Created 02-07-2017 07:06 PM
hive-ranger-policy-issuertfd.zip
Hi, Hive policy setup using Ranger is not working. I am not using LDAP or Kerberos.
I created one OS user called test2 and want to get read and read-write on Hive tables. It is not working. For HBase it works fine.
The policy was set without error. Please see the screenshot for the policy.
Your help is needed, please, to set up the Hive - Ranger policy.
Thanks
JJ
Created 02-07-2017 08:55 PM
Just did the following in my env -
Installed Ranger, enabled Hive plugin, created a table student with a single column name, created a user "test" and created a /user/test directory in HDFS, created a rule in Ranger to only allow read access (select) to the table student for user test.
And here are my commands:
https://gist.github.com/pvillard31/528d0d186d05422b0b9d1f3b94a85a02
It seems to be working as expected. In Audit / Plugins, can you check that the policies have been correctly synced with Hive?
Created 02-07-2017 07:13 PM
Why are you saying the policy does not work?
Please keep in mind that Ranger policies on Hive are only applied if you access Hive through the Hive server (JDBC/ODBC connections, Beeline CLI, etc). If you are using the Hive CLI, then only the Ranger policies on HDFS are applied.
Created 02-07-2017 07:20 PM
Pierre,
I am using Beeline, and the policy is still not getting implemented / kicked off.
Created 02-07-2017 07:25 PM
Could you share a screenshot or logs showing which user is launching beeline, what is the request you execute and what is the result of the command? Also is the Hive plugin for Ranger enabled in Ambari?
Created 02-07-2017 07:55 PM
The executed commands are as below. Please see the screenshot for the setup: hive-ranger-policy-issuertfd.zip
*************
[test2@node01 ~]$ id
uid=513(test2) gid=504(hadoop) groups=504(hadoop)
[test2@node01 ~]$ beeline
WARNING: Use "yarn jar" to launch YARN applications.
Beeline version 1.2.1000.2.4.2.0-258 by Apache Hive
beeline> !connect jdbc:hive2://
Connecting to jdbc:hive2://
Enter username for jdbc:hive2://: test2
Enter password for jdbc:hive2://: *****
Connected to: Apache Hive (version 1.2.1000.2.4.2.0-258)
Driver: Hive JDBC (version 1.2.1000.2.4.2.0-258)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://> INSERT INTO TABLE students VALUES ('fred flintstone', 35, 1.28);
17/02/07 19:39:56 [main]: ERROR hdfs.KeyProviderCache: Could not find uri with key [dfs.encryption.key.provider.uri] to create a keyProvider !!
Query ID = test2_20170207193955_e8c97ad8-f12b-4f04-91ae-eb0a9064bb27
Total jobs = 1
Launching Job 1 out of 1
17/02/07 19:40:05 [HiveServer2-Background-Pool: Thread-27]: WARN tez.DagUtils: hive.tez.java.opts will be ignored because hive.tez.container.size is not set!
17/02/07 19:40:05 [HiveServer2-Background-Pool: Thread-27]: WARN tez.DagUtils: hive.tez.java.opts will be ignored because hive.tez.container.size is not set!
Status: Running (Executing on YARN cluster with App id application_1486082581831_0025)
--------------------------------------------------------------------------------
VERTICES STATUS TOTAL COMPLETED RUNNING PENDING FAILED KILLED
--------------------------------------------------------------------------------
Map 1 .......... SUCCEEDED 1 1 0 0 0 0
Reducer 2 ...... SUCCEEDED 2 2 0 0 0 0
--------------------------------------------------------------------------------
VERTICES: 02/02 [==========================>>] 100% ELAPSED TIME: 9.01 s
--------------------------------------------------------------------------------
Loading data to table default.students
Table default.students stats: [numFiles=30, numRows=22, totalSize=10236, rawDataSize=4716]
OK
No rows affected (20.948 seconds)
0: jdbc:hive2://>
***************
Created 02-07-2017 11:10 PM
Hi Pierre,
I was able to find the issue:
1) From Beeline, if we connect with just < !connect jdbc:hive2:// >, it just prompts for user name / password. Now the policy is not working.
2) If we connect with the complete string, like: !connect jdbc:hive2://<hiveserver2>:10000/default test2 test2 , now the policy is enforced.
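
The difference between the two connect strings in the last post, as an added example that is not part of the original thread: a URL with no host (`jdbc:hive2://`) makes Beeline run Hive in embedded mode inside the client process, so the request never goes through the remote HiveServer2 where the Ranger policies are applied. The function names, the host `hs2.example.internal` and the sample lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag Beeline connections that bypass the remote HiveServer2.

# Print "embedded" for a hive2 URL with no host (jdbc:hive2:// or
# jdbc:hive2:///db), "remote" when a host is present, else "invalid".
hive_jdbc_mode() {
  local url=$1 rest authority
  case $url in
    jdbc:hive2://*) rest=${url#jdbc:hive2://} ;;
    *) echo invalid; return 0 ;;
  esac
  # Authority = host[:port][,host...] up to the path or option separators.
  authority=${rest%%[/;?#]*}
  if [ -z "$authority" ]; then echo embedded; else echo remote; fi
}

# Read Beeline command lines on stdin; print "<line no>: <line>" for each
# line that opens an embedded connection. Runs in a subshell so that
# disabling globbing (set -f) does not leak into the caller.
audit_beeline_connects() (
  set -f
  n=0
  while IFS= read -r line; do
    n=$((n + 1))
    for word in $line; do
      case $word in
        *jdbc:hive2://*)
          url=jdbc:hive2://${word#*jdbc:hive2://}  # drop a leading quote
          url=${url%\"}; url=${url%\'}             # drop a trailing quote
          if [ "$(hive_jdbc_mode "$url")" = embedded ]; then
            printf '%d: %s\n' "$n" "$line"
          fi ;;
      esac
    done
  done
)

# Constructed sample input; hs2.example.internal is a placeholder host.
sample_history() {
  cat <<'EOF'
beeline -u jdbc:hive2://hs2.example.internal:10000/default -n test2 -p test2
!connect jdbc:hive2://
beeline -u "jdbc:hive2:///default" -n test2
!connect jdbc:hive2://hs2.example.internal:10000/default test2 test2
EOF
}

sample_history | audit_beeline_connects
```

Any line it prints is a session whose statements were authorized only by HDFS permissions, which matches the INSERT that succeeded for test2 earlier in the thread.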