Ranger Hive Policy Question

Rising Star

I am trying to protect Hive Database using Apache Ranger Hive Plugin. Below is what I have done:

  1. Users create database using Hive View in Ambari
  2. In order to protect that database and its tables, I created a Hive Policy allowing only this user access to this hive database. (see the screen shot)
  3. Then I tried accessing this database using Ambari/Hue interface using some other user account and I was able to. It's accessible by all.
  4. Assuming that we may need a deny_for_all policy denying access to all but this user, still no change. That database is accessible by all.
  5. Please NOTE that I haven't made any change to the database permissions (using the chmod/chown commands). Do I have to make it something like chmod 000? As I understand it, Ambari policy takes precedence over system permissions.

What is missing here?

2726-ranger.jpg


Re: Ranger Hive Policy Question

Contributor

@prakash What are you seeing in Ranger audit when other user tries to access this database?
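
The audit check asked about in the reply above, as an added example that is not part of the original thread: it scans Ranger audit records for allowed requests on one database made by users outside the intended list, grouped by the policy ID that granted them. The field names (`reqUser`, `access`, `resource`, `result`, `policy`) and `result` 1 = allowed are assumed from Ranger's JSON audit events; the database, users and records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample records, one JSON object per line. Field names are assumed
# from Ranger's JSON audit events; verify them against your own audit store.
SAMPLE_AUDIT = """\
{"repo":"cl1_hive","reqUser":"alice","access":"SELECT","resource":"salesdb/orders","result":1,"policy":12}
{"repo":"cl1_hive","reqUser":"bob","access":"USE","resource":"salesdb","result":1,"policy":2}
{"repo":"cl1_hive","reqUser":"bob","access":"SELECT","resource":"salesdb/orders","result":1,"policy":2}
{"repo":"cl1_hive","reqUser":"carol","access":"SELECT","resource":"salesdb/orders","result":0,"policy":-1}
{"repo":"cl1_hive","reqUser":"bob","access":"SELECT","resource":"otherdb/t1","result":1,"policy":2}
not-json line left by log rotation
"""

def db_events(lines, database):
    """Yield parsed audit events whose resource is in `database`."""
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank, truncated or non-JSON lines
        if not isinstance(ev, dict):
            continue
        # resource is "db" or "db/table[/column]"; compare the database part only
        if str(ev.get("resource", "")).split("/", 1)[0].lower() == database.lower():
            yield ev

def unexpected_grants(lines, database, allowed_users):
    """Map policy id -> sorted (user, access, resource) tuples for requests that
    were allowed on `database` for a user not in `allowed_users`."""
    hits = defaultdict(set)
    for ev in db_events(lines, database):
        if ev.get("result") != 1:  # assumed: 1 = allowed, 0 = denied
            continue
        if ev.get("reqUser") in allowed_users:
            continue
        hits[ev.get("policy", -1)].add(
            (ev.get("reqUser"), ev.get("access"), ev.get("resource")))
    return {pid: sorted(rows) for pid, rows in hits.items()}

if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    # No events at all for the database means the requests never reached the plugin.
    print("events seen:", sum(1 for _ in db_events(lines, "salesdb")))
    for pid, rows in unexpected_grants(lines, "salesdb", {"alice"}).items():
        print(f"policy {pid} allowed:", rows)
```

The policy ID in the output is the one to open in Ranger Admin, since that policy, not the new one, is what granted the access.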

Re: Ranger Hive Policy Question

@Prakash Punj

Can you try enabling debug mode for Ranger as mentioned below:

vi /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/log4j.xml

change -> <priority value="info" />

To -> <priority value="debug" />

Restart ranger service.

Try test connection and please check xa_portal.log and hive server logs for any error.

Can you paste the logs here?

Re: Ranger Hive Policy Question

Contributor
@Prakash Punj

I know this is a Hive plugin related question, but you might want to see: https://community.hortonworks.com/questions/31148/i-am-creating-a-policy-in-ranger-which-blocks-a-us...

How about if you try the same operation through Hive CLI / Beeline?

Re: Ranger Hive Policy Question

A few points.

1. What is the value set for Hive impersonation (hive.server2.enable.doAs)? I believe only true would enforce policies for end users.

2. Is the respective table / db file accessible from Hive CLI as well? Note that the Ranger Hive plugin only applies to HiveServer2. Hive CLI should be protected using permissions at the HDFS folder/file level using Ranger or HDFS ACLs.

Re: Ranger Hive Policy Question

Explorer

Hi, I am using zeppelin to run hive queries. (Ranger is enabled)

With or without user impersonation, when I try running the queries I get the below error:

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [anonymous] does not have [USE] privilege on [null]

This works fine when in default user I put some username. This also works fine for the user if using Hive CLI.

Can anyone please help?