Ranger Plugin not effective

Master Collaborator

I have enabled the Hive plugin for Ranger, but users can still connect to Hive even though I have not added them in the policy?

I must be missing some step in implementing Ranger security for applications.

hive-policy-ranger.jpg


@Sami Ahmad

The user can connect to Hive CLI/Beeline even after enabling the Ranger plugin for Hive. But the user can't view the databases or the tables in a database unless the user has permissions on that database or table.

The Ranger plugin doesn't restrict users from connecting to Beeline. It just restricts the permissions on databases/tables/columns.

Link: https://hortonworks.com/blog/best-practices-in-hdfs-authorization-with-apache-ranger/

Master Collaborator

Can a user connect to Hive if there is no policy in Ranger giving him access?

Yes, the user can connect. As mentioned above, he can't access databases unless the user has permission on that DB from Ranger.

Master Collaborator

How am I able to do all this even though I don't have any access granted in the Ranger Hive plugin?

I can access the database, I can create tables, I can view other tables.

ranger-hive-policies.jpg

hive> show databases;
OK
default
employee_db
twitter
user1
user2
Time taken: 0.95 seconds, Fetched: 5 row(s)
hive> show schemas;
OK
default
employee_db
twitter
user1
user2
Time taken: 0.013 seconds, Fetched: 5 row(s)
hive> use employee_db;
OK
Time taken: 0.303 seconds
hive> show tables;
OK
employee2
test2
Time taken: 0.254 seconds, Fetched: 2 row(s)
hive> select * from test2;
OK
Failed with exception java.io.IOException:org.apache.hadoop.hbase.TableNotFoundException: Table 'test1' was not found, got: hbase:namespace.
Time taken: 0.948 seconds
hive> select * from employee2 limit 10;
OK
Failed with exception java.io.IOException:org.apache.hadoop.hbase.TableNotFoundException: Table 'emp_hbase' was not found, got: PA_LANE_TXN.
Time taken: 0.156 seconds
hive> desc employee2;
OK
id                      int                     from deserializer
name                    string                  from deserializer
designation             string                  from deserializer
salary                  float                   from deserializer
city                    string                  from deserializer
Time taken: 0.416 seconds, Fetched: 5 row(s)
hive> create table test (id int);
OK
Time taken: 0.183 seconds
hive> insert into test values (1);
Query ID = sami_20170713092659_6cd0e6fc-47fc-4037-ab6e-2a93439035b7
Total jobs = 1
Launching Job 1 out of 1

Status: Running (Executing on YARN cluster with App id application_1499892912015_0001)
--------------------------------------------------------------------------------
        VERTICES      STATUS  TOTAL  COMPLETED  RUNNING  PENDING  FAILED  KILLED
--------------------------------------------------------------------------------
Map 1 ..........   SUCCEEDED      1          1        0        0       0       0
--------------------------------------------------------------------------------
VERTICES: 01/01  [==========================>>] 100%  ELAPSED TIME: 7.06 s
--------------------------------------------------------------------------------
Loading data to table employee_db.test
Table employee_db.test stats: [numFiles=1, numRows=1, totalSize=2, rawDataSize=1]
OK
Time taken: 8.782 seconds
hive> quit
    > ;
-bash-4.1$ id
uid=600(sami) gid=600(sami) groups=600(sami)
-bash-4.1$


@Sami Ahmad

You should not use the Hive CLI after enabling the Ranger Hive plugin. The Hive CLI is not supported in HDP-2.2.0 and higher versions, and may break the install or lead to other unpredictable behavior. Instead, you should use the HiveServer2 Beeline CLI.

Master Collaborator

So what's the best practice in production environments? Do they delete the Hive CLI? Restrict it?

Please advise how to prevent users from using it.

@Sami Ahmad

It is suggested to restrict it. You can follow the steps below to disable it:

We can add the lines below to the hive-env template via Ambari to disable hive-shell:

if [ "$SERVICE" = "cli" ] && [ "$USER" != "ambari-qa" ]; then
    echo "Sorry! I have disabled hive-shell"
    exit 1
fi

After restarting the Hive services, when you try to run the hive shell, you will get the output below:

[root@sandbox hive]# hive
Sorry! I have disabled hive-shell

Link to article : https://community.hortonworks.com/questions/10760/how-to-disable-hive-shell-for-all-users.html
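
An allow-list variant of the hive-env guard from the reply above, as an added example that is not part of the original thread or of HDP: `HIVE_CLI_ALLOWED_USERS` and the function names are assumptions, and the account is resolved with `id -un` instead of being read from `$USER`. The guard only stops the hive launcher script; data reached outside HiveServer2 is still governed by HDFS permissions, not by Ranger Hive policies.

```shell
# Added example for the hive-env template; names below are assumptions.
# Service accounts that may still start the Hive CLI (adjust per cluster).
HIVE_CLI_ALLOWED_USERS="${HIVE_CLI_ALLOWED_USERS:-ambari-qa}"

# hive_cli_allowed SERVICE USER
# Returns 0 if the launch may proceed, 1 if it must be blocked.
hive_cli_allowed() {
    service="$1"
    user="$2"
    # Only the "cli" service (the hive shell) is restricted;
    # hiveserver2, metastore and other services pass through.
    [ "$service" = "cli" ] || return 0
    for allowed in $HIVE_CLI_ALLOWED_USERS; do
        [ "$user" = "$allowed" ] && return 0
    done
    return 1
}

# hive_cli_guard
# Checks the SERVICE value set by the hive launcher against the real account.
# An account name that cannot be resolved is treated as not allowed.
hive_cli_guard() {
    real_user="$(id -un 2>/dev/null)"
    if ! hive_cli_allowed "${SERVICE:-}" "$real_user"; then
        # Leave a syslog trail so blocked attempts can be reviewed.
        logger -t hive-cli-guard "blocked hive shell for user=$real_user" 2>/dev/null || true
        echo "Hive CLI is disabled; connect through HiveServer2 with Beeline." >&2
        return 1
    fi
    return 0
}

# Same effect as the original snippet: stop the launcher when blocked.
hive_cli_guard || exit 1
```
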
