https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-should-support-column-based-ACL-in-case-quot-Run-as/m-p/102738#M15171 <P>Hi <A rel="user" href="https://community.cloudera.com/users/790/joda.html" nodeid="790">@Junichi Oda</A> - This is expected behaviour and it is the reason why it is recommended to have all hive processes run as hive user when you secure Hive with ranger.</P><P>There are two options in order to secure access to hive with Ranger :</P><P><STRONG>Solution 1</STRONG></P><P>Use both a repository HDFS and Hive to handle rights </P><P> Keep "run as end user instead of hive" (hive.server2.enable.doAs=true) </P><P>This means the dual maintenance that you describe</P><P><STRONG>Solution 2</STRONG></P><P>Give rights to the hive user on the /apps/hive/warehouse arborescence in Ranger HDFS repository </P><P>Lock down filesystem permissions on HDFS (for example, chmod 750) </P><P>Use the Ranger Hive repository to handle rights on Hive tables </P><P>Run as hive instead of end user (hive.server2.enable.doAs=false)</P><P>---</P><P>Solution 2 is the way to go. You may be concerned about auditability, but the Hive audits in Ranger will show the correct user. The HDFS audits and the YARN audits will still show "hive" yes, but you will be able to tell who ran the query.</P> Fri, 15 Jan 2016 17:38:58 GMT agillan 2016-01-15T17:38:58Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-should-support-column-based-ACL-in-case-quot-Run-as/m-p/102737#M15170 <P>When I allow user1 to read the col1 column in the table on Hive, I will add the following policy to Hive service in Ranger.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1381-スクリーンショット-2016-01-15-165038.png" style="width: 902px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/23690iD39A08661B6086B2/image-size/medium?v=v2&amp;px=400" role="button" title="1381-スクリーンショット-2016-01-15-165038.png" alt="1381-スクリーンショット-2016-01-15-165038.png" /></span></P><P>However, this is not enough in case "Run as end user instead of Hive user = true".</P><P>I have to add the policy to HDFS service in Ranger.</P><P>The following table shows the policies at each ACL layer.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1382-スクリーンショット-2016-01-15-165544.png" style="width: 1776px;"><img src="https://community.cloudera.com/t5/image/serverpage/image-id/23691iC1AB906509C15A70/image-size/medium?v=v2&amp;px=400" role="button" title="1382-スクリーンショット-2016-01-15-165544.png" alt="1382-スクリーンショット-2016-01-15-165544.png" /></span></P><P>In this case, user1 can access to the entire table data by hdfs command or hive command without hiveserver2.</P><P>I think that Ranger support column based ACL in case when "Run as end user instead of Hive user" is true.</P> Mon, 19 Aug 2019 12:13:24 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-should-support-column-based-ACL-in-case-quot-Run-as/m-p/102737#M15170 joda 2019-08-19T12:13:24Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-should-support-column-based-ACL-in-case-quot-Run-as/m-p/102738#M15171 <P>Hi <A rel="user" href="https://community.cloudera.com/users/790/joda.html" nodeid="790">@Junichi Oda</A> - This is expected behaviour and it is the reason why it is recommended to have all hive processes run as hive user when you secure Hive with ranger.</P><P>There are two options in order to secure access to hive with Ranger :</P><P><STRONG>Solution 1</STRONG></P><P>Use both a repository HDFS and Hive to handle rights </P><P> Keep "run as end user instead of hive" (hive.server2.enable.doAs=true) </P><P>This means the dual maintenance that you describe</P><P><STRONG>Solution 2</STRONG></P><P>Give rights to the hive user on the /apps/hive/warehouse arborescence in Ranger HDFS repository </P><P>Lock down filesystem permissions on HDFS (for example, chmod 750) </P><P>Use the Ranger Hive repository to handle rights on Hive tables </P><P>Run as hive instead of end user (hive.server2.enable.doAs=false)</P><P>---</P><P>Solution 2 is the way to go. You may be concerned about auditability, but the Hive audits in Ranger will show the correct user. The HDFS audits and the YARN audits will still show "hive" yes, but you will be able to tell who ran the query.</P> Fri, 15 Jan 2016 17:38:58 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-should-support-column-based-ACL-in-case-quot-Run-as/m-p/102738#M15171 agillan 2016-01-15T17:38:58Z https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-should-support-column-based-ACL-in-case-quot-Run-as/m-p/102739#M15172 <P>Thank you very much for your reply and very helpful solutions.</P><P>I'd rather not manage both a repository HDFS and Hive if I can avoid it.</P><P>However, we manage Hadoop resources by the YARN queue assigned to each user.</P><P>For this reason I would like to keep "run as end user instead of hive"(hive.server2.enable.doAs=true).</P> Sat, 16 Jan 2016 20:23:59 GMT https://community.cloudera.com/t5/Archives-of-Support-Questions/Ranger-should-support-column-based-ACL-in-case-quot-Run-as/m-p/102739#M15172 joda 2016-01-16T20:23:59Z