
Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin


New Contributor

I have a Kerberized HDP cluster with Spark, Hive, Livy, Zeppelin and Ranger.

When I'm querying Hive using the JDBC (hive) interpreter, my policies are enforced as expected. In my case, the user gets rejected when trying to list tables in the db.

When I run the same query using the livy.sql interpreter, it gets executed and I can see all tables, even though my policy is saying I can't...

What am I missing?

Cheers


Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

Expert Contributor

Did you check the audit log to see what user actually accessed the table?

Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

Expert Contributor

@Jakub Igla

I have seen an issue like this happen in Zeppelin when the interpreter binding mode was set permissively. Try isolating the interpreter and monitoring the audit log to see what's actually happening.

Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

New Contributor

In Ranger Audit I can only see one entry related to that, which is the YARN queue that was allowed.
When I change the interpreter to isolated (from scoped) I get:

org.apache.zeppelin.interpreter.InterpreterException: Host key verification failed.

Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

Expert Contributor

@Jakub Igla: You can check the logs for Livy; they might give you more info on why you are getting this error. I happen to know that Livy is ssh'ing in as your user and that is somehow causing this error. (The error you are getting is an ssh error and Livy uses ssh, so... this is how I know this issue is an ssh issue.)

Maybe the user you are using isn't present on the node livy is using.

Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

New Contributor

Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

Expert Contributor

It's my fault, I didn't realize you were not using LLAP, which does correctly honor Ranger policies. I should have caught that.

See the following:

https://community.hortonworks.com/content/kbentry/101181/rowcolumn-level-security-in-sql-for-apache-...

https://community.hortonworks.com/articles/110093/using-rowcolumn-level-security-of-spark-with-zeppe...

Also, you need this parameter, which for some reason isn't in the above guides:

livy.spark.yarn.security.credentials.hiveserver2.enabled true

Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

Contributor
@Jakub Igla

@Matt Andruff

Can you tell me how we can enable Hive policies for the Hive JDBC connector?

Re: Ranger Policies are not enforced using %livy.sql interpreter in Zeppelin

Contributor

In my case, Ranger policies are not enforced in the Zeppelin notebook.