https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199583#M161616 <A rel="user" href="https://community.cloudera.com/users/44533/pee.html" nodeid="44533">@Pee Tankulrat</A><P>Yes, the policy usually denied all except when there's an access policy for it. This should be ok.</P> Wed, 07 Feb 2018 08:09:27 GMT sandyy006 2018-02-07T08:09:27Z https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199580#M161613 <P>I've set up ranger on my cluster to enforce permission on databases. It works fantastically with ODBC connections. However, I also have a pyspark kernel for Jupyter Notebook running on the server, which completely bypass any policies applied i.e. by calling HiveContext any users access any database regardless of the permissions I setup on Ranger Hive.</P><P>Hive authorization is my primary goal but SparkContext on my Jupyter Notebook would be invaluable as well. Any pointers on how to set this up correctly is highly appreciated.</P><P>Thank you.</P> Thu, 01 Feb 2018 12:34:31 GMT https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199580#M161613 pee 2018-02-01T12:34:31Z https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199581#M161614 <P><A rel="user" href="https://community.cloudera.com/users/44533/pee.html" nodeid="44533">@Pee Tankulrat</A>, As of now Spark will not honour hive acl's. One thing you can do is to add rules for the underlying HDFS directory of a hive db and precent users to access it. </P> Fri, 02 Feb 2018 09:23:34 GMT https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199581#M161614 sandyy006 2018-02-02T09:23:34Z https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199582#M161615 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="56554-ranger.png" style="width: 1883px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/17629iB5A29561F1BBFCDC/image-size/medium?v=v2&amp;px=400" role="button" title="56554-ranger.png" alt="56554-ranger.png" /></span></P><P>Thank you <a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/18329">@Sandeep</a> Nemuri for your tips. But, I went over to my Ranger's HDFS policy and saw that currently the users do not have direct access to the hive directory? As the policy is usually deny all except when there's an access policy for it?</P><P>Do I have to modify this policy?</P> Sun, 18 Aug 2019 05:53:11 GMT https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199582#M161615 pee 2019-08-18T05:53:11Z https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199583#M161616 <A rel="user" href="https://community.cloudera.com/users/44533/pee.html" nodeid="44533">@Pee Tankulrat</A><P>Yes, the policy usually denied all except when there's an access policy for it. This should be ok.</P> Wed, 07 Feb 2018 08:09:27 GMT https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199583#M161616 sandyy006 2018-02-07T08:09:27Z https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199584#M161617 <A rel="user" href="https://community.cloudera.com/users/44533/pee.html" nodeid="44533">@Pee Tankulrat</A><P>Also make sure that it is not failing back to POSIX permission.</P><P>Remove all POSIX permission from the directory using hdfs dfs -chmod</P> Wed, 07 Feb 2018 08:18:15 GMT https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199584#M161617 rpathak 2018-02-07T08:18:15Z https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199585#M161618 <P>Thanks <A rel="user" href="https://community.cloudera.com/users/10159/snemuri.html" nodeid="10159">@Sandeep Nemuri</A> and <A rel="user" href="https://community.cloudera.com/users/10322/rpathak.html" nodeid="10322">@Rahul Pathak</A></P><P>I think the POSIX permission is most likely what's bypassing this. I'll give it a try and let you know again.</P><P>Since then I have spotted another problem with group policy in Ranger. </P><P>It appears that users' group doesn't seems to be working for us (allowing a group that the user is a member of, does not grant access). I've try setting hive group based policy (Authenticated with LDAP), but none seems to be working (User based policy works flawlessly). Am I missing anything?</P> Wed, 07 Feb 2018 09:56:05 GMT https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199585#M161618 pee 2018-02-07T09:56:05Z https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199586#M161619 <P><A rel="user" href="https://community.cloudera.com/users/44533/pee.html" nodeid="44533">@Pee Tankulrat</A>, As Rahul mentioned you need to make sure that policy is not failing back to POSIX permission. And for group policy issue, you may ask another question with more details.</P> Thu, 08 Feb 2018 13:53:39 GMT https://community.cloudera.com/t5/Support-Questions/How-to-prevent-access-to-hive-database-via-hivecontext/m-p/199586#M161619 sandyy006 2018-02-08T13:53:39Z