Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Ranger Hive policy doesn't work with user-group - NO LDAP

Highlighted

Ranger Hive policy doesn't work with user-group - NO LDAP

I add a internal ranger user to a hive policy and test the policy in hive, it works.

But if I try to add a user-group which I created in Ranger with the user I tried it before to a hive policy, it doesn't work.

I don't have LDAP activated in this test cluster.

6108-user-group.png

6109-hivepolicy.png

6 REPLIES 6
Highlighted

Re: Ranger Hive policy doesn't work with user-group - NO LDAP

can you please mention what is the operation you are trying to do? , and please see runas configuration is true or false , if it is false then please check whether hive user also has permissions.

Highlighted

Re: Ranger Hive policy doesn't work with user-group - NO LDAP

Sorry for my bad discription...this is a test cluster for a specific usecase. I want to add about 10 users manually in ranger and split them into 3 user-groups.

In ranger-hive I want to create 3 policys and each policy get's one user-group.

If I know add a new user to a user-group, I only add them to the group and must not edit the hive policy.

Highlighted

Re: Ranger Hive policy doesn't work with user-group - NO LDAP

actually i wanted to know the hive operation that is failing , and you can post complete stack of the hive operation response , like what is the error you are getting after running hive command

Highlighted

Re: Ranger Hive policy doesn't work with user-group - NO LDAP

An exception was caught. Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [dummy] does not have [USE] privilege on [test]

the hive runas configuration is false. If I add the user dummy direct to the permission, it works. If I just add the group, it doesn't work.

Highlighted

Re: Ranger Hive policy doesn't work with user-group - NO LDAP

@Andreas Schild is this a unix user ? how are you making hive call using this user ?

and also can you check the audit logs too for this denied operation ?

Highlighted

Re: Ranger Hive policy doesn't work with user-group - NO LDAP

I'm working with Toad for Apache Hadoop. I created a user for ambari with just read only rights. Then I connect toad to the hdp cluster. An now I edit the configuration and set the user to dummy. So now I don't see any databases etc.

I create a hive policy in ranger with all rights for user dummy.

I can't find a good description how the user concept in hdp is working, and how to setup ranger without ldap etc...

Don't have an account?
Coming from Hortonworks? Activate your account here