We have an HDP 2.6.3 cluster with Kerberos enabled. We have the Hive plugin enabled and policies set for groups which are imported from OpenDJ (LDAP). We can see Hive policies working when the permissions are granted to users; however, when the same policies are granted to groups, the user gets the error regarding - USE privilege not available for default tables.
Users and Groups are imported to Ranger, Ambari and also hadoop-group mapping is enabled.
So when we enter - hdfs groups username, we get the LDAP group the user is added to.
So we are not sure what more needs to be checked. Any suggestions would be helpful.
Check the following in the same hiveserver2 host:
1. How is group mapping configured? With LDAP or with the Unix groups implementation? If Unix groups, you should check on the hiveserver2 host what the result of id <username> is and whether this command is returning the list of groups. What I've seen is that sometimes SSSD/Centrify is used and is not correctly synchronizing groups.
2. Policies are case sensitive for users and groups. Make sure the groups listed with hdfs groups username and/or id <username> match the exact case you see in Ranger -> user/groups.
1. The group mapping is done via LDAP with settings similar to those used to configure Ranger User Info.
2. Yes, we have checked that possibility and hence we have changed the groups to small case to avoid any kind of doubt regarding the case sensitivity.
Yet the problem persists.
Here's the example.
>hdfs groups bhanu.pamu
bhanu.pamu : developers
And we have granted 'developers' group 'select' access in Ranger to Hive Tables.
Any further suggestions please.
@Bhanu Pamu If user based authorization is working, this means policies are correctly downloaded to the hiveserver2 policy cache. You can confirm anyways by checking under /etc/ranger/clusterName_hive/policycache/*.json and seeing if the file contains the entry for the developer group. Just to be clear on the group mapping configuration, could you confirm what value you have in your core-site.xml for hadoop.security.group.mapping? Also, from which node are you running the hdfs groups command? Make sure you check all this from the hiveserver2 machine.
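The check suggested in the answers above, as an added example that is not part of the original thread: it compares the groups printed by hdfs groups with the group names in a Ranger policy cache file and flags names that differ only by case. The JSON layout (policies, policyItems, groups, accesses), the policy names and the function names are assumptions constructed for illustration.

```python
import json

# Constructed sample in the assumed layout of a Ranger policy cache file
# (top-level "policies", each with "policyItems" holding "users",
# "groups" and "accesses"); not taken from a real cluster.
SAMPLE_CACHE = json.loads("""
{"serviceName": "clusterName_hive", "policies": [
  {"name": "dev-select", "isEnabled": true,
   "resources": {"database": {"values": ["default"]}},
   "policyItems": [{"users": [], "groups": ["Developers"],
                    "accesses": [{"type": "select", "isAllowed": true}]}]},
  {"name": "ops-all", "isEnabled": false,
   "resources": {"database": {"values": ["default"]}},
   "policyItems": [{"users": ["admin"], "groups": ["ops"],
                    "accesses": [{"type": "all", "isAllowed": true}]}]}
]}
""")

def parse_hdfs_groups(line):
    """Parse 'user : g1 g2' as printed by `hdfs groups <username>`."""
    user, _, groups = line.partition(":")
    return user.strip(), groups.split()

def check_group_policies(cache, resolved_groups):
    """Classify each policy-item group against the groups Hadoop resolved."""
    by_lower = {g.lower() for g in resolved_groups}
    findings = []
    for policy in cache.get("policies", []):
        for item in policy.get("policyItems", []):
            allowed = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed"))
            for group in item.get("groups", []):
                if group in resolved_groups:
                    status = "match" if policy.get("isEnabled", True) else "disabled-policy"
                elif group.lower() in by_lower:
                    status = "case-mismatch"  # policies are case sensitive for groups
                else:
                    continue                  # group is unrelated to this user
                findings.append((policy["name"], group, status, allowed))
    return findings

if __name__ == "__main__":
    # On a real host, load /etc/ranger/clusterName_hive/policycache/*.json and pass
    # the output of `hdfs groups <username>` taken on the hiveserver2 machine.
    user, groups = parse_hdfs_groups("bhanu.pamu : developers")
    for name, group, status, allowed in check_group_policies(SAMPLE_CACHE, groups):
        print(f"{user}: policy={name} group={group} status={status} accesses={allowed}")
```

An empty result means no policy item names any of the user's resolved groups, which points back at the group mapping on the hiveserver2 host rather than at the policy text.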
@Anjali Shevadkar We had to implement the LDAP settings in core-site.xml via Ambari and then restart the affected services. Later you may run the hdfs regroup mapping command to sync from the backend. Let me know how it goes?