11-05-2018 11:03 AM - last edited on 11-05-2018 01:50 PM by cjervis
We have a cluster Kerberized cluster with CDH 5.15.0 with Sentry enabled, Integrated with LDAP, using Kerberos that exist on or managed by the LDAP/AD.
I am trying to create personal Hive DB's for which only that user has access to objects under that DB. Facing problem when providing/restricting access to a single user in same LDAP group.
In Hue user admin, am only able to grant/restrict permission for a LDAP group and not for an individual user.
We have 4-5 users in same LDAP group for whom I am trying to create personal Hive DB's under their own HDFS home directory as default location (/user/user1).
1. Created a group caled (user1_group) in Hue Admin Groups (for user1).
2. Selected all permissions except useradmin.access and user1 as member.
3. Created a role in Hue --> Security --> Hive tabled --> Roles and selected user1_group which only has 1 user in it.
3. Created a new Hive DB (user1db) with default location as /user/user1 (HDFS path)
4. Added privelages - for the above role (from #3) with db=user1db --> table=ALL
Just with above steps, user1 should be able to see the newly created DB under their Hue/Hive or Impala (after metadata refresh). But, they are not able to.
So, I changed the role (from #3) to reflect the LDAP group (ldap_group1) which user1 belongs to. Then, user1 is able to view the DB.
5. When the user tried to create a table - he/she gets the below error.
user=hive, access=WRITE, inode="/user/user1":user1:user1:drwxr-xr-x ...."
6. Executed the below command so that hive gets access to inode above.
hdfs dfs -setfacl -R -m user:hive:rwx /user/user1
7. User1 is able to create the table and perform various operations.
The problem here is, any user under LDAP group (ldap_group1) who has permission to impersonate as hive or impala is able to create/delete tables in db_user1.
How can I restrict access to personal DB's only to that user without others having access to it?
What am I doing incorrectly in the above steps?
Thanks for the input/pointers.