Archives of Support Questions (Read Only)

sriramhadoop27 · ‎07-24-2018

Hi All,

Ranger plugin is enabled for hive and policy is created in hive for a particular user to get access only on 2 databases.

When the same user logs in to Zeppelin notebook and executes show databases command he could see all databases.

Below 2 lines are executed in zeppelin notebook:

%jdbc(hive)

show databases

The user can see all databases and he can create new database too!!!

How can we enforce ranger policy for a user when zeppelin notebook is used?

Thanks a lot for your time.

falbani · ‎07-24-2018

@Sriram So to summarize in order for impersonation to work in non-kerberized environment for zeppelin jdbc (hive) please follow the following steps:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

No need to enable the global settings, just with the defaults follow the steps listed above. I just tested this in my environment and is working fine.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

View solution in original post

sriramhadoop27 · ‎07-24-2018

I could see below line:

If Kerberos is not enabled on the cluster, no additional configuration steps are required.

Hence, I believe default configuration should work properly but it is in conflict with hive user in jdbc connector.

sriramhadoop27 · ‎07-24-2018

Also, hive.server2.enable.doAs is set to true.

falbani · ‎07-24-2018

@Sriram So to summarize in order for impersonation to work in non-kerberized environment for zeppelin jdbc (hive) please follow the following steps:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

No need to enable the global settings, just with the defaults follow the steps listed above. I just tested this in my environment and is working fine.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

falbani · ‎07-24-2018

@Sriram Did it work? Please keep me posted 🙂

sriramhadoop27 · ‎07-25-2018

@Felix Albani many many thanks for your continuous support. I will keep you posted, once after Ranger issue is resolved.

Thanks again.

sriramhadoop27 · ‎07-25-2018

Thanks a lot @Felix Albani...you solved my issue.

sriramhadoop27 · ‎07-25-2018

@Felix Albani...Yes your help is valuable and it worked but with one final question.

Do I need to modify credentials for each and every user? How to make it generic for all users at one go?

I am forced to modify credentials for testuser2.

zeppelinissue.jpg

sriramhadoop27 · ‎07-25-2018

@Felix Albani

I could see below lines from Zeppelin documentation.

In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.
Click edit, then add a hive.proxy.user.property property and set its value to hive.server2.proxy.user.
Click Save, then click restart to restart the JDBC interpreter.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_zeppelin-component-guide/content/config-...

I believe above should be sufficient enough.

As of now because of some issues we did disable plugin for Ranger and need to test it after 1-2 days once after ranger plugin is enabled.

I could not see any job being executed with Zeppelin user login ID even after adding above property.

Cloudera Community

Archives of Support Questions (Read Only)

Ranger policy not enforced in Zeppelin notebook - Using %jdbc(hive) displays all databases and tables.