Support Questions

Find answers, ask questions, and share your expertise

Ranger policy not enforced in Zeppelin notebook - Using %jdbc(hive) displays all databases and tables.

Contributor

Hi All,

Ranger plugin is enabled for hive and policy is created in hive for a particular user to get access only on 2 databases.

When the same user logs in to Zeppelin notebook and executes show databases command he could see all databases.

Below 2 lines are executed in zeppelin notebook:

%jdbc(hive)

show databases

The user can see all databases and he can create new database too!!!

How can we enforce ranger policy for a user when zeppelin notebook is used?

Thanks a lot for your time.

1 ACCEPTED SOLUTION

@Sriram So to summarize in order for impersonation to work in non-kerberized environment for zeppelin jdbc (hive) please follow the following steps:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

No need to enable the global settings, just with the defaults follow the steps listed above. I just tested this in my environment and is working fine.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

View solution in original post

17 REPLIES 17

@Sriram

Unless you have configured impersonation for jdbc interpreter all access for all users to hive using zeppelin jdbc interpreter will be perform as user zeppelin.

Therefore, please make sure your zeppelin jdbc interpreter is configured for impersonation:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

@Sriram

If there is no policy for zeppelin user or public group (to which zeppelin usually belongs to) - Then I suggest you check which policy id is granting the access. You can check this in Ranger Admin UI Access tab as seen in the next image:

83390-access-tab-ranger-admin-ui.png

If you click in the policy id shown above it will provide more details on the access. This way you will know why is the access being granted to zeppelin user.

The above will show only if ranger plugin is correctly configured for hive. If you don't see any entries then check hiveserver2 logs and double check the hive ranger plugin is properly configured.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

@Sriram

So based on the zeppelin configuration for jdbc interpreter I see you are using hive user (this explains why you can see all databases and have full access).

Please review the documentation on how to configure zeppelin jdbc interpreter for impersonation as I mentioned above, you can also check this documentation:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-...

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

@Sriram Actually for non kerberos here are the instructions to setup user impersonation:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

Contributor

@Felix Albani,

In case if the impersonation is not enabled, then I don't have any policy in place for zeppelin user.

How can this happen when there is no policy?

Contributor

Hi Felix,

Thanks for prompt response.

I could see no policy which gives Zeppelin user complete permissions.

Here is the snippet of the policies.

rangerpolicy.jpg

Also, I am not sure on how to check hive plugin is enabled properly or not.

Note: Policies are applied when checked against HS2 using beeline but the same policy is not applied while using Zeppelin notebook.

Thanks for your time on this.

@Sriram Could you share a screenshot of the zeppelin jdbc (hive) interpreter configuration? Also if you can tail the hiveserver2 log to which the zeppelin is configured to connect and check what is happening (which is the user used and if there are any ranger issues) that would be helpful.

Contributor

@Felix, I believe jdbc interpreter configuration has to be changed and I am using default settings.

Here are the jdbc interpreter properties.

jdbc1.jpgjdbc2.jpg

I did disable plugin again and I will post the errors when I enable again.

Please let me know if changes are to be made to jdbc interpreter?

Contributor

Sorry for asking you this without checking the link you provided ( I am doing it now 😞

In my case, Kerberos is not enabled.

How to change the user name from hive to the user name of the logged in user?

You are correct, hive user has got full permissions and hence policy is not applied.

Contributor

I could see below line:

If Kerberos is not enabled on the cluster, no additional configuration steps are required.

Hence, I believe default configuration should work properly but it is in conflict with hive user in jdbc connector.

Contributor

Also, hive.server2.enable.doAs is set to true.

@Sriram So to summarize in order for impersonation to work in non-kerberized environment for zeppelin jdbc (hive) please follow the following steps:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

No need to enable the global settings, just with the defaults follow the steps listed above. I just tested this in my environment and is working fine.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

@Sriram Did it work? Please keep me posted 🙂

Contributor

@Felix Albani many many thanks for your continuous support. I will keep you posted, once after Ranger issue is resolved.

Thanks again.

Contributor

Thanks a lot @Felix Albani...you solved my issue.

Contributor

@Felix Albani...Yes your help is valuable and it worked but with one final question.

Do I need to modify credentials for each and every user? How to make it generic for all users at one go?

I am forced to modify credentials for testuser2.

zeppelinissue.jpg

Contributor

@Felix Albani

I could see below lines from Zeppelin documentation.

  1. In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.
  2. Click edit, then add a hive.proxy.user.property property and set its value to hive.server2.proxy.user.
  3. Click Save, then click restart to restart the JDBC interpreter.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_zeppelin-component-guide/content/config-...

I believe above should be sufficient enough.

As of now because of some issues we did disable plugin for Ranger and need to test it after 1-2 days once after ranger plugin is enabled.

I could not see any job being executed with Zeppelin user login ID even after adding above property.

Take a Tour of the Community
Don't have an account?
Your experience may be limited. Sign in to explore more.