Ranger policy not enforced in Zeppelin notebook - Using %jdbc(hive) displays all databases and tables.

avatar
Contributor

Hi All,

The Ranger plugin is enabled for Hive and a policy is created in Hive for a particular user to get access to only 2 databases.

When the same user logs in to a Zeppelin notebook and executes the show databases command, he can see all databases.

Below 2 lines are executed in zeppelin notebook:

%jdbc(hive)

show databases

The user can see all databases and he can create new database too!!!

How can we enforce ranger policy for a user when zeppelin notebook is used?

Thanks a lot for your time.

1 ACCEPTED SOLUTION

avatar

@Sriram So to summarize, in order for impersonation to work in a non-kerberized environment for zeppelin jdbc (hive), please follow these steps:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

No need to enable the global settings, just with the defaults follow the steps listed above. I just tested this in my environment and it is working fine.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

17 REPLIES

avatar

@Sriram

Unless you have configured impersonation for the jdbc interpreter, all access for all users to hive using the zeppelin jdbc interpreter will be performed as user zeppelin.

Therefore, please make sure your zeppelin jdbc interpreter is configured for impersonation:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

HTH

avatar

@Sriram

If there is no policy for zeppelin user or public group (to which zeppelin usually belongs), then I suggest you check which policy id is granting the access. You can check this in the Ranger Admin UI Access tab, as seen in the next image:

[Image: 83390-access-tab-ranger-admin-ui.png]

If you click on the policy id shown above it will provide more details on the access. This way you will know why the access is being granted to zeppelin user.

The above will show only if ranger plugin is correctly configured for hive. If you don't see any entries then check hiveserver2 logs and double check the hive ranger plugin is properly configured.

HTH

avatar

@Sriram

So based on the zeppelin configuration for jdbc interpreter I see you are using hive user (this explains why you can see all databases and have full access).

Please review the documentation on how to configure zeppelin jdbc interpreter for impersonation as I mentioned above. You can also check this documentation:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-...

HTH

avatar

@Sriram Actually, for non-Kerberos, here are the instructions to set up user impersonation:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

HTH

avatar
Contributor

@Felix Albani,

In case the impersonation is not enabled, I don't have any policy in place for zeppelin user.

How can this happen when there is no policy?

avatar
Contributor

Hi Felix,

Thanks for the prompt response.

I could see no policy which gives Zeppelin user complete permissions.

Here is the snippet of the policies.

[Image: rangerpolicy.jpg]

Also, I am not sure how to check whether the hive plugin is enabled properly or not.

Note: Policies are applied when checked against HS2 using beeline but the same policy is not applied while using Zeppelin notebook.

Thanks for your time on this.

avatar

@Sriram Could you share a screenshot of the zeppelin jdbc (hive) interpreter configuration? Also if you can tail the hiveserver2 log to which the zeppelin is configured to connect and check what is happening (which is the user used and if there are any ranger issues) that would be helpful.

avatar
Contributor

@Felix, I believe jdbc interpreter configuration has to be changed and I am using default settings.

Here are the jdbc interpreter properties.

[Images: jdbc1.jpg, jdbc2.jpg]

I did disable plugin again and I will post the errors when I enable again.

Please let me know if changes are to be made to jdbc interpreter?

avatar
Contributor

Sorry for asking you this without checking the link you provided (I am doing it now 😞).

In my case, Kerberos is not enabled.

How do I change the user name from hive to the user name of the logged-in user?

You are correct, hive user has got full permissions and hence policy is not applied.
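
Added example, not part of any reply in this thread: a small audit of a Zeppelin jdbc interpreter setting that reports when `%jdbc(hive)` would reach HiveServer2 as one fixed account, which is the condition the replies above identify as the reason Ranger's per-user policy is not applied. It assumes the interpreter property names `hive.user` and `hive.proxy.user.property`; the sample settings, host name and the list of service accounts are constructed for illustration.

```python
import json

# Constructed sample shaped like the "properties" of a Zeppelin jdbc interpreter
# setting; values are illustrative, not taken from the thread's screenshots.
SAMPLE_SETTINGS = json.loads("""
{
  "static_user": {"properties": {
      "hive.url": "jdbc:hive2://hs2.example.internal:10000",
      "hive.user": "hive"}},
  "impersonating": {"properties": {
      "hive.url": "jdbc:hive2://hs2.example.internal:10000",
      "hive.user": {"value": "zeppelin"},
      "hive.proxy.user.property": {"value": "hive.server2.proxy.user"}}}
}
""")

# Assumption: accounts that commonly hold broad Hive/Ranger access on a cluster.
SERVICE_ACCOUNTS = {"hive", "zeppelin", "hdfs"}


def prop(props, key):
    """Return a property value; it may be stored as a string or as {"value": ...}."""
    raw = props.get(key)
    if isinstance(raw, dict):
        raw = raw.get("value")
    return (raw or "").strip()


def audit_jdbc(setting, prefix="hive"):
    """List reasons why Ranger would not see the notebook user for %jdbc(<prefix>)."""
    props = setting.get("properties", {})
    findings = []
    if prop(props, f"{prefix}.proxy.user.property"):
        return findings  # the end user's name is passed to HiveServer2
    user = prop(props, f"{prefix}.user") or "<unset>"
    findings.append(f"{prefix}.proxy.user.property is not set: every notebook "
                    f"user reaches Hive as '{user}'")
    if user in SERVICE_ACCOUNTS:
        findings.append(f"'{user}' is a service account; Ranger evaluates its "
                        f"policies, not the logged-in user's")
    return findings


if __name__ == "__main__":
    for name, setting in SAMPLE_SETTINGS.items():
        print(name, audit_jdbc(setting) or "OK")
```

An empty result only means the end user's name is forwarded; HiveServer2 and Hadoop must still allow the connecting account to proxy other users.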