Support Questions

Adija1 · ‎09-27-2016

Hello

We use HDP 2.3 with Ranger 0.5 for managing HIVE permissions. (not for HDFS. Just hive). Ranger (usersync) is configured to use Active Directory and it syncs the users & groups from AD without any issues. In Ranger >>> Settings >>> Users/Groups we see each user and it's corresponding Active Directory groups. When granting authorizations to users for hive access - it works perfect ! However - when using groups (which is way more efficient to manage) it just doesn't work. Permission is always denied. It seems using groups just doesn't work - only users. Again - the sync works and i'm able to see the each users' groups in Ranger - but when i use groups instead of users for hive permissions - it does nothing.

Any ideas why ?

Thanks in advance !

Adi J.

tstebbens · ‎09-27-2016

@Adi Jabkowsky Usually this happens because Hiveserver2 cannot determine which groups the user belongs to. Check your Hiveserver2 log for a message that looks like "No groups for user XXX" where XXX is the user that is being denied access.

If this is the case you'll need to make sure that the OS on the Hiveserver2 node can resolve the groups for that user. Either configure the OS to pull user and group information from Active Directory or set up Hadoop Group Mapping.

View solution in original post

arturbrandys1 · ‎08-04-2021

In my case I had to restart HiveServer2 services on nodes after I had connected the hosts to the domain (using sssd service).

Cloudera Community

Support Questions

Ranger Group permissions from LDAP - not working in Hive