
Beeline throws Error while trying to create a table by the owner of the database

Contributor

Env: Ranger Enabled + Kerberos

HDP 2.3.2

Create a database and assign an owner from the Hive CLI.

Create a Ranger policy for the database directory.

Creating a table in the DB via the Hive CLI works.

The same doesn't work via Beeline or Hue.

Describe database <dbname> lists the owner as the same user who is trying to create the table.

I know that for HDFS, if a policy doesn't exist, the next level is to check ACLs and POSIX permissions.

Doesn't that apply to Hive?


Re: Beeline throws Error while trying to create a table by the owner of the database

Contributor

Had to give * permissions for public.

Still have questions:

1) Does Beeline respect the Hive database ownership permissions as a next level of check if it doesn't find any Ranger policies?

2) Do we need to define a policy for each user to provide them access via Beeline or Hue or any other tool that connects via HiveServer2?

Re: Beeline throws Error while trying to create a table by the owner of the database

Expert Contributor

@Sundara Palanki Ranger Hive Plugin only applies to HS2; Hive CLI would not honor Policies defined in Ranger.

"The best way to protect Hive CLI would be to enable permissions for HDFS files/folders mapped to the Hive database and tables. In order to secure metastore, it is also recommended to turn on storage-based authorization."

You should define either User/Group permissions for Hive Resources via Ranger while connecting from HS2.
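
The storage-based authorization recommended in the quote above, shown as a metastore-side hive-site.xml fragment. This is an added example, not part of the original reply; it uses the standard Apache Hive property names, and the assumption is that it is applied to the Hive Metastore service's configuration and followed by a metastore restart.

```xml
<!-- Added example: metastore-side storage-based authorization.
     With these set, metadata operations arriving from Hive CLI are
     authorized against the HDFS permissions/ACLs of the database and
     table directories, since Hive CLI bypasses HS2 and its Ranger plugin. -->
<property>
  <!-- Hook that runs an authorization check before each metastore event -->
  <name>hive.metastore.pre.event.listeners</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener</value>
</property>
<property>
  <!-- Decide access from the permissions on the underlying warehouse paths -->
  <name>hive.security.metastore.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.StorageBasedAuthorizationProvider</value>
</property>
<property>
  <!-- Identify the caller as the authenticated Hadoop (Kerberos) user -->
  <name>hive.security.metastore.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.HadoopDefaultMetastoreAuthenticator</value>
</property>
<property>
  <!-- Also check read access on database/table metadata reads -->
  <name>hive.security.metastore.authorization.auth.reads</name>
  <value>true</value>
</property>
```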

Re: Beeline throws Error while trying to create a table by the owner of the database

Contributor

@nyakkanti

Thanks for your explanation, and yeah, Ranger applies only to HS2.

What I am looking for is why I need to create a policy for a user with create/all permission on his own database.

When the Ranger plugin is enabled for HDFS, the check goes beyond just Ranger and checks for ACLs and POSIX permissions.

Why doesn't the Hive plugin behave the same way?