Env: Ranger Enabled + Kerberos
Create a database and assign owner from Hive CLI.
Create Ranger policy for the database directory.
Create table in the DB via Hive CLI works.
Same doesn't work via Beeline or Hue.
Describe database <dbname> lists the owner same as the user trying to create table.
I know for HDFS if a policy doesn't exist the next level is to check for ACLs and POSIX permissions.
Doesn't that apply for Hive?
Had to give * permissions for public.
Still have questions:
1) Does Beeline respect the Hive database ownership permissions as a next level of check if it doesn't find any Ranger policies?
2) Do we need to define a policy for each user for providing them access via Beeline or Hue or any other tool that connects via HiveServer2?
@Sundara Palanki Ranger Hive Plugin only applies to HS2; Hive CLI would not honor policies defined in Ranger.
"The best way to protect Hive CLI would be to enable permissions for HDFS files/folders mapped to the Hive database and tables. In order to secure metastore, it is also recommended to turn on storage-based authorization."
You should define either User/Group permissions for Hive Resources via Ranger while connecting from HS2.
Thanks for your explanation, and yeah, Ranger applies only to HS2.
What I am looking for is why do I need to create a policy for a user with create/all permission on his own database?
When the Ranger plugin is enabled for HDFS, the check goes beyond just Ranger and checks for ACLs and POSIX permissions.
Why doesn't the Hive plugin behave the same way?