Support Questions

Find answers, ask questions, and share your expertise
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

How to prevent access to hive database via hivecontext?

avatar
New Contributor

I've set up ranger on my cluster to enforce permission on databases. It works fantastically with ODBC connections. However, I also have a pyspark kernel for Jupyter Notebook running on the server, which completely bypass any policies applied i.e. by calling HiveContext any users access any database regardless of the permissions I setup on Ranger Hive.

Hive authorization is my primary goal but SparkContext on my Jupyter Notebook would be invaluable as well. Any pointers on how to set this up correctly is highly appreciated.

Thank you.

1 ACCEPTED SOLUTION

avatar
@Pee Tankulrat

Also make sure that it is not failing back to POSIX permission.

Remove all POSIX permission from the directory using hdfs dfs -chmod

View solution in original post

6 REPLIES 6

avatar

@Pee Tankulrat, As of now Spark will not honour hive acl's. One thing you can do is to add rules for the underlying HDFS directory of a hive db and precent users to access it.

avatar
New Contributor

56554-ranger.png

Thank you @Sandeep Nemuri for your tips. But, I went over to my Ranger's HDFS policy and saw that currently the users do not have direct access to the hive directory? As the policy is usually deny all except when there's an access policy for it?

Do I have to modify this policy?

avatar
@Pee Tankulrat

Yes, the policy usually denied all except when there's an access policy for it. This should be ok.

avatar
@Pee Tankulrat

Also make sure that it is not failing back to POSIX permission.

Remove all POSIX permission from the directory using hdfs dfs -chmod

avatar
New Contributor

Thanks @Sandeep Nemuri and @Rahul Pathak

I think the POSIX permission is most likely what's bypassing this. I'll give it a try and let you know again.

Since then I have spotted another problem with group policy in Ranger.

It appears that users' group doesn't seems to be working for us (allowing a group that the user is a member of, does not grant access). I've try setting hive group based policy (Authenticated with LDAP), but none seems to be working (User based policy works flawlessly). Am I missing anything?

avatar

@Pee Tankulrat, As Rahul mentioned you need to make sure that policy is not failing back to POSIX permission. And for group policy issue, you may ask another question with more details.