question Use Hive policies as access to database and ignore HDFS permissions to database file in Support Questions

Use Hive policies as access to database and ignore HDFS permissions to database file

frank93 — Fri, 04 Mar 2016 22:34:46 GMT

I use ambari v 2.1.1 and HDP 2.3. I would like to ask if there is a possibility to use Hive policies instead of HDFS policies to access a database in Hive. When I try to use select on any table in database I receive the following error:

FAILED: SemanticException Unable to determine if hdfs://MY_CLUSTER/apps/hive/warehouse/db_name.db/table_name is encrypted: org.apache.hadoop.security.AccessControlException: Permission denied: user=my_user (not hive), access=EXECUTE, inode="/apps/hive/warehouse/db_name.db/table_name":hive:hdfs:drwx------

I set hive.server2.enable.doAs to false, and any user should be interpreted as hive (in accessing to database) but is still interpreted as the user who calls to it. I would like users not to have access to databases (to prevent copying them or any other security reason) as a files in HDFS but their access should be configured in Ranger Hive policies only.

Could somebody help me to configure that? Thank you in advance.

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

umair_khan — Sat, 05 Mar 2016 04:45:31 GMT

You are correct there setting hive.server2.enable.doAs = false should run hive jobs as 'hive' user or the owner of hive daemon. After you make this change, you will need to restart hive service. Steps:

http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

Some additional information: Do you have Ranger up and running? Are Ranger hdfs and hive plugins enabled?

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

nsabharwal — Sat, 05 Mar 2016 10:26:04 GMT

@Edgar Daeds

FAILED:SemanticExceptionUnable to determine if hdfs://MY_CLUSTER/apps/hive/warehouse/db_name.db/table_name is encrypted:

Permission denied: user=my_user (not hive), access=EXECUTE, inode="/apps/hive/warehouse/db_name.db/table_name"

Do you have encryption in place?

my_user does not have x on that table

https://community.hortonworks.com/articles/10367/apache-ranger-and-hive-column-level-security.html

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

frank93 — Mon, 07 Mar 2016 16:24:23 GMT

Thank you guys for answers,

The problem occurs when I use Hive CLI. If I use Beeline CLI it works very well. So is it normal behavior and should I stop using Hive?

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

nsabharwal — Mon, 07 Mar 2016 16:31:25 GMT

@Edgar Daeds

The best practice is to stop using Hive CLI. For example: Ranger and Hive works with beeline. Hive CLI does not work with Ranger Hive policies

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

frank93 — Mon, 07 Mar 2016 18:01:14 GMT

Och, now I understand, thank you! And how about Hue, is it also using beeline?

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

nsabharwal — Mon, 07 Mar 2016 18:10:19 GMT

@Edgar Daeds I used Hue was a year ago because of Ambari views

http://docs.hortonworks.com/HDPDocuments/Ambari-2.2.1.0/bk_ambari_views_guide/content/ch_using_hive_view.html

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

frank93 — Mon, 07 Mar 2016 18:23:22 GMT

Thanks! I did not hear about Ambari views. I am going into it

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

nsabharwal — Mon, 07 Mar 2016 18:30:11 GMT

@Edgar Daeds See this https://community.hortonworks.com/content/kbentry/2947/new-visualization-feature-in-hive-view.html

Re: Use Hive policies as access to database and ignore HDFS permissions to database file

nsabharwal — Mon, 07 Mar 2016 18:31:00 GMT

@Edgar Daeds Please do accept the best answer to close this