Ranger policy not enforced in Zeppelin notebook - Using %jdbc(hive) displays all databases and tables.

Contributor

Hi All,

Ranger plugin is enabled for hive and policy is created in hive for a particular user to get access only on 2 databases.

When the same user logs in to Zeppelin notebook and executes show databases command he could see all databases.

Below 2 lines are executed in zeppelin notebook:

%jdbc(hive)

show databases

The user can see all databases and he can create new database too!!!

How can we enforce ranger policy for a user when zeppelin notebook is used?

Thanks a lot for your time.

1 ACCEPTED SOLUTION


@Sriram So, to summarize: in order for impersonation to work in a non-kerberized environment for Zeppelin jdbc (hive), please follow these steps:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

No need to enable the global settings; just with the defaults, follow the steps listed above. I just tested this in my environment and it is working fine.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

17 REPLIES

Contributor

I could see the line below:

If Kerberos is not enabled on the cluster, no additional configuration steps are required.

Hence, I believe default configuration should work properly but it is in conflict with hive user in jdbc connector.

Contributor

Also, hive.server2.enable.doAs is set to true.

@Sriram Did it work? Please keep me posted 🙂

Contributor

@Felix Albani many, many thanks for your continuous support. I will keep you posted once the Ranger issue is resolved.

Thanks again.

Contributor

Thanks a lot @Felix Albani...you solved my issue.

Contributor

@Felix Albani...Yes your help is valuable and it worked but with one final question.

Do I need to modify credentials for each and every user? How to make it generic for all users at one go?

I am forced to modify credentials for testuser2.

Contributor

@Felix Albani

I could see the lines below in the Zeppelin documentation.

  1. In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.
  2. Click edit, then add a hive.proxy.user.property property and set its value to hive.server2.proxy.user.
  3. Click Save, then click restart to restart the JDBC interpreter.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_zeppelin-component-guide/content/config-...

I believe the above should be sufficient.

As of now, because of some issues, we disabled the Ranger plugin and need to test it after 1-2 days, once the Ranger plugin is enabled.

I could not see any job being executed with Zeppelin user login ID even after adding above property.
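
An added example, not part of the thread and not Zeppelin's own code: it checks a saved interpreter configuration for the `hive.proxy.user.property` setting from the documentation steps quoted above and shows the hive2 URL form that carries the logged-in user to HiveServer2, which is the identity Ranger then evaluates. The JSON layout, host name, setting ids and function names are assumptions constructed for illustration.

```python
import json

EXPECTED = "hive.server2.proxy.user"  # value given in step 2 of the quoted documentation

# Constructed sample. Assumed layout: interpreterSettings -> <id> -> group/properties.
SAMPLE = json.dumps({
    "interpreterSettings": {
        "jdbc-ok": {"group": "jdbc", "properties": {
            "hive.url": {"value": "jdbc:hive2://hs2.example:10000/default?hive.exec.parallel=true"},
            "hive.user": {"value": "hive"},
            "hive.proxy.user.property": {"value": "hive.server2.proxy.user"}}},
        "jdbc-missing": {"group": "jdbc", "properties": {
            "hive.url": "jdbc:hive2://hs2.example:10000/",
            "hive.user": "hive"}},
    }
})

def _value(prop):
    """Accept property values stored as plain strings or as objects with a 'value' key."""
    return prop.get("value") if isinstance(prop, dict) else prop

def proxied_url(url, proxy_property, end_user):
    """Put the proxy-user session variable before any '?hive_conf' part of a hive2 URL."""
    base, sep, conf = url.partition("?")
    return f"{base.rstrip(';')};{proxy_property}={end_user}{sep}{conf}"

def audit(config_text, end_user, prefix="hive"):
    """Return {setting_id: (status, detail)} for every jdbc-group interpreter setting."""
    results = {}
    settings = json.loads(config_text).get("interpreterSettings", {})
    for sid, setting in settings.items():
        if setting.get("group") != "jdbc":
            continue
        props = {k: _value(v) for k, v in setting.get("properties", {}).items()}
        proxy = props.get(f"{prefix}.proxy.user.property")
        conn_user = props.get(f"{prefix}.user")
        if proxy is None:
            # No proxy property: only the shared connection user is presented to Hive.
            results[sid] = ("MISSING", f"queries connect to Hive as '{conn_user}'")
        elif proxy != EXPECTED:
            results[sid] = ("UNEXPECTED", f"proxy property is '{proxy}'")
        else:
            results[sid] = ("OK", proxied_url(props.get(f"{prefix}.url", ""), proxy, end_user))
    return results

if __name__ == "__main__":
    for sid, (status, detail) in audit(SAMPLE, "testuser2").items():
        print(f"{sid}: {status}: {detail}")
```
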