Personal DB's for users within same LDAP group

We have a Kerberized cluster with CDH 5.15.0 with Sentry enabled, integrated with LDAP, using Kerberos that exists on or is managed by the LDAP/AD.


I am trying to create personal Hive DBs for which only that user has access to objects under that DB. I am facing a problem when providing/restricting access to a single user in the same LDAP group.


In Hue user admin, I am only able to grant/restrict permissions for an LDAP group and not for an individual user.


We have 4-5 users in the same LDAP group for whom I am trying to create personal Hive DBs under their own HDFS home directory as the default location (/user/user1).



1. Created a group called (user1_group) in Hue Admin Groups (for user1).

2. Selected all permissions except useradmin.access and added user1 as a member.

3. Created a role in Hue --> Security --> Hive Tables --> Roles and selected user1_group, which only has 1 user in it.

3. Created a new Hive DB (user1db) with default location as /user/user1 (HDFS path).

4. Added privileges for the above role (from #3) with db=user1db --> table=ALL.


Just with the above steps, user1 should be able to see the newly created DB under their Hue/Hive or Impala (after a metadata refresh). But they are not able to.


So, I changed the role (from #3) to reflect the LDAP group (ldap_group1) that user1 belongs to. Then user1 is able to view the DB.


5. When the user tried to create a table, he/she got the below error.

user=hive, access=WRITE, inode="/user/user1":user1:user1:drwxr-xr-x ...."

6. Executed the below command so that hive gets access to the inode above.

hdfs dfs -setfacl -R -m user:hive:rwx /user/user1

7. user1 is able to create the table and perform various operations.



The problem here is that any user under the LDAP group (ldap_group1) who has permission to impersonate hive or impala is able to create/delete tables in db_user1.


How can I restrict access to personal DB's to only that user, without others having access to them?

What am I doing incorrectly in the above steps?


Thanks for the input/pointers.
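Two things are worth checking on a setup like the one described above, and the helper below is an added example for the second of them; it is not code from the original post or from Cloudera. First, Sentry resolves role membership through the Hadoop group mapping (the same source `hdfs groups user1` reports), not through groups created only inside Hue, which is consistent with the role becoming visible only once it was bound to the LDAP group. Second, after the `setfacl -R -m user:hive:rwx /user/user1` step, the effective write access on the home directory is the union of the POSIX bits and the named ACL entries, and it helps to audit exactly which principals can write there. The helper parses `hdfs dfs -getfacl` output and lists every write-bearing entry; the sample output it runs on is constructed to match the post's scenario, not captured from a real cluster, and the function names are my own.

```shell
#!/bin/sh
# Added audit helper (not from the original post): parse `hdfs dfs -getfacl`
# output and report which principals hold write access on a personal DB
# location such as /user/user1. Runs offline on constructed sample output.

# Constructed sample: what `hdfs dfs -getfacl /user/user1` would print after
# the `-setfacl -R -m user:hive:rwx` step. Not captured from a real cluster.
SAMPLE_ACL='# file: /user/user1
# owner: user1
# group: user1
user::rwx
user:hive:rwx
group::r-x
mask::rwx
other::r-x'

# acl_writers: read getfacl output on stdin and print, space separated, every
# access entry (owner "user:", named users, group entries, "other:") whose
# permission field includes the write bit. The mask line is skipped because
# it caps, rather than grants, permissions.
acl_writers() {
  grep -v '^#' \
    | awk -F: '$1 != "mask" && $3 ~ /w/ { printf "%s:%s\n", $1, $2 }' \
    | paste -s -d ' ' -
}

# acl_grants_write PRINCIPAL: exit 0 if PRINCIPAL (for example user:hive or
# group:ldap_group1) has a write-bearing entry in the getfacl output on stdin.
acl_grants_write() {
  acl_writers | tr ' ' '\n' | grep -qx "$1"
}

# Stand-alone usage: audit the constructed sample. On a live cluster, replace
# the printf with: hdfs dfs -getfacl /user/user1 | acl_writers
printf '%s\n' "$SAMPLE_ACL" | acl_writers
```

On the constructed sample this prints `user: user:hive`, i.e. only the owner and the hive service account can write to the directory; no group entry grants write, so any cross-user access is coming through HiveServer2 (running as hive) and therefore through Sentry role membership, not through HDFS. One caveat on the `setfacl` step itself: `-m user:hive:rwx` sets the access ACL on the existing tree, but a subdirectory created later by user1 does not inherit it unless a matching `default:user:hive:rwx` entry is also set on the parent.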