
Disable Hive shell for user and provide access to the AD Group

Explorer

Hi,

I want to disable the Hive shell for the users and provide access at the AD Group level,

if [ "$SERVICE" = "cli" ] && [ "$USER" != "samba" ]; then
  echo "Sorry! We have disabled hive-shell contact Admin"
  exit 1
fi

This works well for user-level access, but I want to provide access at the AD group level. I tried with groups instead of user, but it didn't work out.

Can someone help me out with this?

1 ACCEPTED SOLUTION

Expert Contributor

Well, the hive-env.sh is just a shell script, so you could do some bash magic to see if the user is in a group. Something like the following (I am sure someone could do it more simply!). Note that this assumes that your groups are synced with Linux using sssd, centrify, etc.

NOTE: While not officially deprecated, using the hive cli command is discouraged in favor of beeline. Hive CLI doesn't take advantage of Ranger security. In HDP 3.x it is being rewritten as a wrapper around Hiveserver2.

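# Group names for $USER, space-separated (no "user :" prefix, unlike `groups $USER`).
G=$(id -Gn "$USER")
# Split the list into a bash array.
IFS=', ' read -r -a mygroups <<< "$G"
found=0
searchGroup="admin"
# -F -x: match the group name literally and as a whole line only.
if printf '%s\n' "${mygroups[@]}" | grep -Fxq -- "$searchGroup"; then
  found=1
  # Logic to allow Hive here.
fi
echo "$found"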
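
A fuller version of the group check for hive-env.sh, as an added example that is not part of the original answer: it resolves each GID separately so AD group names containing spaces stay intact, and it denies access when the lookup returns nothing. `ALLOWED_GROUP` and its value `hive-cli-users` are hypothetical, and `id`/`getent` are assumed to resolve AD groups through sssd or a similar NSS provider.

```bash
# Added example: group-based Hive CLI guard for hive-env.sh.
# ALLOWED_GROUP is a hypothetical name; replace it with your own AD group.
ALLOWED_GROUP="hive-cli-users"

# Print the groups of user $1, one per line.
# Each numeric GID is resolved on its own, so a name such as
# "domain users" is not split at the space.
list_groups() {
    for gid in $(id -G "$1" 2>/dev/null); do
        getent group "$gid" | cut -d: -f1
    done
}

# Read group names on stdin; succeed only when one line equals $1
# exactly (-x) and literally (-F, no regex interpretation).
# Empty input never matches, so a failed lookup denies access.
group_listed() {
    grep -Fxq -- "$1"
}

# Same shape as the check in the question: only the "cli" service is
# restricted, and only members of ALLOWED_GROUP may start it.
if [ "${SERVICE:-}" = "cli" ] && ! list_groups "${USER:-}" | group_listed "$ALLOWED_GROUP"; then
    echo "Sorry! Hive CLI is limited to members of $ALLOWED_GROUP; contact Admin." >&2
    exit 1
fi
```

Because hive-env.sh runs as the invoking user, this is a usability gate rather than an enforcement point; data access still has to be controlled by HDFS permissions and HiveServer2/Ranger policies.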
