Ranger Hive Plugin

New Contributor

Hi All,

 

I have a single node vanilla hadoop cluster installed with root user. Below are the versions on the server.

Hadoop 3.1.0

HBase 2.2.3

Hive 3.1.0

Ranger 3.0.0-SNAPSHOT

 

I have installed apache ranger-admin and ranger-usersync, which is configured to sync with local LDAP which is configured on a different server.

I have enabled the plugin for hive service, which is hadoop-sql now. 

Also, I have created a policy for one of the LDAP users to deny access to one of the Hive DBs. But after enabling the Hive plugin, apart from the user root, none of the users is able to see any tables (show tables returns an empty set, though there are tables), but it shows all the databases for all the users (including the one I denied in the policy).

 

Can someone please help on the same. Please let me know if more information / logs are needed.

2 REPLIES

Re: Ranger Hive Plugin

Mentor

@shaz11 

 

Can you share the screenshot of your policy in Ranger ?

Once you enable Ranger plugin then the authorization is automatically delegated to Ranger so for any user to access the hive tables the permissions should be explicitly given from Ranger!

 

Hope that helps!
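
The default-deny behaviour described in the reply above, as an added example that is not part of the original thread and is not Ranger's own code. It is a simplified model: the policies are constructed in the shape of a Ranger policy export (not taken from the poster's screenshots), only user matches are evaluated (groups and roles are ignored), `alice` is a hypothetical user with no policy, and filtering `SHOW TABLES` on `select` is an assumption of the model.

```python
from fnmatch import fnmatchcase

# Constructed policies (not the ones in the thread's screenshots):
# shaz is allowed on qubz, edward is explicitly denied on qubz.
POLICIES = [
    {"name": "allow-shaz-qubz", "isEnabled": True,
     "resources": {"database": {"values": ["qubz"]}, "table": {"values": ["*"]}},
     "policyItems": [{"users": ["shaz"],
                      "accesses": [{"type": "select", "isAllowed": True}]}],
     "denyPolicyItems": []},
    {"name": "deny-edward-qubz", "isEnabled": True,
     "resources": {"database": {"values": ["qubz"]}, "table": {"values": ["*"]}},
     "policyItems": [],
     "denyPolicyItems": [{"users": ["edward"],
                          "accesses": [{"type": "select", "isAllowed": True}]}]},
]

def _resource_matches(policy, database, table):
    res = policy["resources"]
    def hit(key, value):
        return any(fnmatchcase(value, pat) for pat in res.get(key, {}).get("values", []))
    return hit("database", database) and hit("table", table)

def _item_matches(items, user, access):
    return any(user in item.get("users", [])
               and any(a["type"] == access and a.get("isAllowed") for a in item["accesses"])
               for item in items)

def evaluate(policies, user, database, table, access="select"):
    """Return (decision, policy_name): deny items first, then allow items, else deny."""
    matching = [p for p in policies
                if p.get("isEnabled", True) and _resource_matches(p, database, table)]
    for p in matching:
        if (_item_matches(p.get("denyPolicyItems", []), user, access)
                and not _item_matches(p.get("denyExceptions", []), user, access)):
            return "DENY", p["name"]
    for p in matching:
        if (_item_matches(p.get("policyItems", []), user, access)
                and not _item_matches(p.get("allowExceptions", []), user, access)):
            return "ALLOW", p["name"]
    return "DENY", None  # no policy granted access, so the request is denied

def visible_tables(policies, user, database, tables):
    """Model of a filtered SHOW TABLES: keep only tables the user may select from."""
    return [t for t in tables if evaluate(policies, user, database, t)[0] == "ALLOW"]

if __name__ == "__main__":
    for u in ("shaz", "edward", "alice"):
        print(u, evaluate(POLICIES, u, "qubz", "t1"),
              visible_tables(POLICIES, u, "qubz", ["t1", "t2"]))
```

A user with no matching allow item ends up with the same empty table list as a user with an explicit deny item; the policy name in the result (or `None`) tells the two cases apart.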

Re: Ranger Hive Plugin

New Contributor

@Shelton  Excuse me for the delayed response.

 

I have attached the screenshot of the policy in Ranger.

[Screenshots: hivedev policies; Test policy -1; Test policy - 2]

 

So according to the policy, 'shaz' should have access to the 'qubz' database and 'edward' should not have access to the 'qubz' database.

 

Beeline:

 

edward@dev-2:~$ beeline
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/hdp/apache-hive-3.1.0-bin/lib/log4j-slf4j-impl-2.10.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/usr/hdp/hadoop-3.1.0/share/hadoop/common/lib/slf4j-log4j12-1.7.25.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
Beeline version 3.1.0 by Apache Hive
beeline> !connect jdbc:hive2://dev-2:10000/;
Connecting to jdbc:hive2://dev-2:10000/;
Enter username for jdbc:hive2://dev-2:10000/: edward
Enter password for jdbc:hive2://dev-2:10000/:
Connected to: Apache Hive (version 3.1.0)
Driver: Hive JDBC (version 3.1.0)
Transaction isolation: TRANSACTION_REPEATABLE_READ
0: jdbc:hive2://dev-2:10000/> show databases;
INFO : Compiling command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1): show databases
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Semantic Analysis Completed (retrial = false)
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:database_name, type:string, comment:from deserializer)], properties:null)
INFO : Completed compiling command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1); Time taken: 0.01 seconds
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Executing command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1): show databases
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=root_20210407130935_a28fc25d-2398-4e61-a205-f24e3ba937f1); Time taken: 0.015 seconds
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
+----------------+
| database_name |
+----------------+
| default |
| kylin |
| mytesting |
| qubz |
+----------------+
4 rows selected (0.115 seconds)

 

0: jdbc:hive2://dev-2:10000/> show tables from qubz;
INFO : Compiling command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7): show tables from qubz
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Semantic Analysis Completed (retrial = false)
INFO : Returning Hive schema: Schema(fieldSchemas:[FieldSchema(name:tab_name, type:string, comment:from deserializer)], properties:null)
INFO : Completed compiling command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7); Time taken: 0.016 seconds
INFO : Concurrency mode is disabled, not creating a lock manager
INFO : Executing command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7): show tables from qubz
INFO : Starting task [Stage-0:DDL] in serial mode
INFO : Completed executing command(queryId=root_20210407131007_896cb7af-5452-4b5e-bd6c-1393c25e1bd7); Time taken: 0.013 seconds
INFO : OK
INFO : Concurrency mode is disabled, not creating a lock manager
+-----------+
| tab_name |
+-----------+
+-----------+
No rows selected (0.043 seconds)

But edward was able to see the 'qubz' DB (to which he was restricted access; in old Ranger, the DB will not even be visible. Is this expected here?) but no tables were visible, whereas the 'shaz' user was able to view the DB as well as the tables, as expected.