
Personal DB's for users within same LDAP group

Hello

We have a Kerberized cluster with CDH 5.15.0 with Sentry enabled, integrated with LDAP, using Kerberos that exists on or is managed by the LDAP/AD.

I am trying to create personal Hive DBs for which only that user has access to objects under that DB. Facing a problem when providing/restricting access to a single user in the same LDAP group.

In Hue user admin, I am only able to grant/restrict permission for an LDAP group and not for an individual user.

We have 4-5 users in the same LDAP group for whom I am trying to create personal Hive DBs under their own HDFS home directory as default location (/user/user1).

Steps:

1. Created a group called (user1_group) in Hue Admin Groups (for user1).

2. Selected all permissions except useradmin.access and user1 as member.

3. Created a role in Hue --> Security --> Hive Tables --> Roles and selected user1_group, which only has 1 user in it.

4. Created a new Hive DB (user1db) with default location as /user/user1 (HDFS path).

5. Added privileges for the above role (from #3) with db=user1db --> table=ALL.

Just with the above steps, user1 should be able to see the newly created DB under their Hue/Hive or Impala (after metadata refresh). But they are not able to.

So, I changed the role (from #3) to reflect the LDAP group (ldap_group1) which user1 belongs to. Then user1 is able to view the DB.

6. When the user tried to create a table, he/she gets the below error.

user=hive, access=WRITE, inode="/user/user1":user1:user1:drwxr-xr-x ...."

7. Executed the below command so that hive gets access to the inode above.

hdfs dfs -setfacl -R -m user:hive:rwx /user/user1

8. user1 is able to create the table and perform various operations.

 

 

The problem here is, any user under the LDAP group (ldap_group1) who has permission to impersonate as hive or impala is able to create/delete tables in db_user1.

How can I restrict access to personal DBs only to that user without others having access to it?

What am I doing incorrectly in the above steps?

Thanks for the input/pointers.
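A defender-side check for the ACL that step 6 introduces (granting hive rwx on the home directory is what lets anyone who can impersonate hive write there): this Python script, added here and not part of the original post, parses `hdfs dfs -getfacl` output and flags named-user entries that give hive or impala effective write access. The service-user set and the sample getfacl text are constructed assumptions.

```python
"""Flag HDFS ACL entries that let the shared hive/impala service users write into a
personal home directory, as `setfacl -m user:hive:rwx` in step 6 does. Added example,
not from the original post; SERVICE_USERS and the sample getfacl text are constructed."""
from typing import Dict, List

SERVICE_USERS = {"hive", "impala"}  # assumption: the impersonating service principals

# Constructed sample shaped like `hdfs dfs -getfacl -R /user`; entries narrowed by the
# mask carry a trailing "#effective:" annotation, so /user/user3 is not really writable.
SAMPLE_GETFACL = """\
# file: /user/user1
user::rwx
user:hive:rwx
group::r-x
other::r-x

# file: /user/user3
user::rwx
user:impala:rwx\t#effective:r-x
group::r-x
mask::r-x
other::r-x
"""

def parse_getfacl(text: str) -> Dict[str, List[str]]:
    # Map each '# file:' path to its ACL entry lines; other comment lines are dropped.
    acls: Dict[str, List[str]] = {}
    path = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = []
        elif line and not line.startswith("#") and path is not None:
            acls[path].append(line)
    return acls

def risky_entries(entries: List[str]) -> List[str]:
    # Named-user entries (access or default) whose effective perms let a service user write.
    flagged = []
    for entry in entries:
        acl, _, effective = entry.partition("#effective:")
        fields = acl.strip().removeprefix("default:").split(":")
        if len(fields) != 3 or fields[0] != "user" or not fields[1]:
            continue  # user::, group, mask and other entries are not named users
        perms = effective.strip() if effective else fields[2]
        if fields[1] in SERVICE_USERS and "w" in perms:
            flagged.append(entry)
    return flagged

def audit(text: str) -> Dict[str, List[str]]:
    return {p: r for p, e in parse_getfacl(text).items() if (r := risky_entries(e))}
```

Run it over real `hdfs dfs -getfacl -R /user` output to list every home directory where the service user, and therefore every principal allowed to impersonate it, can write.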

 

 

 

 
