【Hive-权限】HiveAccessControlException Permission denied: CREATEFUNCTION

一.任务描述

 Error while compiling statement: FAILED:  HiveAccessControlException Permission denied: Principal [name=root, type=USER] does not have following privileges for operation 
 CREATEFUNCTION [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on 
 OUTPUT]

问题表象:使用root用户通过hive创建udf函数时报没有admin的权限。

相关配置:

设置成false则,yarn作业获取到的hiveserver2用户都为hive用户。
设置成true则为实际的用户名

  <property>
     <name>hive.server2.enable.doAs</name>
     <value>false</value>
  </property>

  <property>
	<name>hive.users.in.admin.role</name>               
	<value>taiyi</value>
  </property>

看到设置了hive.users.in.admin.role=taiyi,但执行时却报没有admin权限。。。那admin权限如何正确的设置和使用呢?

 

二. 解决

hive官网描述了关于SQL Standard Based Hive Authorization,即hive对执行sql时的鉴权。

https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization#SQLStandardBasedHiveAuthorization-Troubleshooting

The SQL standards based authorization option (introduced in Hive 0.13) provides a third option for authorization in Hive. This is recommended because it allows Hive to be fully SQL compliant in its authorization model without causing backward compatibility issues for current users. As users migrate to this more secure model, the current default authorization could be deprecated.

hive对标准sql鉴权提供了新的鉴权选择。且这种方式不会出现向后兼容的问题。当用户设置了此安全模型,默认的鉴权将会被弃用。

看下官网如何配置的admin权限

For Hive 0.14 and Newer
在这里插入图片描述
这里我们只关注前两项,其中第二项:hive.users.in.admin.role 描述了,此值生效之后,属于admin角色的用户在获得admin角色的权限之前需要执行“set role”命令,因为默认情况下该角色不在当前角色中。

 
这里大概知道了是因为没有执行:set role admin; 导致admin角色用户没有生效。

进入hive终端之后,执行set role admin; ,再执行udf的创建:

set role admin;

create temporary function ip_get as 'xxx.xxx.IpRegionUdf'
using
jar 'hdfs://namenode:9000/home/user/etl-hive-functions-1.0.jar';

 
官网的Troubleshooting也描述了此问题
在这里插入图片描述

至此解决;
https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization

CREATE TEMPORARY FUNCTION UUIDUDF AS 'com.haierubic.bigdata.commons.udf.UUIDUDF' . . . . . . . . . . . . . . . . . > USING JAR 'oss://datalake-01.cn-beijing.oss-dls.aliyuncs.com/config/bigdata-hiveudf-2.1-jar-with-dependencies.jar'; Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [hdop_upbrain] does not have [TEMPUDFADMIN] privilege on [global=uuidudf] (state=42000,code=40000) 0: jdbc:hive2://10.204.11.45:10000> CREATE FUNCTION UUIDUDF AS 'com.haierubic.bigdata.commons.udf.UUIDUDF' . . . . . . . . . . . . . . . . . > USING JAR 'oss://datalake-01.cn-beijing.oss-dls.aliyuncs.com/config/bigdata-hiveudf-2.1-jar-with-dependencies.jar'; INFO : Compiling command(queryId=hive_20230602122812_92858e15-5136-4e7d-9f51-3020f864aef2): CREATE FUNCTION UUIDUDF AS 'com.haierubic.bigdata.commons.udf.UUIDUDF' USING JAR 'oss://datalake-01.cn-beijing.oss-dls.aliyuncs.com/config/bigdata-hiveudf-2.1-jar-with-dependencies.jar' INFO : Concurrency mode is disabled, not creating a lock manager INFO : Semantic Analysis Completed (retrial = false) INFO : Returning Hive schema: Schema(fieldSchemas:null, properties:null) INFO : Completed compiling command(queryId=hive_20230602122812_92858e15-5136-4e7d-9f51-3020f864aef2); Time taken: 0.067 seconds INFO : Concurrency mode is disabled, not creating a lock manager INFO : Executing command(queryId=hive_20230602122812_92858e15-5136-4e7d-9f51-3020f864aef2): CREATE FUNCTION UUIDUDF AS 'com.haierubic.bigdata.commons.udf.UUIDUDF' USING JAR 'oss://datalake-01.cn-beijing.oss-dls.aliyuncs.com/config/bigdata-hiveudf-2.1-jar-with-dependencies.jar' INFO : Starting task [Stage-0:FUNC] in serial mode INFO : Added [/tmp/b11e4544-4a21-4dcf-87c5-fff8d91021e9_resources/bigdata-hiveudf-2.1-jar-with-dependencies.jar] to class path INFO : Added resources: [oss://datalake-01.cn-beijing.oss-dls.aliyuncs.com/config/bigdata-hiveudf-2.1-jar-with-dependencies.jar] INFO : Completed executing command(queryId=hive_20230602122812_92858e15-5136-4e7d-9f51-3020f864aef2); Time taken: 0.789 seconds INFO : OK INFO : Concurrency mode is disabled, not creating a lock manager No rows affected (0.881 seconds)
06-03
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

roman_日积跬步-终至千里

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值