https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96268#M59596 <P><A rel="user" href="https://community.cloudera.com/users/140/nsabharwal.html" nodeid="140">@Neeraj Sabharwal</A>, I'm a bit confused on this impersonation concept. I understand the resource reuse benefits part. But, if I have different users running Hive queries and they all run as the "hive" user, then what is to prevent one user's "insert overwrite directory "some_relative_dir" select from ...." results from overwriting some other users query that just happens to pick the same directory path? If a relative path is supplied, then Hive will write the results to "/user/hive/some_relative_dir".</P><P>I tried to read the best practices link at the end of this post but the page is not loading.</P> Tue, 03 May 2016 04:27:26 GMT Mark_Petronic 2016-05-03T04:27:26Z https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96263#M59591 <P>Customer wants Hive column level ACLs to be set up in Ranger, so we suggested to set Hive doAs property to 'false' to impersonate as hive user and set Hive Column level ACLs in ranger. In this case all the jobs will be shown as to run as 'hive' user in Resource manager. At the same time, customer wants to know the resource utilization at the user level. Which is not possible because all the jobs will be run as hive user. Is there a way out to satisfy customer's requirement ? Thanks</P> Fri, 30 Oct 2015 01:59:20 GMT https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96263#M59591 hrongali 2015-10-30T01:59:20Z https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96264#M59592 <P>Set enable.doAs to "False"...This is really good explanation <A target="_blank" href="http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.3.2/bk_performance_tuning/bk_performance_tuning-20150930.pdf">Link</A></P><P>When set to "false," the Hive user identity is used instead of the individual user identities for YARN. <STRONG>This setting enhances security and reuse</STRONG>:</P><P> hive.server2.enable.doAs=false </P><P>Note When doAs is set to false, queries execute as the Hive user and not the end user. When multiple queries run as the Hive user, they can share resources. Otherwise, YARN does not allow resources to be shared across different users. When the Hive user executes all of the queries, a Tez session opened for one query and is holding onto resources can use those resources for the next query without re-allocation.</P> Fri, 30 Oct 2015 02:27:21 GMT https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96264#M59592 nsabharwal 2015-10-30T02:27:21Z https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96265#M59593 <P>In that case, if the admin wants to see how much resources (lets say number of containers &amp; vcores) used by a particular user 'user1', how can he get those statistics ?</P> Fri, 30 Oct 2015 02:40:11 GMT https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96265#M59593 hrongali 2015-10-30T02:40:11Z https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96266#M59594 <P>This is applicable to Hive only. Non-Hive/Yarn jobs will be coming from users running the job. </P><P><A href="http://community.hortonworks.com/questions/2408/ranger-implementation-hive-impersonation-false.html#">@hrongali@hortonworks.com</A></P> Fri, 30 Oct 2015 03:10:36 GMT https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96266#M59594 nsabharwal 2015-10-30T03:10:36Z https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96267#M59595 <P>The below Blog provides very good guideline too:</P><P><A href="https://urldefense.proofpoint.com/v2/url?u=http-3A__hortonworks.com_blog_best-2Dpractices-2Dfor-2Dhive-2Dauthorization-2Dusing-2Dapache-2Dranger-2Din-2Dhdp-2D2-2D2_&amp;d=CwMFEA&amp;c=lcVbikor4usg5Rj5OmznbA&amp;r=vi0LsQLuHXrgYMtd-7XTWvucjwoxEpBfsGKa6LO3nQw&amp;m=VTBTasxxfALhDNl54i7nVRklLidkeCFhgCRAUtt8oUw&amp;s=1NM1bkcUBmvlIQZ5-K9p5loO3aryBVP6yPVmI0aLsZo&amp;e=">http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/</A></P> Tue, 10 Nov 2015 00:58:06 GMT https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96267#M59595 hrongali 2015-11-10T00:58:06Z https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96268#M59596 <P><A rel="user" href="https://community.cloudera.com/users/140/nsabharwal.html" nodeid="140">@Neeraj Sabharwal</A>, I'm a bit confused on this impersonation concept. I understand the resource reuse benefits part. But, if I have different users running Hive queries and they all run as the "hive" user, then what is to prevent one user's "insert overwrite directory "some_relative_dir" select from ...." results from overwriting some other users query that just happens to pick the same directory path? If a relative path is supplied, then Hive will write the results to "/user/hive/some_relative_dir".</P><P>I tried to read the best practices link at the end of this post but the page is not loading.</P> Tue, 03 May 2016 04:27:26 GMT https://community.cloudera.com/t5/Support-Questions/Ranger-implementation-Hive-impersonation-false/m-p/96268#M59596 Mark_Petronic 2016-05-03T04:27:26Z