[Bug report] Hive metastore authentication failed when creating a role #4960
yangyuxia pushed a commit to yangyuxia/gravitino_from_apache that referenced this issue (Sep 19, 2024)

yangyuxia pushed a commit to yangyuxia/gravitino_from_apache that referenced this issue (Sep 20, 2024)
…checking whether securable object exists in createRole() method

yangyuxia pushed a commit to yangyuxia/gravitino_from_apache that referenced this issue (Sep 20, 2024)
…checking whether securable object exists in createRole() method

jerryshao pushed a commit that referenced this issue (Sep 20, 2024)
…ng whether securable object exists in createRole() method (#4971)

### What changes were proposed in this pull request?
put the check code into the code block Utils.doAs.

### Why are the changes needed?
Fix: #4960

### Does this PR introduce _any_ user-facing change?
Passing identity authentication information when checking hive resource

### How was this patch tested?
yes, finish functional test by hand, based on the hive metastore with kerberos authentication enabled

Co-authored-by: yangyx <[email protected]>

jerryshao pushed a commit to jerryshao/gravitino that referenced this issue (Sep 21, 2024)
…checking whether securable object exists in createRole() method (apache#4971)

### What changes were proposed in this pull request?
put the check code into the code block Utils.doAs.

### Why are the changes needed?
Fix: apache#4960

### Does this PR introduce _any_ user-facing change?
Passing identity authentication information when checking hive resource

### How was this patch tested?
yes, finish functional test by hand, based on the hive metastore with kerberos authentication enabled

Co-authored-by: yangyx <[email protected]>

yuqi1129 pushed a commit that referenced this issue (Sep 21, 2024)
…ng whether securable object exists in createRole() method (#4978)

### What changes were proposed in this pull request?
put the check code into the code block Utils.doAs.

### Why are the changes needed?
Fix: #4960

### Does this PR introduce _any_ user-facing change?
Passing identity authentication information when checking hive resource

### How was this patch tested?
yes, finish functional test by hand, based on the hive metastore with kerberos authentication enabled.

Co-authored-by: yangyuxia <[email protected]>
Co-authored-by: yangyx <[email protected]>

Version
main branch
Describe what's wrong
Failed to create the role, hive metastore reported the following error:
Error message and/or stacktrace
2024-09-19T11:01:38,837 INFO [pool-8-thread-198]: metastore.HiveMetaStore (HiveMetaStore.java:logInfo(895)) - 28: get_database: abc
2024-09-19T11:01:38,837 INFO [pool-8-thread-198]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(347)) - ugi=anonymous ip=10.19.28.17 cmd=get_database: abc
2024-09-19T11:01:38,839 INFO [pool-8-thread-198]: metastore.HiveMetaStore (HiveMetaStore.java:newRawStoreForConf(717)) - 28: Opening raw store with implementation class:org.apache.hadoop.hive.metastore.ObjectStore
2024-09-19T11:01:38,995 INFO [pool-8-thread-198]: metastore.ObjectStore (ObjectStore.java:initializeHelper(481)) - ObjectStore, initialize called
2024-09-19T11:01:39,003 INFO [pool-8-thread-198]: metastore.MetaStoreDirectSql (MetaStoreDirectSql.java:(186)) - Using direct SQL, underlying DB is MYSQL
2024-09-19T11:01:39,003 INFO [pool-8-thread-198]: metastore.ObjectStore (ObjectStore.java:setConf(396)) - Initialized ObjectStore
2024-09-19T11:01:39,039 ERROR [pool-8-thread-198]: metastore.RetryingHMSHandler (RetryingHMSHandler.java:invokeInternal(197)) - MetaException(message:java.lang.reflect.InvocationTargetException)
at org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener.metaException(AuthorizationPreEventListener.java:430)
at org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener.authorizeReadDatabase(AuthorizationPreEventListener.java:214)
at org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener.onEvent(AuthorizationPreEventListener.java:153)
at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.firePreEvent(HiveMetaStore.java:3220)
at org.apache.hadoop.hive.metastore.HiveMetaStore$HMSHandler.get_database(HiveMetaStore.java:1351)
at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.hive.metastore.RetryingHMSHandler.invokeInternal(RetryingHMSHandler.java:147)
at org.apache.hadoop.hive.metastore.RetryingHMSHandler.invoke(RetryingHMSHandler.java:108)
at com.sun.proxy.$Proxy31.get_database(Unknown Source)
at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:14424)
at org.apache.hadoop.hive.metastore.api.ThriftHiveMetastore$Processor$get_database.getResult(ThriftHiveMetastore.java:14408)
at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:636)
at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor$1.run(HadoopThriftAuthBridge.java:631)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1762)
at org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge$Server$TUGIAssumingProcessor.process(HadoopThriftAuthBridge.java:631)
at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.hadoop.hive.ql.metadata.HiveException: java.lang.reflect.InvocationTargetException
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:415)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:373)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:346)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.authorize(StorageBasedAuthorizationProvider.java:154)
at org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener.authorizeReadDatabase(AuthorizationPreEventListener.java:208)
... 23 more
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.GeneratedMethodAccessor13.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.hadoop.hive.shims.Hadoop23Shims.checkFileAccess(Hadoop23Shims.java:927)
at org.apache.hadoop.hive.common.FileUtils.checkFileAccessWithImpersonation(FileUtils.java:402)
at org.apache.hadoop.hive.common.FileUtils.checkFileAccessWithImpersonation(FileUtils.java:370)
at org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider.checkPermissions(StorageBasedAuthorizationProvider.java:408)
... 27 more
Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException): Permission denied: user=anonymous, access=READ, inode="/warehouse/tablespace/managed/hive/abc.db"
at org.apache.ranger.authorization.hadoop.RangerHdfsAuthorizer$RangerAccessControlEnforcer.checkPermission(RangerHdfsAuthorizer.java:466)
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:241)
at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1909)
at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1893)
at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:1843)
at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.checkAccess(FSNamesystem.java:8367)
at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.checkAccess(NameNodeRpcServer.java:2331)
at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.checkAccess(ClientNamenodeProtocolServerSideTranslatorPB.java:1752)
at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
at org.apache.hadoop.ipc.ProtobufRpcEngine2$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine2.java:532)
at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:1070)
at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:1020)
at org.apache.hadoop.ipc.Server$RpcCall.run(Server.java:948)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:422)
at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1845)
at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2952)
How to reproduce
0.6.0
Additional context
curl -X POST -H "Accept: application/vnd.gravitino.v1+json" -H "Content-Type: application/json" \
-H "Authorization: Bearer ${access_token}" -d '{
"name": "role1",
"properties": {"k1": "v1"},
"securableObjects": [
{
"fullName": "dp_hive.abc",
"type": "SCHEMA",
"privileges": [
{
"name": "USE_SCHEMA",
"condition": "ALLOW"
}
]
}
]
}' http://localhost:8090/api/metalakes/test/roles
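
A triage sketch for the failure reported above, added here as an example and not part of the issue or the Gravitino code base: it scans Hive metastore logs for audit records whose `ugi` is `anonymous` and pairs each with the storage denial logged afterwards on the same worker thread. The sample log is constructed from lines in the report plus one hypothetical authenticated call (`svc_gravitino@EXAMPLE.COM` is an invented principal), and the function name is an assumption.

```python
import re

# Prefix of every timestamped metastore log line: time, level, [worker thread].
HEAD_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:,]+)\s+\w+\s+\[(?P<thread>[^\]]+)\]:")
# Audit record emitted by HiveMetaStore.logAuditEvent.
AUDIT_RE = re.compile(r"ugi=(?P<ugi>\S+)\s+ip=(?P<ip>\S+)\s+cmd=(?P<cmd>.+)$")
# Storage-level denial that appears in the "Caused by" chain.
DENY_RE = re.compile(
    r'Permission denied: user=(?P<user>[^,]+), access=(?P<access>\w+), inode="(?P<inode>[^"]+)"')

# Constructed sample: three lines shaped like the report, plus one hypothetical
# authenticated call (svc_gravitino@EXAMPLE.COM is an invented principal).
SAMPLE_LOG = """\
2024-09-19T11:01:38,837 INFO [pool-8-thread-198]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(347)) - ugi=anonymous ip=10.19.28.17 cmd=get_database: abc
2024-09-19T11:01:39,039 ERROR [pool-8-thread-198]: metastore.RetryingHMSHandler (RetryingHMSHandler.java:invokeInternal(197)) - MetaException(message:java.lang.reflect.InvocationTargetException)
Caused by: org.apache.hadoop.ipc.RemoteException(org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException): Permission denied: user=anonymous, access=READ, inode="/warehouse/tablespace/managed/hive/abc.db"
2024-09-19T11:02:10,112 INFO [pool-8-thread-201]: HiveMetaStore.audit (HiveMetaStore.java:logAuditEvent(347)) - ugi=svc_gravitino@EXAMPLE.COM ip=10.19.28.17 cmd=get_database: abc
"""

def find_unauthenticated_calls(log_text, unauthenticated=("anonymous",)):
    """Return audit events whose caller (ugi) is unauthenticated, each with the
    storage denials logged afterwards on the same worker thread."""
    findings, open_event, thread = [], {}, None
    for line in log_text.splitlines():
        head = HEAD_RE.match(line)
        if head:
            thread = head["thread"]  # untimestamped trace lines inherit this thread
            audit = AUDIT_RE.search(line) if "HiveMetaStore.audit" in line else None
            if audit:
                open_event.pop(thread, None)  # a new call on this thread closes the old one
                if audit["ugi"] in unauthenticated:
                    event = {"ts": head["ts"], "thread": thread, **audit.groupdict(), "denials": []}
                    findings.append(event)
                    open_event[thread] = event
        deny = DENY_RE.search(line)
        event = open_event.get(thread)
        if deny and event and deny["user"] == event["ugi"]:
            event["denials"].append(deny.groupdict())
    return findings

if __name__ == "__main__":
    for ev in find_unauthenticated_calls(SAMPLE_LOG):
        print(ev["ts"], ev["thread"], ev["cmd"], "->", ev["denials"])
```

Attributing untimestamped stack-trace lines to the most recent timestamped thread is a heuristic; on a busy metastore with interleaved output, confirm each pairing against the thread name.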