Created 07-24-2018 11:48 AM
Hi All,
Ranger plugin is enabled for hive and policy is created in hive for a particular user to get access only on 2 databases.
When the same user logs in to Zeppelin notebook and executes show databases command he could see all databases.
Below 2 lines are executed in zeppelin notebook:
%jdbc(hive)
show databases
The user can see all databases and he can create new database too!!!
How can we enforce ranger policy for a user when zeppelin notebook is used?
Thanks a lot for your time.
Created 07-24-2018 02:50 PM
@Sriram So to summarize in order for impersonation to work in non-kerberized environment for zeppelin jdbc (hive) please follow the following steps:
No need to enable the global settings; just follow the steps listed above with the defaults. I just tested this in my environment and it is working fine.
HTH
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
Created 07-24-2018 01:33 PM
I could see below line:
If Kerberos is not enabled on the cluster, no additional configuration steps are required.
Hence, I believe default configuration should work properly but it is in conflict with hive user in jdbc connector.
Created 07-24-2018 01:34 PM
Also, hive.server2.enable.doAs is set to true.
Created 07-24-2018 08:41 PM
@Sriram Did it work? Please keep me posted 🙂
Created 07-25-2018 12:56 AM
@Felix Albani many, many thanks for your continuous support. I will keep you posted once the Ranger issue is resolved.
Thanks again.
Created 07-25-2018 02:10 PM
Thanks a lot @Felix Albani...you solved my issue.
Created 07-25-2018 01:12 AM
@Felix Albani...Yes your help is valuable and it worked but with one final question.
Do I need to modify credentials for each and every user? How to make it generic for all users at one go?
I am forced to modify credentials for testuser2.
Created 07-25-2018 10:54 AM
I could see below lines from Zeppelin documentation.
%jdbc section of the Interpreter page. hive.proxy.user.property property and set its value to hive.server2.proxy.user.
I believe above should be sufficient enough.
As of now, because of some issues, we disabled the Ranger plugin and need to test it after 1-2 days, once the Ranger plugin is enabled again.
I could not see any job being executed with Zeppelin user login ID even after adding above property.
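An added example, not part of the thread and not Zeppelin's own code: a small check over an interpreter.json-style config that confirms the property quoted above is set under the prefix the notebook actually uses (`%jdbc(hive)` selects the `hive.*` keys). The sample config, host name, setting id and finding codes are constructed for illustration.

```python
import json

# Constructed sample shaped like Zeppelin's conf/interpreter.json (values are
# illustrative). The proxy property sits under "default", not "hive".
SAMPLE = json.loads("""
{"interpreterSettings": {"jdbc-1": {"name": "jdbc", "properties": {
  "hive.url":  {"name": "hive.url",  "value": "jdbc:hive2://hs2.example.internal:10000"},
  "hive.user": {"name": "hive.user", "value": "hive"},
  "default.proxy.user.property": {"name": "default.proxy.user.property",
                                  "value": "hive.server2.proxy.user"}
}}}}
""")

SUFFIX = ".proxy.user.property"

def _value(prop):
    """Accept a property stored as a plain string or as an object with a 'value' field."""
    return prop.get("value") if isinstance(prop, dict) else prop

def audit_jdbc_prefix(config, prefix="hive", expected="hive.server2.proxy.user"):
    """Return (code, detail) findings for the connection used by %jdbc(<prefix>)."""
    findings = []
    for setting in config.get("interpreterSettings", {}).values():
        if setting.get("name") != "jdbc":
            continue  # only the JDBC interpreter carries these prefixed keys
        props = {k: _value(v) for k, v in setting.get("properties", {}).items()}
        proxy = props.get(prefix + SUFFIX)
        if not proxy:
            # Without the proxy property, HiveServer2 (and Ranger) see only the shared account.
            shared = props.get(prefix + ".user") or "<unset>"
            findings.append(("MISSING_PROXY_PROPERTY",
                             f"{prefix}{SUFFIX} not set; connections use {prefix}.user={shared}"))
            others = sorted(k for k in props if k.endswith(SUFFIX))
            if others:  # set, but under a prefix this notebook paragraph does not read
                findings.append(("PROXY_PROPERTY_ON_OTHER_PREFIX", ", ".join(others)))
        elif proxy != expected:
            findings.append(("UNEXPECTED_PROXY_VALUE", f"{proxy!r}, expected {expected!r}"))
    return findings

if __name__ == "__main__":
    for code, detail in audit_jdbc_prefix(SAMPLE):
        print(f"{code}: {detail}")
```

An empty result only shows the interpreter is configured to pass the notebook user; whether policies are then enforced for that user is confirmed in the Ranger audit log for the Hive service.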