Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

All hive databases are showing on show databases command, although access is not granted from ranger

Solved Go to solution

All hive databases are showing on show databases command, although access is not granted from ranger

Contributor

I am working with ranger hive policies and seeing a wired behaviour.

We have granted access to a group only to specific databases but users of the group can see all database, although they see them with no tables as they don't have access to them. Configuration on Ranger seems to be fine.

Is it expected behaviur in ranger or we can restrict from viewing the database?

thanks

1 ACCEPTED SOLUTION

Accepted Solutions

Re: All hive databases are showing on show databases command, although access is not granted from ranger

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.

5 REPLIES 5

Re: All hive databases are showing on show databases command, although access is not granted from ranger

Super Guru

According to following link, this is the expected behavior (notice, show database is not mapped to Ranger)

https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping

Re: All hive databases are showing on show databases command, although access is not granted from ranger

Expert Contributor

We shall update the doc. I see that show databases is not there

Re: All hive databases are showing on show databases command, although access is not granted from ranger

Expert Contributor

@khireswar Kalita what HDP version you are using? "Show Databases" when ranger is enabled will show only those databases which the user / group has access. Do you see the audits for your operation in ranger?

Highlighted

Re: All hive databases are showing on show databases command, although access is not granted from ranger

Contributor

I am using HDP 2.4.

Also I noticed that when permission is granted it shows the database with tables, but when permision is revoked databases are shown with no tables.

Re: All hive databases are showing on show databases command, although access is not granted from ranger

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.