Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Announcements
Celebrating as our community reaches 100,000 members! Thank you!

Ranger Hive Plugin

avatar
author-rank shaz11
New Contributor

Created on ‎04-01-2021 08:49 AM - last edited on ‎04-02-2021 05:55 AM by Community Manager Community Manager

Hi All,

 

I have a single node vanilla hadoop cluster installed with root user. Below are the versions on the server.

Hadoop 3.1.0

HBase 2.2.3

Hive 3.1.0

Ranger 3.0.0-SNAPSHOT

 

I have installed apache ranger-admin and ranger-usersync, which is configured to sync with local LDAP which is configured on a different server.

I have enabled the plugin for hive service, which is hadoop-sql now. 

Also I have created a policy for one of the ldap user to deny access to one of the hive DB. But, after enabling hive plugin, apart from the user root, none of the users is able to see any tables ( show tables returns empty set, though there are tables), but it shows all the databases for all the users ( including the one I denied in policy).

 

Can someone please help on the same. Please let me know if more information / logs are needed.

1,199 Views
0 Kudos
2 REPLIES 2

avatar
author-rank Shelton
Master Mentor

Created ‎04-02-2021 03:09 PM

@shaz11 

 

Can you share the screenshot of your policy in Ranger ?

Once you enable Ranger plugin then the authorization is automatically delegated to Ranger so for any user to access the hive tables the permissions should be explicitly given from Ranger!

 

Hope that helps!

1,179 Views
0 Kudos

avatar
author-rank shaz11
New Contributor

Created ‎04-07-2021 06:29 AM

@Shelton  Excuse for the delayed response.

 

I have attached the screenshot of the policy in ranger.hivedev policieshivedev policiesTest policy -1Test policy -1Test policy - 2Test policy - 2

 

So according to policy, 'shaz' should have access 'qubz' database and 'edward' should not have access to the 'qubz' database.

 

Beeline:

 

edward@dev-2:~$ beeline
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/apache-hive-3.1.0-bin/lib/log4j-slf4j-impl-2.10.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/hadoop-3.1.0/share/hadoop/common/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Beeline version 3.1.0 by Apache Hive
beeline> !connect jdbc:hive2://dev-2:10000/;
Connecting to jdbc:hive2://dev-2:10000/;
Enter username for jdbc:hive2://dev-2:10000/: edward
Enter password for jdbc:hive2://dev-2:10000/:
Connected to: Apache Hive (version 3.1.0)
Driver: Hive JDBC (version 3.1.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://dev-2:10000/> show databases;
INFO : Compiling command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1): show databases
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Semantic Analysis Completed (retrial = false)
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO : Completed compiling command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1); Time taken: 0.01 seconds
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Executing command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1): show databases
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1); Time taken: 0.015 seconds
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
+----------------+
| database_name |
+----------------+
| default |
| kylin |
| mytesting |
| qubz |
+----------------+
4 rows selected (0.115 seconds)

 

0: jdbc:hive2://dev-2:10000/> show tables from qubz;
INFO : Compiling command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7): show tables from qubz
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Semantic Analysis Completed (retrial = false)
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO : Completed compiling command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7); Time taken: 0.016 seconds
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Executing command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7): show tables from qubz
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7); Time taken: 0.013 seconds
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
+-----------+
| tab_name |
+-----------+
+-----------+
No rows selected (0.043 seconds)

But, edward was able to see 'qubz' db ( to which he was restricted access, In old Ranger, DB will not be even visible - Is this expected here? ) but no tables visible, whereas 'shaz' user was able to view the DB as well as tables as expected.

 

 

1,149 Views
0 Kudos
Announcements
Product Announcements
[ANNOUNCE] Cloudera on Public Cloud Runtime 7.2.18 is GA!
What's New @ Cloudera
Cloudera Operational Database (COD) supports enhancements to...
Community Announcements
March 2024 Community Highlights
Community Announcements
Celebrating 100,000 Members: A Journey of Growth and Connect...
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector for Apache Hive 2.6.2...
View More Announcements