Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Disable Hive shell for user and provide access to the AD Group

Solved Go to solution
Highlighted

Disable Hive shell for user and provide access to the AD Group

Explorer

Hi,

I want to disable the Hive shell for the users and provide access at the AD Group level,

if [ "$SERVICE" = "cli" ] && [ "$USER" != "samba" ]; then 
echo "Sorry! We have disabled hive-shell contact Admin" exit 1 
fi

This works good at the user level access but then i want to provide access at the AD group level. I tried with groups instead of user but then it didn't work out,

Can some one help me out on this.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

Re: Disable Hive shell for user and provide access to the AD Group

Expert Contributor

Well, the hive-env.sh is just a shell script, so you could do some bash magic to see if user is in group. Something like the following (I am sure someone could do it more simply!). Note that this assumes that your groups are synced with linux using sssd, centrify, etc.

NOTE: While not officially deprecated, using the hive cli command is discouraged in favor of beeline. Hive CLI doesn't take advantage of Ranger security. In HDP 3.x it is being rewritten as a wrapper around Hiveserver2.

G=`groups $USER` 
IFS=', ' read -r -a mygroups <<< "$G" 
found=0 
searchGroup="admin" 
if (printf '%s\n' "${mygroups[@]}" | grep -xq $searchGroup); then 
  found=1 
  # Logic to allow Hive here.
fi 
echo $found

View solution in original post

1 REPLY 1
Highlighted

Re: Disable Hive shell for user and provide access to the AD Group

Expert Contributor

Well, the hive-env.sh is just a shell script, so you could do some bash magic to see if user is in group. Something like the following (I am sure someone could do it more simply!). Note that this assumes that your groups are synced with linux using sssd, centrify, etc.

NOTE: While not officially deprecated, using the hive cli command is discouraged in favor of beeline. Hive CLI doesn't take advantage of Ranger security. In HDP 3.x it is being rewritten as a wrapper around Hiveserver2.

G=`groups $USER` 
IFS=', ' read -r -a mygroups <<< "$G" 
found=0 
searchGroup="admin" 
if (printf '%s\n' "${mygroups[@]}" | grep -xq $searchGroup); then 
  found=1 
  # Logic to allow Hive here.
fi 
echo $found

View solution in original post

Don't have an account?
Coming from Hortonworks? Activate your account here