Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Can we check Atlas-Ranger based feature using beeline?

Solved Go to solution

Can we check Atlas-Ranger based feature using beeline?

Rising Star

Hello Guys,

I have used hive-view for seeing data lineage part in atlas but you know that,we have Atlas and Ranger integration which is mainly talks about "Tag based Policy".I have attached a link which explains demo of "Tag based policy".

Link------>

http://hortonworks.com/hadoop-tutorial/tag-based-policies-atlas-ranger/

In that demo they have used hive view to see/cross check whether security policy is really working or not?

Instead of using "Hive view",can we cross check the same flow/policy with the beeline?.I meant,

can we do something like, login to beeline with hr_user/hr_admin user and check the Atlas-Ranger tag based policy?.

Please tell me is it possible on Atlas-Ranger tech review machine.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: Can we check Atlas-Ranger based feature using beeline?

Hi @Manoj Dhake

Both Hive View and Beeline utilize HiveServer2 (which both adhere to Ranger/Atlas tag based policies). Are you able to login through Hive and see these policies being followed?

5 REPLIES 5

Re: Can we check Atlas-Ranger based feature using beeline?

Hi @Manoj Dhake

Both Hive View and Beeline utilize HiveServer2 (which both adhere to Ranger/Atlas tag based policies). Are you able to login through Hive and see these policies being followed?

Re: Can we check Atlas-Ranger based feature using beeline?

Rising Star

Thanks to see you again Ryan,

Did you mean I can login to beeline client console with(hr_user/hr_admin)user credentials and able to see same error(hr_user does not have permission to access ssn and location column) which I was getting in hive veiw right?

Questions

1)how to connect beeline using command line option for hr_user/hr_admin.

2)could you please post those commands for connecting to beeline?

Re: Can we check Atlas-Ranger based feature using beeline?

Hi @Manoj Dhake

Yes - you can login to beeline client console with hr_user/hr_admin. Type "beeline" in your shell and then:

!connect jdbc:hive2://localhost:10000/default hr_user hr_user

Re: Can we check Atlas-Ranger based feature using beeline?

Rising Star

Thanks Ryan for your response.

could you please my new question about tag base policy

link

https://community.hortonworks.com/questions/46131/atlas-ranger-tag-based-policy-not-working-for-my-o...

The demo which is given for Atlas-Ranger tag policy on hortonworks website,i have tried that one.

but now i want that tag base policy should be applicable for my own created tables,database and tags.

please help me.

Highlighted

Re: Can we check Atlas-Ranger based feature using beeline?

Contributor

@avatar imageManoj Dhake : To be able to create ur own DB/tables as a user say user1, you will first need an access policy in Ranger for user1 with create permission atleast. I am guessing you know this part.

Then you need to tag your Hive resources through Atlas UI. For that you would need an Atlas Ranger policy which will give appropriate permissions to the user used for tagging .

Once your resources are tagged, you can create a tag based policy in Ranger depending on your need.

Like, if you want user2 to be restricted from seeing any table, say table2 tagged with PII (Table level tag), you create a tag policy with Tag=PII, Under DENY CONDITIONS, put user=user2, and for Component Permissions, select Hive and the Hive operations the user should not be able to perform on the table.

Then add the tag service name in Hive Service by editing Hive service and using field: 'Select Tag Service'.

Now when you try to do any operation on table2 as user2, you will be denied access, even if there is an access policy granting all permissions to user2 on table2.

OR IF you want user2 access to ONLY tagged resources like table2, table3 tagged with 'user' tag, then make sure there is no access based policy for user2 or any of its groups and create a tag based policy with tag='user', in Allow conditions, put user='user2', and for Component Permissions, select Hive and the Hive operations the user should be able to perform on resources tagged with 'user' tag.

Hope this helps. The above 2 examples are typical usages of tag based policies.

Pls vote up if you find the answer useful.