Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

PIG is not restricting authorization of HCatalog database and tables

avatar
author-rank piyush_jhawar
Explorer

Created ‎09-05-2016 12:27 PM

Hi ,

We are verifying our product usecases over Ranger enabled HDP enviroment .

Our product launched from User A (LDAP user) . User A dont have access on any DB and Tables .

We have another User B (LDAP) . User B have access on marketingDb.saletable

When we logged in our product and use marketingDb.saletable and submit job so Job is getting success and Jobtracker is showing User A as user .

Question :- If job is launching from User A and User A dont have access on any HCatalog table so how job got successfully completed ?

To further debug this issue , we launched PIG job while User A keytab was in session so PIG job also successfully completed.

Could you please answer of these questions ... Is this happening due to any wrong configuration ..

Please guide us

1,786 Views
1 ACCEPTED SOLUTION

avatar
author-rank ldaluz author-rank
Expert Contributor

Created ‎09-05-2016 04:53 PM

@Piyush Jhawar

The Ranger Hive plugin protects Hive data when it is accessed via HiveServer2. When you access these tables using HCatalog in Pig you are not going through HiveServer2, but instead Pig is using the files directly from HDFS (HCatalog is just used to map the table metadata to the HDFS files in this case).

In order to protect this data, you should also define a Ranger HDFS policy to protect the underlying HDFS directory that is used to store the marketingDb.saletable data.

To clarify:

  • Ranger Hive Plugin - Used to protect Hive data when accessed via HiveServer2 (e.g, a user connecting to Hive via JDBC)
  • Ranger HDFS Plugin - Used to protect HDFS files and directories (suitable if users need to access the data outside of HiveServer2 - Pig, Spark etc)

View solution in original post

1,676 Views
4 REPLIES 4

avatar
author-rank ldaluz author-rank
Expert Contributor

Created ‎09-05-2016 04:53 PM

@Piyush Jhawar

The Ranger Hive plugin protects Hive data when it is accessed via HiveServer2. When you access these tables using HCatalog in Pig you are not going through HiveServer2, but instead Pig is using the files directly from HDFS (HCatalog is just used to map the table metadata to the HDFS files in this case).

In order to protect this data, you should also define a Ranger HDFS policy to protect the underlying HDFS directory that is used to store the marketingDb.saletable data.

To clarify:

  • Ranger Hive Plugin - Used to protect Hive data when accessed via HiveServer2 (e.g, a user connecting to Hive via JDBC)
  • Ranger HDFS Plugin - Used to protect HDFS files and directories (suitable if users need to access the data outside of HiveServer2 - Pig, Spark etc)
1,677 Views

avatar
author-rank piyush_jhawar
Explorer

Created ‎09-06-2016 07:37 AM

@Laurence Da Luz

Thank you very much for detailed answer .My doubt have been cleared now

1,676 Views
0 Kudos

avatar
author-rank myoung
Super Guru

Created ‎09-06-2016 04:30 PM

@Piyush Jhawar

If @Laurence Da Luz answered your question, please accept the answer to help others in the community.

1,676 Views
0 Kudos

avatar
author-rank piyush_jhawar
Explorer

Created ‎09-06-2016 04:43 PM

Yes i should do it..:)

Done it now..Thanks..

1,676 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements