Hive policy in ranger is not working

avatar
Contributor

Hi,

Hive policy setup using Ranger is not working. I am not using LDAP or Kerberos.

I created one OS user called test2 and want to get read and read/write on Hive tables. It is not working. For HBase it works fine.

The policy was set without error. Please see the screenshot for the policy (hive-ranger-policy-issuertfd.zip).

Your help is needed, please, to set up the Hive - Ranger policy.

Thanks

JJ

avatar

Hi @Jacqualin jasmin,

Why are you saying the policy does not work?

Please keep in mind that Ranger policies on Hive are only applied if you access Hive through the Hive server (JDBC/ODBC connections, Beeline CLI, etc.). If you are using the Hive CLI, then only the Ranger policies on HDFS are applied.

avatar
Contributor

Pierre,

I am using Beeline, and still the policy is not getting implemented / kicked off.

avatar

Could you share a screenshot or logs showing which user is launching beeline, what is the request you execute and what is the result of the command? Also is the Hive plugin for Ranger enabled in Ambari?

avatar
Contributor

The executed commands are as below. Please see the screenshot for the setup: hive-ranger-policy-issuertfd.zip

*************

[test2@node01 ~]$ id

uid=513(test2) gid=504(hadoop) groups=504(hadoop)

[test2@node01 ~]$ beeline

WARNING: Use "yarn jar" to launch YARN applications.

Beeline version 1.2.1000.2.4.2.0-258 by Apache Hive

beeline> !connect jdbc:hive2://

Connecting to jdbc:hive2://

Enter username for jdbc:hive2://: test2

Enter password for jdbc:hive2://: *****

Connected to: Apache Hive (version 1.2.1000.2.4.2.0-258)

Driver: Hive JDBC (version 1.2.1000.2.4.2.0-258)

Transaction isolation: TRANSACTION_REPEATABLE_READ

0: jdbc:hive2://> INSERT INTO TABLE students VALUES ('fred flintstone', 35, 1.28);

17/02/07 19:39:56 [main]: ERROR hdfs.KeyProviderCache: Could not find uri with key [dfs.encryption.key.provider.uri] to create a keyProvider !!

Query ID = test2_20170207193955_e8c97ad8-f12b-4f04-91ae-eb0a9064bb27

Total jobs = 1

Launching Job 1 out of 1

17/02/07 19:40:05 [HiveServer2-Background-Pool: Thread-27]: WARN tez.DagUtils: hive.tez.java.opts will be ignored because hive.tez.container.size is not set!

17/02/07 19:40:05 [HiveServer2-Background-Pool: Thread-27]: WARN tez.DagUtils: hive.tez.java.opts will be ignored because hive.tez.container.size is not set!

Status: Running (Executing on YARN cluster with App id application_1486082581831_0025)

--------------------------------------------------------------------------------

VERTICES STATUS TOTAL COMPLETED RUNNING PENDING FAILED KILLED

--------------------------------------------------------------------------------

Map 1 .......... SUCCEEDED 1 1 0 0 0 0

Reducer 2 ...... SUCCEEDED 2 2 0 0 0 0

--------------------------------------------------------------------------------

VERTICES: 02/02 [==========================>>] 100% ELAPSED TIME: 9.01 s

--------------------------------------------------------------------------------

Loading data to table default.students

Table default.students stats: [numFiles=30, numRows=22, totalSize=10236, rawDataSize=4716]

OK

No rows affected (20.948 seconds)

0: jdbc:hive2://>

***************

avatar

Just did the following in my env -

Installed Ranger, enabled Hive plugin, created a table student with a single column name, created a user "test" and created a /user/test directory in HDFS, created a rule in Ranger to only allow read access (select) to the table student for user test.

And here are my commands:

https://gist.github.com/pvillard31/528d0d186d05422b0b9d1f3b94a85a02

It seems to be working as expected. In Audit / Plugins, can you check that the policies have been correctly synced with Hive?

avatar
Contributor

Hi Pierre,

I was able to find the issue:

1) From Beeline, if we connect with just !connect jdbc:hive2:// it just prompts for user name / password. Now the policy is not working.

2) If we connect with the complete string, like !connect jdbc:hive2://<hiveserver2>:10000/default test2 test2, now the policy is enforced.
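
Added example, not part of the original thread: a small Python check that flags Beeline connection strings with no host in the jdbc:hive2:// URL. Such a URL runs Hive in embedded mode inside the Beeline process, so statements never pass through the HiveServer2 service where the Ranger Hive plugin enforces policies. The function names, the sample lines and the zk1/zk2 host names are constructed for illustration.

```python
import re

# Captures the authority (host list) that follows "jdbc:hive2://".
_HIVE2_URL = re.compile(r"jdbc:hive2://([^/;?#\s'\"]*)", re.IGNORECASE)


def classify_hive2_url(url):
    """Return 'embedded', 'remote' or 'not-hive2' for a JDBC URL string."""
    m = _HIVE2_URL.search(url)
    if m is None:
        return "not-hive2"
    # Empty authority: Beeline starts Hive in-process (embedded mode), so the
    # HiveServer2 service and its Ranger authorizer are not in the path.
    return "remote" if m.group(1) else "embedded"


def find_embedded_connections(lines):
    """Return [(line_number, text)] for lines that open an embedded session."""
    hits = []
    for n, line in enumerate(lines, 1):
        if any(not m.group(1) for m in _HIVE2_URL.finditer(line)):
            hits.append((n, line.strip()))
    return hits


# Constructed sample: the two connect commands from the thread plus two
# other common forms (scripted -u usage, ZooKeeper service discovery).
SAMPLE = [
    "beeline> !connect jdbc:hive2://",
    "beeline> !connect jdbc:hive2://<hiveserver2>:10000/default test2 test2",
    "beeline -u jdbc:hive2:///default -n test2",
    "beeline -u 'jdbc:hive2://zk1:2181,zk2:2181/;serviceDiscoveryMode=zooKeeper'",
]

if __name__ == "__main__":
    for number, text in find_embedded_connections(SAMPLE):
        print(f"line {number}: embedded connection, Ranger Hive policy not applied: {text}")
```

Run over shell history or job scripts, this points out sessions that should be switched to a full jdbc:hive2://host:port/ URL so that Ranger authorization and auditing apply.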