Created 07-24-2018 11:48 AM
Hi All,
Ranger plugin is enabled for hive and a policy is created in hive for a particular user to get access only to 2 databases.
When the same user logs in to Zeppelin notebook and executes show databases command he could see all databases.
Below 2 lines are executed in zeppelin notebook:
%jdbc(hive)
show databases
The user can see all databases and he can create new database too!!!
How can we enforce ranger policy for a user when zeppelin notebook is used?
Thanks a lot for your time.
Created 07-24-2018 02:50 PM
@Sriram So to summarize in order for impersonation to work in non-kerberized environment for zeppelin jdbc (hive) please follow the following steps:
No need to enable the global settings, just with the defaults follow the steps listed above. I just tested this in my environment and it is working fine.
HTH
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
Created 07-24-2018 11:57 AM
Unless you have configured impersonation for the jdbc interpreter, all access for all users to hive using the zeppelin jdbc interpreter will be performed as user zeppelin.
Therefore, please make sure your zeppelin jdbc interpreter is configured for impersonation:
HTH
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
Created on 07-24-2018 12:51 PM - edited 08-17-2019 11:11 PM
If there is no policy for the zeppelin user or the public group (to which zeppelin usually belongs), then I suggest you check which policy id is granting the access. You can check this in the Ranger Admin UI Access tab as seen in the next image:
If you click on the policy id shown above it will provide more details on the access. This way you will know why the access is being granted to the zeppelin user.
The above will show only if ranger plugin is correctly configured for hive. If you don't see any entries then check hiveserver2 logs and double check the hive ranger plugin is properly configured.
HTH
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
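As an added example (not part of this thread or of Ranger's own tooling), the script below applies the advice above offline: it reads Ranger Hive audit records in their JSON form, lists which policy id allowed each request per requesting user, and flags allowed requests whose requesting user is a service account (here assumed to be hive or zeppelin), which is the symptom of the end user's identity never reaching HiveServer2. The field names (reqUser, policy, result, access, resource, cliIP) follow the Ranger audit schema; the sample lines and their values are constructed for this example.

```python
"""Summarise Ranger Hive audit records: which identity reached HiveServer2
and which policy id allowed the request (added example, constructed data)."""
import json
from collections import defaultdict

# Constructed sample records in the shape of Ranger's JSON audit log.
# Field names follow the Ranger audit schema; values are made up.
SAMPLE_AUDIT = """\
{"repoType":3,"repo":"cl1_hive","reqUser":"analyst1","evtTime":"2018-07-24 11:40:02.101","access":"USE","resource":"sales","resType":"@database","action":"_any","result":1,"policy":12,"enforcer":"ranger-acl","cliType":"HIVESERVER2","cliIP":"10.0.0.21"}
{"repoType":3,"repo":"cl1_hive","reqUser":"analyst1","evtTime":"2018-07-24 11:40:05.388","access":"USE","resource":"finance","resType":"@database","action":"_any","result":0,"policy":-1,"enforcer":"ranger-acl","cliType":"HIVESERVER2","cliIP":"10.0.0.21"}
{"repoType":3,"repo":"cl1_hive","reqUser":"hive","evtTime":"2018-07-24 11:45:10.004","access":"USE","resource":"finance","resType":"@database","action":"_any","result":1,"policy":3,"enforcer":"ranger-acl","cliType":"HIVESERVER2","cliIP":"10.0.0.40"}
{"repoType":3,"repo":"cl1_hive","reqUser":"hive","evtTime":"2018-07-24 11:45:12.771","access":"CREATE","resource":"newdb","resType":"@database","action":"create","result":1,"policy":3,"enforcer":"ranger-acl","cliType":"HIVESERVER2","cliIP":"10.0.0.40"}
"""

# Assumption: these are the service accounts that should never be the
# effective identity of an interactive notebook query.
SERVICE_ACCOUNTS = {"hive", "zeppelin"}


def parse_audit(text):
    """Parse one JSON audit record per line, skipping blank lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def grants_by_user(records):
    """Map reqUser -> {policy id -> sorted (access, resource) pairs} for allowed requests.

    Denied requests (result 0, policy -1) are left out, so every policy id
    listed is one that actually granted access and is worth opening in the
    Ranger Admin UI."""
    out = defaultdict(lambda: defaultdict(set))
    for r in records:
        if r.get("result") == 1:
            out[r["reqUser"]][r["policy"]].add((r["access"], r["resource"]))
    return {u: {p: sorted(v) for p, v in pols.items()} for u, pols in out.items()}


def service_account_hits(records):
    """Allowed requests whose effective identity is a service account, i.e. the
    end user's identity did not reach HiveServer2 (impersonation not in effect)."""
    return [(r["reqUser"], r["policy"], r["access"], r["resource"], r["cliIP"])
            for r in records
            if r["reqUser"] in SERVICE_ACCOUNTS and r.get("result") == 1]


def report(text):
    """Print the per-user policy summary and any service-account hits."""
    records = parse_audit(text)
    for user, pols in grants_by_user(records).items():
        for policy_id, items in pols.items():
            print(f"{user}: policy {policy_id} allowed {items}")
    for hit in service_account_hits(records):
        print("service account reached HiveServer2:", hit)


if __name__ == "__main__":
    report(SAMPLE_AUDIT)
```

Run it against the real audit output (the Ranger audit tab exports, or the JSON lines the hive plugin writes) instead of SAMPLE_AUDIT; if every notebook query shows up under hive or zeppelin rather than the logged-in user, the interpreter is not impersonating and the end user's Ranger policy is never evaluated.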
Created 07-24-2018 01:25 PM
So based on the zeppelin configuration for jdbc interpreter I see you are using hive user (this explains why you can see all databases and have full access).
Please review the documentation on how to configure the zeppelin jdbc interpreter for impersonation as I mentioned above; you can also check this documentation:
HTH
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
Created 07-24-2018 02:35 PM
@Sriram Actually for non kerberos here are the instructions to setup user impersonation:
HTH
*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
Created 07-24-2018 12:33 PM
@Felix Albani,
In case impersonation is not enabled, then I don't have any policy in place for the zeppelin user.
How can this happen when there is no policy?
Created 07-24-2018 01:04 PM
Hi Felix,
Thanks for prompt response.
I could see no policy which gives Zeppelin user complete permissions.
Here is the snippet of the policies.
Also, I am not sure how to check whether the hive plugin is enabled properly or not.
Note: Policies are applied when checked against HS2 using beeline but the same policy is not applied while using Zeppelin notebook.
Thanks for your time on this.
Created 07-24-2018 01:07 PM
@Sriram Could you share a screenshot of the zeppelin jdbc (hive) interpreter configuration? Also, if you can tail the hiveserver2 log to which zeppelin is configured to connect and check what is happening (which user is used and if there are any ranger issues), that would be helpful.
Created 07-24-2018 01:17 PM
Created 07-24-2018 01:30 PM
Sorry for asking you this without checking the link you provided (I am doing it now) 😞
In my case, Kerberos is not enabled.
How to change the user name from hive to the user name of the logged-in user?
You are correct, hive user has got full permissions and hence policy is not applied.