Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

All hive databases are showing on show databases command, although access is not granted from ranger

Labels:
avatar
author-rank Kkalita
Rising Star

Created ‎02-07-2017 12:58 PM

I am working with ranger hive policies and seeing a wired behaviour.

We have granted access to a group only to specific databases but users of the group can see all database, although they see them with no tables as they don't have access to them. Configuration on Ranger seems to be fine.

Is it expected behaviur in ranger or we can restrict from viewing the database?

thanks

6,968 Views
1 ACCEPTED SOLUTION

avatar
author-rank pminovic author-rank
Master Guru

Created ‎03-01-2017 08:53 AM

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.

View solution in original post

5,300 Views
5 REPLIES 5

avatar
author-rank mqureshi
Super Guru

Created ‎02-07-2017 02:11 PM

According to following link, this is the expected behavior (notice, show database is not mapped to Ranger)

https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping

5,300 Views

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎02-07-2017 06:34 PM

We shall update the doc. I see that show databases is not there

5,300 Views
0 Kudos

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎02-07-2017 06:28 PM

@khireswar Kalita what HDP version you are using? "Show Databases" when ranger is enabled will show only those databases which the user / group has access. Do you see the audits for your operation in ranger?

5,300 Views

avatar
author-rank Kkalita
Rising Star

Created ‎02-08-2017 12:24 PM

I am using HDP 2.4.

Also I noticed that when permission is granted it shows the database with tables, but when permision is revoked databases are shown with no tables.

5,300 Views
0 Kudos

avatar
author-rank pminovic author-rank
Master Guru

Created ‎03-01-2017 08:53 AM

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.

5,301 Views
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements