Support Questions

snukavarapu · ‎10-02-2015

For doAs=false,

every Hive table has to be owned by “hive” user and if anyone creates an external table, that won’t be owned by Hive user. Are we supposed to restrict usage of external tables?

pardeep_kumar · ‎10-02-2015

@snukavarapu@hortonworks.com

We are not supposed to restrict usage of external tables.

For reference,

http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

View solution in original post

pardeep_kumar · ‎10-02-2015

@snukavarapu@hortonworks.com

We are not supposed to restrict usage of external tables.

For reference,

http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

k_zarzycki · ‎06-30-2016

I have the same problem, as users of Hive (configured with doAs=false and security in Ranger) create lots of external tables to map their data. But hive is unable to access this data by default, we have to give explicit permissions for hive user to read the hdfs data of external table. That is very cumbersome.

I don't see any best practice regarding external tables in the document you referenced. Do you guys have any advice how to handle external tables in such case?

Thanks!

jniemiec · ‎10-02-2015

Can't we just overload the HDFS Policies? So for example at a client we are using doAs false so we can use column security via Hive, but then for the 'application' that loads the data also has an HDFS Policy so it can directly run MR jobs and the like to get the data loaded for end Hive users.

Cloudera Community

Support Questions

Ranger - hive doAs as false - external tables not owned by hive user.