Support Questions

Find answers, ask questions, and share your expertise

All hive databases are showing on show databases command, although access is not granted from ranger

avatar
Rising Star

I am working with ranger hive policies and seeing a wired behaviour.

We have granted access to a group only to specific databases but users of the group can see all database, although they see them with no tables as they don't have access to them. Configuration on Ranger seems to be fine.

Is it expected behaviur in ranger or we can restrict from viewing the database?

thanks

1 ACCEPTED SOLUTION

avatar
Master Guru

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.

View solution in original post

5 REPLIES 5

avatar
Super Guru

According to following link, this is the expected behavior (notice, show database is not mapped to Ranger)

https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping

avatar
Super Collaborator

We shall update the doc. I see that show databases is not there

avatar
Super Collaborator

@khireswar Kalita what HDP version you are using? "Show Databases" when ranger is enabled will show only those databases which the user / group has access. Do you see the audits for your operation in ranger?

avatar
Rising Star

I am using HDP 2.4.

Also I noticed that when permission is granted it shows the database with tables, but when permision is revoked databases are shown with no tables.

avatar
Master Guru

Check have you given to that user UDF permission on all databases, either by user or by his group. I've just discovered that in HDP-2.5.3 if I give UDF permission to u1 on all databases using his group, then u1 can list all databases, and can even do "use db1" even if he has no "table" permission on db1, but "show tables" returns empty list. When I remove his group from UDF policy then it works as expected.