Develop Reference

Adding permissions to create scheduled queries on Hive failing

I am having an issue trying to create some scheduled queries in Hive and I don't find what permission to add, I have tried to grant ALL on the database and nothing is changing.
My command is:
create scheduled query query_1_stream_1 cron '0 */1 * * * ? *' as
insert into stream_db.kafka_5m partition (st, hr)
...
Error:
Error while compiling statement: FAILED: SemanticException Permission denied: Principal [name=hive, type=USER] does not have following privileges for operation CREATE_SCHEDULED_QUERY [ADMIN PRIVILEGE on INPUT, ADMIN PRIVILEGE on OUTPUT]
Any idea what is the specific permission, as I said, I tried to add ALL permissions and the error persists.

The create_scheduled_query, as well as other similar hive operations, are privileges reserved for the hive's admins, this means that you need to assign the admin role to the user or users that you want to execute those privileged operations.
This is the configuration that you need:
hive.server2.enable.doAs=false
hive.security.authorization.enabled=true
hive.security.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory
hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator
hive.users.in.admin.role=<admin user>
Let's talk about the configuration a little:
The hive.server2.enable.doAs will make your queries run as hive, this is the Hive impersonation feature, it is not really required for this role addition, but usually you want the user hive to the admin.
The 2nd, 3rd and 4th are not mandatory and you might have other values in them.
The 5th is the magic one, this indicates which users are admins, you need to list the users that you want to have those privileges here as follows:
hive.users.in.admin.role=hive
Then, open up your hive CLI or beeline and run the following:
set role admin;
This set is required even if your user is admin in the configuration, the hive user is not running as admin automatically never, you need to 1. have the role, and 2. enable the role in the CLI.
At this point, you should be able to create your schedules, alter them, drop them, etc.

Hive permission denied for user anonymous using beeline shell

I created a 3 node Hadoop cluster with 1 namenode and 2 datanode.
I can perform a read/write query from Hive shell, but not beeline.
I found many suggestions and answers related to this issue.
In every suggestion it was mentioned to give the permission for the userX for each individual table.
But I don't know how to set the permission for an anonymous user once and for all.
Why I am getting the user anonymous while accessing the data from beeline or from a Java program?
I am able to read the data from the both beeline shell and using Java JDBC connection.
But I can't insert the data in the table.
This is my jdbc connection : jdbc:hive2://hadoop01:10000.
Below is the error i am getting while on insert request:
Permission denied: user=anonymous, access=WRITE, inode="/user/hive/warehouse/test_log/.hive-staging_hive_2017-10-07_06-54-36_347_6034469031019245441-1":hadoop:supergroup:drwxr-xr-x

Beeline syntax is
beeline -n username -u "url"
I assume you are missing the username. Also, no one but the hadoop user has WRITE access to that table anyway
If you don't have full control over the table permissions, you can try relocating the staging directory with the setting hive.exec.stagingdir

If no database is specified in the connection URL to connect, like
jdbc:hive2://hadoop01:10000/default
then beeline connects to the database DEFAULT , and while inserting the data into the table - first the data is loaded to a temporary table in default database and then loaded to the actual table.
So, you need to give the user access to the DEFAULT database also, or you can connect to the databases where you have access to.
jdbc:hive2://hadoop01:10000/your_db

pg_dump: [archiver (db)] query failed: ERROR: permission denied for relation abouts

I'm trying to dump my pg db but got these errors please suggest
pg_dump: [archiver (db)] query failed: ERROR: permission denied for relation abouts
pg_dump: [archiver (db)] query was: LOCK TABLE public.abouts IN ACCESS SHARE MODE

The user which you're performing your pg_dump as doesn't have permissions on the public schema.
Add permissions if allowed:
GRANT USAGE ON SCHEMA public TO <user>;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO <user>;

This can be a common error, when using a ROLE (user) that could not open the objects to dump them.
Like said before, you can grant to the specific schema that you want to dump, or even use a ROLE with SUPERUSER attribute.
Note that when you are dealing with some cloud database providers, like AWS/RDS you will not receive a user with the SUPERUSER attribute, so you will need to manage to make sure that the one used to dump will have all access needed.
https://www.postgresql.org/docs/current/static/sql-grant.html will show how give GRANT to many objects on your database, but also remember that when restoring you will need to create the database first. Only if you are using pg_dumpall that is not necessary, but you also need to dump the ROLES.

Change the permission to the user: login as sudo user by using following cmd
sudo -u postgres psql
Alter the user role
alter role <user-name> superuser;

Hive User Impersonation

I need some information on Hive user impersonation. I did some research on it and found that by default HiveServer2 performs a query processing as the user who submitted query but if hive.server2.enable.doAs set it to false then query will be run as user who started hiveserver2 process.
I need to a create jdbc/thirft connection with hiveserver2 with service account (let’s say with user ‘ABC’ is logged in) but would like to run my hive statement with user that I pass , for example with user ‘XYZ’.
Let me know if anyone has done this before.
Is it possible to do this for Hive ?

With Hive impersonation enabled , you can run your queries that you will pass along with connection string .
For Example
jdbc:hive2://localhost:10000/default,username,password
In this case , your job will run with username that you are passing instead of hive user.
hope this helps.

Unable to update hive table via JDBC

I am unable to do an Update to my hive table via JDBC. I able to Select, but not Update.
Connecting to the hive database:
Connection connection =
DriverManager.getConnection("jdbc:hive2://localhost:10000/db", "", "");
My query:
ResultSet resultSet = statement.executeQuery("update db.test set name='yo yo' where id=1");
Stacktrace:
java.sql.SQLException: Error while processing statement: FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.MoveTask
at org.apache.hive.jdbc.HiveStatement.execute(HiveStatement.java:275)
at org.apache.hive.jdbc.HiveStatement.executeQuery(HiveStatement.java:355)
at com.spnotes.hive.App.main(App.java:63)
Again, I am able to Select but not Update via JDBC. I am however, able to Update my table via the hive shell only. I believe this is a user permissions issue. I have seen other problems where an HDFS directory needed to be granted permissions before it could be written to.
I had to invoke my hive shell with my HDFS user as so:
sudo -u hdfs hive
Can I somehow pass a "hfds" user via JDBC? It does not look like this is possible. This is how I'm thinking the exception will not happen anymore.
Here is the "secure way" of passing in a username and password as so:
Connection con = DriverManager.getConnection("jdbc:hive2:/hiveserver.domain.com:10000/default;user=username;password=password");
BUT this is NOT the same thing as passing the user hdfs. Perhaps it is possible to link the "username" with permissions to update the hive table?
Any help is welcome. Thanks!

You are trying to pass a update statement in a executeQuery()
For security reasons, any update statement will fail when using this method. Change it to executeUpdate()
Also, instead of using queries like this, I suggest using Prepared Statements, since by using parameters you make it less vulnerable to SQL Injections