Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Personal DB's for users within same LDAP group

Highlighted

Personal DB's for users within same LDAP group

Explorer

Hello

 

We have a cluster Kerberized cluster with CDH 5.15.0 with Sentry enabled, Integrated with LDAP, using Kerberos that exist on or managed by the LDAP/AD. 

 

I am trying to create personal Hive DB's for which only that user has access to objects under that DB. Facing problem when providing/restricting access to a single user in same LDAP group.

 

In Hue user admin, am only able to grant/restrict permission for a LDAP group and not for an individual user. 

 

We have 4-5 users in same LDAP group for whom I am trying to create personal Hive DB's under their own HDFS home directory as default location (/user/user1). 

 

Steps:

1. Created a group caled (user1_group) in Hue Admin Groups (for user1).

2. Selected all permissions except useradmin.access  and user1 as member.

3. Created a role in Hue --> Security --> Hive tabled --> Roles and selected user1_group which only has 1 user in it.

3. Created a new Hive DB (user1db) with default location as /user/user1 (HDFS path)

4.  Added privelages - for the above role (from #3) with db=user1db --> table=ALL

 

Just with above steps, user1 should be able to see the newly created DB under their Hue/Hive or Impala (after metadata refresh). But, they are not able to. 

 

So, I changed the role (from #3) to reflect the LDAP group (ldap_group1) which user1 belongs to. Then, user1 is able to view the DB.

 

5. When the user tried to create a table - he/she gets the below error.

user=hive, access=WRITE, inode="/user/user1":user1:user1:drwxr-xr-x ...."

6. Executed the below command so that hive gets access to inode above.

hdfs dfs -setfacl -R -m user:hive:rwx /user/user1

7. User1 is able to create the table and perform various operations. 

 

 

The problem here is, any user under LDAP group (ldap_group1) who has permission to impersonate as hive or impala is able to create/delete tables in db_user1. 

 

How can I restrict access to personal DB's only to that user without others having access to it?

What am I doing incorrectly in the above steps?

 

Thanks for the input/pointers. 

 

 

 

 

Don't have an account?
Coming from Hortonworks? Activate your account here