How to give access to users to create and own databases in CDP 7.1.7 Hive.

Explorer

Hi,

We have a four-node CDP 7.1.7 SP1 cluster.

Currently, when a normal hive user creates a database, the database ownership is getting assigned to hive:supergroup in /external/hive, which is the default.

We want the /external/hive database ownership to be assigned to the user who is creating a database.

For example:

User "Test" creates one database; the ownership should be like:

drwxr-xr-x - test supergroup 0 2022-07-05 17:35 /warehouse/tablespace/external/hive/test_db

Kindly let us know if this is possible.

1 ACCEPTED SOLUTION

Master Collaborator

@ssuja I am afraid it's not achievable using Ranger. If you already have a data directory owned by a specific user, say user1, you may create a policy in Ranger providing hive and other users access to that directory path (URI), and keep the physical path owned by user1 itself. See if this is something you can work with. I should also mention that creating an external Hive table without a LOCATION clause will create a directory with hive ownership, for impersonation is disabled in Hive.


5 REPLIES

Explorer

Hi, could you please help with this??!!

Master Collaborator

Hi @ssuja, there is a Hive property that would help you achieve what you are aiming for. Look for hive.server2.enable.doAs under Hive on Tez configurations and enable it. However, there is a catch. This property needs to be disabled if you are using Ranger for authorization. If you are not using Ranger and are using Storage Based Authorization (which is not recommended in CDP), then you could definitely enable this. Refer to the doc here.
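
The catch described in the reply above can be checked against a hive-site.xml before anyone flips the setting. This is an added example, not part of the original reply and not Cloudera's code; the sample XML is constructed, and recognising a Ranger authorizer by the substring "ranger" in hive.security.authorization.manager is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample hive-site.xml fragment (not from a real cluster).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value>
  </property>
</configuration>"""


def load_props(xml_text):
    """Return {name: value} from Hadoop-style <property> elements."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_doas(props):
    """Classify the doAs / authorizer combination described in the reply above."""
    raw = props.get("hive.server2.enable.doAs")
    if raw is None:
        # Do not guess a default: the effective value depends on the deployment.
        return "UNKNOWN", "hive.server2.enable.doAs is not set in this file"
    doas = raw.lower() == "true"
    manager = props.get("hive.security.authorization.manager", "")
    # Assumption: a Ranger authorizer is recognised by "ranger" in its class name.
    if doas and "ranger" in manager.lower():
        return "CONFLICT", "doAs is enabled but Ranger is the authorizer; disable doAs"
    if doas:
        return "IMPERSONATION", "HiveServer2 acts as the connected end user"
    return "SERVICE_USER", "HiveServer2 acts as hive, so new directories are owned by hive"


if __name__ == "__main__":
    status, detail = check_doas(load_props(SAMPLE_HIVE_SITE))
    print(f"{status}: {detail}")
```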

Explorer

Hi Smruti,

Are we able to achieve this:

"We want the /external/hive database ownership to be assigned to the user who is creating a database" by creating any custom policies in Ranger?


Community Manager

@ssuja, Has the reply helped resolve your issue? If so, please mark the appropriate reply as the solution, as it will make it easier for others to find the answer in the future. 



Regards,

Vidya Sargur,
Community Manager
