问题记录:hive3.x ,管理员hadoop用户拥有创建database权限,创建guest_tmp 数据库并赋all权限后,使用其他用户登录无法建表报错:Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: Principal [name=guest, type=USER] does not have
following privileges for operation CREATETABLE [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=guest_tmp]] (state=42000,code=40000)
如下:1. 使用hadoop用户登录beeline:
set role admin;
grant all on database guest_tmp to user guest;
show grant user guest on database guest_tmp;
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| database | table | partition | column | principal_name | principal_type | privilege | grant_option | grant_time | grantor |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
| guest_tmp | | | | guest | USER | DELETE | false | 1629294254000 | hadoop |
| guest_tmp | | | | guest | USER | INSERT | false | 1629294254000 | hadoop |
| guest_tmp | | | | guest | USER | SELECT | false | 1629294254000 | hadoop |
| guest_tmp | | | | guest | USER | UPDATE | false | 1629294254000 | hadoop |
+------------+--------+------------+---------+-----------------+-----------------+------------+---------------+----------------+----------+
2. 使用guest用户登录beeline,执行建表语句报错
0: jdbc:hive2://172-16-16-239:10000> create table guest_tmp.test1(id int) ;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: Principal [name=guest, type=USER] does not have
following privileges for operation CREATETABLE [[OBJECT OWNERSHIP] on Object [type=DATABASE, name=guest_tmp]] (state=42000,code=40000)
以为是hdfs目录权限问题,改变属组后仍然同样错误。
修改数据库guest_tmp的OWNER
ALTER DATABASE guest_tmp SET OWNER user guest;
再次使用guset用户建表成功,问题解决!!
另外,将表的owner设置为guest后hadoop用户却没有权限,
优雅解决方式,可创建guest_tmp_role组,
将hadoop和guset用户加入组中:
GRANT ROLE role_name TO USER user1 ;
并将数据库guest_tmp的role设置成guest_tmp_role后,2个用户都有建表权限:
ALTER DATABASE guest_tmp SET OWNER role guest_tmp_role;