Contributor

Hive View 2.0 can be configured to show the Ranger policies associated with any table. This is not configured by default (as of HDP 2.6.3), so follow the steps below:

1. Go to Ambari Dashboard -> admin -> Manage Ambari

2. On the Manage Ambari page, under the Views section, expand Hive and then click on Hive View 2.0

3. Under the settings section, provide the details as shown below:

50386-hive-view-1.png

- Ranger Service Name: Go to the Ranger Admin UI and check the Ranger Service Name that is configured for Hive (as shown below). Here it is tsk_hive.

50387-hive-view-2.png

- Provide the Ranger Admin username and password as you have configured them

- WebHDFS Authentication for a Kerberos-enabled cluster: auth=KERBEROS;proxyuser=<proxyuser>

Provide the Ambari user principal name in place of <proxyuser>

4. After adding the above details, click on "Save". Leave the other settings as default.

Additional Steps (only when you are not using the local cluster):

- If you are using the Local Cluster, you do not need to change any parameters in the "cluster configuration" section.

- If you are using custom settings, provide the details as shown below:

50389-hive-view-3.png

Once you have provided the details, follow the steps below:

5. Go to Hive View 2.0 -> Tables -> click on the table for which you want to view the Ranger policies

6. Then click on the "Authorization" tab to view the Ranger policies, as shown below:

50390-hive-view4.png

Comments
Explorer

Thanks for documenting this Tamil. I find this feature quite useful when viewing permissions structures for DB instances and associated tables.

Explorer

Thanks a lot Tamil Selvan K for this article, it's very useful. I have a question, please, and I hope to find the best answer. I need to set permissions on a database and not on tables. I do not have a Kerberized Hadoop cluster. I manage the Hive and HDFS permissions via Ranger. The Resource Paths in Ranger for HDFS are:

/user/myLogin
/apps/hive/warehouse/mylogin_*
/apps/hive/warehouse
I can create a database in Hive (via the console) and also in Ambari. But when I remove the permission on /apps/hive/warehouse, I can't create a database in Hive (console), but in Ambari I can create it.
The following is the error:
hive> create database database_tesst;
FAILED: Execution Error, return code 1 from org.apache.hadoop.hive.ql.exec.DDLTask. MetaException(message:org.apache.hadoop.security.AccessControlException:
Permission denied: user=AAAAA, access=EXECUTE, 
inode="/apps/hive/warehouse/database_tesst.db":hdfs:hdfs:d---------
at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPe  

How can I create a database or run a request in Hive (console) without the permission on /apps/hive/warehouse? Because I should remove this permission from Ranger to allow users access only to their data.

Contributor

@SMACH H

You can follow the below:

1. Lock down the location in HDFS: set permission 700 on /apps/hive/warehouse
2. Add a policy to Ranger/Hive for database: *, allowing users to create databases.
(note that the ambari-qa user also needs access to database: * to complete the service check)

3. Allow access to individual databases via Ranger/Hive policies.

This blog post may be of interest: http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

Also you may explore the options with "hive.server2.enable.doAs"
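
To audit the policy layout suggested in the reply above, and to reproduce offline what the "Authorization" tab from the article lists for a table, the following added example (not part of the original article or replies, and not Ranger's own code) resolves which policies cover a given table and what they grant a user. The policies are constructed samples in the shape of Ranger's policy JSON; matching is simplified to allow items and fnmatch-style wildcards, and all names except tsk_hive and ambari-qa are assumptions.

```python
from fnmatch import fnmatchcase

def _p(name, db, tbl, users, groups, access, enabled=True, tbl_excl=False):
    """Build one policy in the shape of Ranger's policy JSON (allow items only)."""
    return {"name": name, "service": "tsk_hive", "isEnabled": enabled,
            "resources": {"database": {"values": [db]},
                          "table": {"values": [tbl], "isExcludes": tbl_excl}},
            "policyItems": [{"users": users, "groups": groups,
                             "accesses": [{"type": access, "isAllowed": True}]}]}

# Constructed sample policies; only the service name tsk_hive and the ambari-qa
# user come from the page. Everything else is made up for the example.
POLICIES = [
    _p("all-db-create", "*", "*", ["ambari-qa"], ["hive_users"], "create"),
    _p("sales-read", "sales_*", "*", ["alice"], [], "select"),
    _p("hr-except-salary", "hr", "salary", ["bob"], [], "select", tbl_excl=True),
    _p("legacy-all", "legacy", "*", ["carol"], [], "all", enabled=False),
]

def _matches(resource, name):
    """Wildcard match on one resource; isExcludes inverts the result."""
    if not resource:
        return False
    hit = any(fnmatchcase(name.lower(), v.lower()) for v in resource.get("values", []))
    return hit != resource.get("isExcludes", False)

def policies_for_table(policies, database, table):
    """Enabled policies whose database and table resources both cover the table."""
    return [p for p in policies if p.get("isEnabled", True)
            and _matches(p["resources"].get("database"), database)
            and _matches(p["resources"].get("table"), table)]

def allowed_accesses(policies, database, table, user, groups=()):
    """Map each access type granted to the user onto the policies granting it."""
    granted = {}
    for p in policies_for_table(policies, database, table):
        for item in p.get("policyItems", []):
            if user in item.get("users", []) or set(groups) & set(item.get("groups", [])):
                for acc in item.get("accesses", []):
                    if acc.get("isAllowed", True):
                        granted.setdefault(acc["type"], []).append(p["name"])
    return granted

if __name__ == "__main__":
    for db, tbl in [("sales_eu", "orders"), ("hr", "salary"), ("legacy", "t1")]:
        print(db, tbl, [p["name"] for p in policies_for_table(POLICIES, db, tbl)])
    print(allowed_accesses(POLICIES, "sales_eu", "orders", "alice", ["hive_users"]))
```

The run makes the breadth of a database: * policy visible: it appears for every table, so the accesses it grants should stay as narrow as the reply describes.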

Version history
Revision #:
2 of 2
Last update:
‎08-17-2019 09:25 AM
Updated by:
Contributor tsk Contributor