0

I have not kerberos cluster Hadoop. I manage the permission hive, hdfs via Ranger. The Resource Path in Ranger for HDFS are:

/user/myLogin
/apps/hive/warehouse/mylogin_*
/apps/hive/warehouse

I can create a database in hive ( via console) also in Ambari. But when I remove the permission /apps/hive/warehouse I can't create a database in Hive (Console) but in Ambari I can create it.

This following the error:

hive> create database database_tesst;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTa                                                                                                                               sk. MetaException(message:org.apache.hadoop.security.AccessControlException: 
Permission denied: user=AAAAA, access=EXECUTE, 
inode="/apps/hive/warehouse/database_tesst.db":hdfs:hdfs:d---------
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPe                                                                                                                               rmissionChecker.java:353)

How can I create a database or runing a request in hive (console) without the permission /apps/hive/warehouse ? Because I should remove this permission from Ranger to allow access users only to there data.

Thank you

Dennis Jaheruddin
  • 21,208
  • 8
  • 66
  • 122
vero
  • 1,005
  • 6
  • 16
  • 29
  • 1
    if you do not manage permission for /apps/hive/warehouse/ from Ranger then HDFS file permissions are applied and it can be noticed that permissions are hdfs:hdfs:d--------- , i.e. no permission for user AAAAA. – Shubhangi Feb 06 '18 at 14:42
  • 1
    If Kerberos is not enabled, then **anyone can pretend to be a super-user** -- hence Ranger is just a waste of time. Unless super-users are black-listed in Hive (and Ranger). Anyway, try `export HADOOP_USER_NAME=hdfs` or `=hive` then start a new Hive session. – Samson Scharfrichter Feb 07 '18 at 08:31
  • Shubhangi, I manage the permission for /apps/hive/warehouse/ from Ranger – vero Feb 07 '18 at 09:26
  • @Samon Thank you for your answer. Which you mean by a black-list ? – vero Feb 07 '18 at 09:29

0 Answers0