Ranger Hive Policy Question

I am trying to protect a Hive database using the Apache Ranger Hive plugin. Below is what I have done:

  1. Users create a database using the Hive View in Ambari.
  2. In order to protect that database and its tables, I created a Hive policy allowing only this user access to this Hive database (see the screenshot).
  3. Then I tried accessing this database through the Ambari/Hue interface using some other user account, and I was able to. It's accessible by all.
  4. Assuming that we may need a deny_for_all policy denying access to all but this user, still no change. That database is accessible by all.
  5. Please NOTE that I haven't made any change to the database permissions using the chmod/chown commands. Do I have to make it something like chmod 000? As I understand, Ambari policy takes precedence over system permissions.

What is missing here?

2726-ranger.jpg

Re: Ranger Hive Policy Question

@prakash What are you seeing in the Ranger audit when the other user tries to access this database?

Re: Ranger Hive Policy Question

@Prakash Punj

Can you try enabling debug mode for Ranger as mentioned below:

vi /usr/hdp/current/ranger-admin/ews/webapp/WEB-INF/log4j.xml

change -> <priority value="info" />

To -> <priority value="debug" />

Restart the Ranger service.

Try a test connection and please check xa_portal.log and the HiveServer2 logs for any errors.

Can you paste the logs here?

Re: Ranger Hive Policy Question

@Prakash Punj

I know this is a Hive plugin related question, but you might want to see: https://community.hortonworks.com/questions/31148/i-am-creating-a-policy-in-ranger-which-blocks-a-us...

How about if you try the same operation through Hive CLI / beeline?

Re: Ranger Hive Policy Question

A few points.

1. What is the value set for Hive impersonation (hive.server2.enable.doAs)? I believe only true would enforce policies for end users.

2. Is the respective table / db file accessible from Hive CLI as well? Note that the Ranger Hive plugin only applies to HiveServer2. Hive CLI should be protected using permissions at the HDFS folder/file level using Ranger or HDFS ACLs.
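
Added example, not part of the thread or of the Ranger/Hive projects: a small check that reads a HiveServer2 configuration file, reports the hive.server2.enable.doAs value asked about above, and flags whether HiveServer2 is actually configured to use the Ranger authorizer. The sample XML is constructed, and which file holds these properties (hive-site.xml or hiveserver2-site.xml) depends on the distribution, so the input is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (not taken from the thread).
SAMPLE_HIVE_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.security.authorization.enabled</name><value>false</value></property>
  <property><name>hive.security.authorization.manager</name><value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value></property>
</configuration>"""

# Authorizer class HiveServer2 loads when the Ranger Hive plugin is enabled.
RANGER_AUTHORIZER = (
    "org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory"
)


def load_properties(xml_text):
    """Return {name: value} from Hadoop-style <configuration> XML."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def check_hiveserver2(xml_text):
    """Report the doAs value and list reasons Ranger policies would not be consulted."""
    props = load_properties(xml_text)
    findings = []
    # Hive's default for this property is false, so a missing entry counts as disabled.
    enabled = props.get("hive.security.authorization.enabled", "false")
    if enabled.lower() != "true":
        findings.append("hive.security.authorization.enabled is not true")
    manager = props.get("hive.security.authorization.manager", "<unset>")
    if manager != RANGER_AUTHORIZER:
        findings.append(f"authorization manager is {manager}, not the Ranger authorizer")
    return {
        "doAs": props.get("hive.server2.enable.doAs", "<unset>"),
        "findings": findings,
    }


if __name__ == "__main__":
    report = check_hiveserver2(SAMPLE_HIVE_SITE)
    print("hive.server2.enable.doAs =", report["doAs"])
    for finding in report["findings"]:
        print("FINDING:", finding)
```

An empty findings list only shows that HiveServer2 is configured to call the Ranger authorizer; access through Hive CLI still depends on HDFS-level permissions, as the reply above notes.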

Re: Ranger Hive Policy Question

Hi, I am using Zeppelin to run Hive queries. (Ranger is enabled.)

With or without user impersonation, when I try running the queries I get the below error:

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [anonymous] does not have [USE] privilege on [null]

This works fine when I put some username in the default user. This also works fine for the user when using Hive CLI.

Can anyone please help?