I enabled the HDFS ACLs in HDP 2.1.2. I can restrict each user but am unable to restrict the group... please help me to restrict the group in the Hive warehouse?

Rising Star

I want to restrict the user "xxx" in group "yyy" to read-only permission on Hive data, so I did the below on the edge node of my PROD cluster:

hadoop fs -setfacl -R -m group:yyy:r-- /apps/hive/warehouse

hadoop fs -getfacl /apps/hive/warehouse
# file: /apps/hive/warehouse
# owner: hive
# group: hdfs
user::rwx
group::rwx
group:yyy:r--
mask::rwx
other::rwx

But when I log in as user "xxx" in Hive, I can easily create a database in /apps/hive/warehouse:

hive> create database testdb2;
OK
Time taken: 0.417 seconds

Can anyone solve this issue? How can I restrict the user xxx in group yyy from having any write access on the Hive database?

5 REPLIES 5
Re: I enabled the HDFS ACLs in HDP 2.1.2. I can restrict each user but am unable to restrict the group... please help me to restrict the group in the Hive warehouse?

@sankar rao

Please check your configuration as per http://hortonworks.com/blog/hdfs-acls-fine-grained-permissions-hdfs-files-hadoop/

Although I highly recommend using Ranger for this.

Re: I enabled the HDFS ACLs in HDP 2.1.2. I can restrict each user but am unable to restrict the group... please help me to restrict the group in the Hive warehouse?

Rising Star

@Rahul Pathak

I have configured it like above only... but I don't know why it is not reflected.

Re: I enabled the HDFS ACLs in HDP 2.1.2. I can restrict each user but am unable to restrict the group... please help me to restrict the group in the Hive warehouse?

Guru

Hi @sankar rao ,

Did you ensure that user 'xxx' is just a member of group 'yyy' on the NAMENODE, and not also part of another group?

I'd also highly recommend using Ranger for that. If it is already enabled, what are the entries in the Ranger audit for exactly those steps you mentioned?

Re: I enabled the HDFS ACLs in HDP 2.1.2. I can restrict each user but am unable to restrict the group... please help me to restrict the group in the Hive warehouse?

Rising Star

@Gerd Koenig

Thank you Gerd... I do not see this user on the NameNode. This user 'xxx' is onboarded only on the EDGE node.

On the edge node, user 'xxx' is a member of the group 'zzz' only.

HADOOP1-230-8:~ # id xxx
uid=25517(xxx) gid=100(users) groups=100(users),25501(zzz)

linux : /home
drwxr-xr-x 2 xxx hdfs 4.0K Jul 24 08:44 xxx

Hadoop: /user
drwxr-xr-x - xxx cid 0 2016-07-24 08:30 /user/xxx

I have tried to restrict the user only (xxx):

hadoop fs -setfacl -m user:xxx:r-- /apps/hive/warehouse

It's working well... but I can't restrict the group...

Can you please tell me how I can solve this issue? I have 100+ users...
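
Added example, not part of any post in this thread: a small Python model of the ACL check order documented in the HDFS Permissions Guide, applied to the getfacl output from the question and the group list from the `id xxx` output above. The function names are hypothetical, and it assumes the NameNode resolves xxx to the same groups the edge node shows; the second call is a constructed case where xxx is a member of yyy.

```python
# Added example: model of the HDFS ACL check order (HDFS superuser bypass not modeled).
GETFACL = """\
# file: /apps/hive/warehouse
# owner: hive
# group: hdfs
user::rwx
group::rwx
group:yyy:r--
mask::rwx
other::rwx
"""

def parse(text):
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            kind, name, perms = line.split(":")
            acl["entries"].append((kind, name, set(perms) - {"-"}))
    return acl

def check(acl, user, groups, want):
    """Return (allowed, deciding_entry) for one permission bit, e.g. 'w'."""
    e = acl["entries"]
    get = lambda kind: next((p for k, n, p in e if (k, n) == (kind, "")), set())
    mask = get("mask") if any(k == "mask" for k, _, _ in e) else set("rwx")
    if user == acl["owner"]:
        return want in get("user"), "user::"
    for k, n, p in e:                        # named user entries, filtered by mask
        if k == "user" and n == user:
            return want in (p & mask), f"user:{n}"
    # owning group ("group::") and named groups the user belongs to
    matched = [(n or acl["group"], p) for k, n, p in e
               if k == "group" and (n or acl["group"]) in groups]
    for n, p in matched:                     # any matching group that grants wins
        if want in (p & mask):
            return True, f"group:{n}"
    if matched:                              # in a listed group, none grants: denied
        return False, f"group:{matched[0][0]}"
    return want in get("other"), "other::"   # nothing matched: "other" decides

if __name__ == "__main__":
    acl = parse(GETFACL)
    print(check(acl, "xxx", ["users", "zzz"], "w"))  # groups from `id xxx` in the thread
    print(check(acl, "xxx", ["users", "yyy"], "w"))  # constructed: xxx is in yyy
```

With the groups shown in the thread, the write request is decided by `other::rwx`, so the `group:yyy:r--` entry is never consulted. `hdfs groups xxx` prints the groups the NameNode actually resolves for the user.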

Re: I enabled the HDFS ACLs in HDP 2.1.2. I can restrict each user but am unable to restrict the group... please help me to restrict the group in the Hive warehouse?

Please see the blog, if this helps: https://cwiki.apache.org/confluence/display/Hive/SQL+Standard+Based+Hive+Authorization

https://cwiki.apache.org/confluence/display/Hive/Hive+Default+Authorization+-+Legacy+Mode

Because I have already done this to restrict the user by creating a role and providing them the access we want to give.
