Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

Apache Ranger : Issues in Syncing the UI policy to beeline and setting up of metastore plugin

Labels:
avatar
author-rank sriram_rangaraj
Explorer

Created ‎11-28-2016 05:31 AM

I am trying to implement the following :

1) Ranger Hive plugin

2) Set up ranger plugin for metastore

using HDP 2.5, ranger 0.6.0

Below are some of the settings in hive-site.xml :

hive.metastore.pre.event.listeners=org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener hive.security.metastore.authorization.manager=org.apache.hadoop.hive.ql.security.authorization.DefaultHiveMetastoreAuthorizationProvider

hive.users.in.admin.role=admin,root

hive.server2.enable.doAs=true hive.security.authorization.enabled=true hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator hive.conf.restricted.list=hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager

Following are the questions that I have for the above implementation :

1) When I create a policy in the Ranger Policy Manger UI and try to test it out from beeline, it is not working. Are the above settings in the hive-site.xml correct?

2) If I create a new role and set it to user from hive CLI, will i be able to see that in the Ranger Policy Manager UI ->HiveService->SERVICE_NAME

3) Is HDFS plugin mandatory for the above set-up? i.e can I set policies from UI and hive CLI without using HDFS policy and HDFS plugin setup?

4) is Solr installation mandatory for setting up the ranger-hive-plugin?(in my current set-up, i dont have the solr setup)

3,148 Views
0 Kudos
0
1 ACCEPTED SOLUTION

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎11-28-2016 05:11 PM

@Sriram Rangarajan

Apache Ranger doesn't have a plugin for Hive Metastore as such. Ranger Plugin which is there is for HiveServer2. Please refer this doc for the supported plugins https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_installing_manually_book/content/install....

If you are specifically looking for Ranger Hive Metastore plugin it is in design stage and refer this https://cwiki.apache.org/confluence/display/RANGER/Design+Proposal+for+Hive+Metastore+Plugin

Regarding your questions

Q 1) Test connection config for Hive Plugin Please refer https://community.hortonworks.com/questions/25115/ranger-hive-repository-test-connection-fails-in-ke...

Q 2 ) No, you wont be able to see those Roles, its not supported in Ranger hive Plugin. In Ranger UI when you create policy you will see the Privileges like "select", "insert", "update", "delete" that you can assign to the user in the form of Permissions. But if you are creating a role say for example "marketing" and "finance" these won't appear in Ranger UI.

Q 3) No, HDFS plugin is not mandatory for hive plugin to work.

Q 4) Solr in ranger is used for storing the audit for the authorization done, it not mandatory, although you won't be able to avail the auditing feature in the ranger.

View solution in original post

2,488 Views
0
3 REPLIES 3

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎11-28-2016 05:11 PM

@Sriram Rangarajan

Apache Ranger doesn't have a plugin for Hive Metastore as such. Ranger Plugin which is there is for HiveServer2. Please refer this doc for the supported plugins https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_installing_manually_book/content/install....

If you are specifically looking for Ranger Hive Metastore plugin it is in design stage and refer this https://cwiki.apache.org/confluence/display/RANGER/Design+Proposal+for+Hive+Metastore+Plugin

Regarding your questions

Q 1) Test connection config for Hive Plugin Please refer https://community.hortonworks.com/questions/25115/ranger-hive-repository-test-connection-fails-in-ke...

Q 2 ) No, you wont be able to see those Roles, its not supported in Ranger hive Plugin. In Ranger UI when you create policy you will see the Privileges like "select", "insert", "update", "delete" that you can assign to the user in the form of Permissions. But if you are creating a role say for example "marketing" and "finance" these won't appear in Ranger UI.

Q 3) No, HDFS plugin is not mandatory for hive plugin to work.

Q 4) Solr in ranger is used for storing the audit for the authorization done, it not mandatory, although you won't be able to avail the auditing feature in the ranger.

2,489 Views
0

avatar
author-rank sriram_rangaraj
Explorer

Created ‎11-29-2016 07:15 AM

Thanks for the reply Ramesh. One more question is the hive plugin compatible with Spark thrift server (i.e) Can it be used with spark thrift server?

2,488 Views
0 Kudos

avatar
author-rank rmani author-rank
Super Collaborator

Created ‎11-30-2016 10:10 PM

Hive ranger plugin is only for HiveServer2 and not for Spark thrift Server. LLAP in HDP2.5 Tech preview would be another option for it.

2,488 Views
0 Kudos
Announcements
What's New @ Cloudera
[RELEASED] Cloudera Streaming Analytics - Kubernetes Operato...
What's New @ Cloudera
[RELEASED] Cloudera Streams Messaging - Kubernetes Operator ...
Community Announcements
February 2025 Community Highlights
What's New @ Cloudera
3 Benefits of External IDE Connectivity, Now Available in Cl...
What's New @ Cloudera
Performance comparison of Spark3 on YARN with S3 Standard VS...
View More Announcements