Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

All hive databases are showing on show databases command, although access is not granted from ranger

Labels:
avatar
author-rank Kkalita
Rising Star

Created ‎02-07-2017 12:58 PM

I am working with ranger hive policies and seeing a wired behaviour.

We have granted access to a group only to specific databases but users of the group can see all database, although they see them with no tables as they don't have access to them. Configuration on Ranger seems to be fine.

Is it expected behaviur in ranger or we can restrict from viewing the database?

thanks

7,574 Views
0
1 ACCEPTED SOLUTION

avatar
author-rank pminovic author-rank
Master Guru

Created ‎03-01-2017 08:53 AM

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.

View solution in original post

5,906 Views
0
5 REPLIES 5

avatar
author-rank mqureshi
Super Guru

Created ‎02-07-2017 02:11 PM

According to following link, this is the expected behavior (notice, show database is not mapped to Ranger)

https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping

5,906 Views

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎02-07-2017 06:34 PM

We shall update the doc. I see that show databases is not there

5,906 Views
0 Kudos

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎02-07-2017 06:28 PM

@khireswar Kalita what HDP version you are using? "Show Databases" when ranger is enabled will show only those databases which the user / group has access. Do you see the audits for your operation in ranger?

5,906 Views

avatar
author-rank Kkalita
Rising Star

Created ‎02-08-2017 12:24 PM

I am using HDP 2.4.

Also I noticed that when permission is granted it shows the database with tables, but when permision is revoked databases are shown with no tables.

5,906 Views
0 Kudos

avatar
author-rank pminovic author-rank
Master Guru

Created ‎03-01-2017 08:53 AM

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.

5,907 Views
0
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements