Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!
Solved Go to solution

Apache Ranger : Issues in Syncing the UI policy to beeline and setting up of metastore plugin

Labels:
avatar
author-rank sriram_rangaraj
Explorer

Created ‎11-28-2016 05:31 AM

I am trying to implement the following :

1) Ranger Hive plugin

2) Set up ranger plugin for metastore

using HDP 2.5, ranger 0.6.0

Below are some of the settings in hive-site.xml :

hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener hive.security.metastore.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider

hive.users.in.admin.role=admin,root

hive.server2.enable.doAs=true hive.security.authorization.enabled=true hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator hive.conf.restricted.list=hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager

Following are the questions that I have for the above implementation :

1) When I create a policy in the Ranger Policy Manger UI and try to test it out from beeline, it is not working. Are the above settings in the hive-site.xml correct?

2) If I create a new role and set it to user from hive CLI, will i be able to see that in the Ranger Policy Manager UI ->HiveService->SERVICE_NAME

3) Is HDFS plugin mandatory for the above set-up? i.e can I set policies from UI and hive CLI without using HDFS policy and HDFS plugin setup?

4) is Solr installation mandatory for setting up the ranger-hive-plugin?(in my current set-up, i dont have the solr setup)

2,535 Views
0 Kudos
1 ACCEPTED SOLUTION

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎11-28-2016 05:11 PM

@Sriram Rangarajan

Apache Ranger doesn't have a plugin for Hive Metastore as such. Ranger Plugin which is there is for HiveServer2. Please refer this doc for the supported plugins https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_installing_manually_book/content/install....

If you are specifically looking for Ranger Hive Metastore plugin it is in design stage and refer this https://cwiki.apache.org/confluence/display/RANGER/Design+Proposal+for+Hive+Metastore+Plugin

Regarding your questions

Q 1) Test connection config for Hive Plugin Please refer https://community.hortonworks.com/questions/25115/ranger-hive-repository-test-connection-fails-in-ke...

Q 2 ) No, you wont be able to see those Roles, its not supported in Ranger hive Plugin. In Ranger UI when you create policy you will see the Privileges like "select", "insert", "update", "delete" that you can assign to the user in the form of Permissions. But if you are creating a role say for example "marketing" and "finance" these won't appear in Ranger UI.

Q 3) No, HDFS plugin is not mandatory for hive plugin to work.

Q 4) Solr in ranger is used for storing the audit for the authorization done, it not mandatory, although you won't be able to avail the auditing feature in the ranger.

View solution in original post

1,875 Views
3 REPLIES 3

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎11-28-2016 05:11 PM

@Sriram Rangarajan

Apache Ranger doesn't have a plugin for Hive Metastore as such. Ranger Plugin which is there is for HiveServer2. Please refer this doc for the supported plugins https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_installing_manually_book/content/install....

If you are specifically looking for Ranger Hive Metastore plugin it is in design stage and refer this https://cwiki.apache.org/confluence/display/RANGER/Design+Proposal+for+Hive+Metastore+Plugin

Regarding your questions

Q 1) Test connection config for Hive Plugin Please refer https://community.hortonworks.com/questions/25115/ranger-hive-repository-test-connection-fails-in-ke...

Q 2 ) No, you wont be able to see those Roles, its not supported in Ranger hive Plugin. In Ranger UI when you create policy you will see the Privileges like "select", "insert", "update", "delete" that you can assign to the user in the form of Permissions. But if you are creating a role say for example "marketing" and "finance" these won't appear in Ranger UI.

Q 3) No, HDFS plugin is not mandatory for hive plugin to work.

Q 4) Solr in ranger is used for storing the audit for the authorization done, it not mandatory, although you won't be able to avail the auditing feature in the ranger.

1,876 Views

avatar
author-rank sriram_rangaraj
Explorer

Created ‎11-29-2016 07:15 AM

Thanks for the reply Ramesh. One more question is the hive plugin compatible with Spark thrift server (i.e) Can it be used with spark thrift server?

1,875 Views
0 Kudos

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎11-30-2016 10:10 PM

Hive ranger plugin is only for HiveServer2 and not for Spark thrift Server. LLAP in HDP2.5 Tech preview would be another option for it.

1,875 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements