_role; is not working 😞
Thanks,
Venu
