Ranger policy not enforced in Zeppelin notebook - Using %jdbc(hive) displays all databases and tables.

Contributor

Hi All,

Ranger plugin is enabled for hive and policy is created in hive for a particular user to get access only on 2 databases.

When the same user logs in to Zeppelin notebook and executes show databases command he could see all databases.

Below 2 lines are executed in zeppelin notebook:

%jdbc(hive)

show databases

The user can see all databases and he can create new database too!!!

How can we enforce ranger policy for a user when zeppelin notebook is used?

Thanks a lot for your time.

1 ACCEPTED SOLUTION

@Sriram So to summarize, in order for impersonation to work in a non-kerberized environment for zeppelin jdbc (hive), please follow these steps:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

No need to enable the global settings, just with the defaults follow the steps listed above. I just tested this in my environment and it is working fine.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

@Sriram

Unless you have configured impersonation for the jdbc interpreter, all access for all users to hive using the zeppelin jdbc interpreter will be performed as user zeppelin.

Therefore, please make sure your zeppelin jdbc interpreter is configured for impersonation:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

@Sriram

If there is no policy for the zeppelin user or the public group (to which zeppelin usually belongs), then I suggest you check which policy id is granting the access. You can check this in the Ranger Admin UI Access tab as seen in the next image:

83390-access-tab-ranger-admin-ui.png

If you click on the policy id shown above it will provide more details on the access. This way you will know why the access is being granted to the zeppelin user.

The above will show only if ranger plugin is correctly configured for hive. If you don't see any entries then check hiveserver2 logs and double check the hive ranger plugin is properly configured.

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.
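
The same check can be run over exported Ranger audit events instead of the Admin UI. This is an added example, not part of the original thread: it assumes audits are available as one JSON object per line carrying Ranger's `reqUser`, `cliIP`, `policy` and `result` fields, and the host address, policy ids and sample events are constructed.

```python
import json
from collections import Counter

# Accounts that should never be the effective user for notebook queries.
# Assumption: adjust to the service accounts used in your cluster.
SERVICE_ACCOUNTS = {"hive", "zeppelin"}

# Constructed sample of Ranger Hive audit events, one JSON object per line.
# 10.0.0.21 stands in for the Zeppelin host, 10.0.0.35 for a beeline client.
SAMPLE_AUDIT = """\
{"evtTime":"2018-07-10 09:14:02","reqUser":"hive","cliIP":"10.0.0.21","reqData":"show databases","result":1,"policy":1}
{"evtTime":"2018-07-10 09:15:40","reqUser":"hive","cliIP":"10.0.0.21","reqData":"create database scratch","result":1,"policy":1}
{"evtTime":"2018-07-10 09:20:11","reqUser":"testuser2","cliIP":"10.0.0.35","reqData":"select * from db1.t1","result":1,"policy":12}
{"evtTime":"2018-07-11 10:02:57","reqUser":"testuser2","cliIP":"10.0.0.21","reqData":"use db3","result":0,"policy":-1}
not-json garbage line
"""

def find_unimpersonated(lines, zeppelin_hosts, service_accounts=SERVICE_ACCOUNTS):
    """Return audit events sent from Zeppelin hosts that ran as a service account."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            evt = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if evt.get("cliIP") in zeppelin_hosts and evt.get("reqUser") in service_accounts:
            hits.append(evt)
    return hits

def summarize(hits):
    """Count allowed events per (user, policy id) so the granting policy stands out."""
    return Counter((e["reqUser"], e.get("policy")) for e in hits if e.get("result") == 1)

if __name__ == "__main__":
    hits = find_unimpersonated(SAMPLE_AUDIT.splitlines(), {"10.0.0.21"})
    for (user, policy), n in summarize(hits).items():
        print(f"{n} allowed request(s) from Zeppelin ran as '{user}' under policy {policy}")
```

Any hit means HiveServer2 evaluated the notebook query against the service account rather than the logged-in user, and the policy id in the summary is the one to open in Ranger Admin.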

@Sriram

So based on the zeppelin configuration for jdbc interpreter I see you are using hive user (this explains why you can see all databases and have full access).

Please review the documentation on how to configure zeppelin jdbc interpreter for impersonation as I mentioned above, you can also check this documentation:

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.0/bk_zeppelin-component-guide/content/config-...

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

@Sriram Actually for non kerberos here are the instructions to setup user impersonation:

https://community.hortonworks.com/articles/113228/how-to-enable-user-impersonation-for-jdbc-interpre...

HTH

*** If you found this answer addressed your question, please take a moment to login and click the "accept" link on the answer.

Contributor

@Felix Albani,

In case the impersonation is not enabled, I don't have any policy in place for the zeppelin user.

How can this happen when there is no policy?

Contributor

Hi Felix,

Thanks for prompt response.

I could see no policy which gives Zeppelin user complete permissions.

Here is the snippet of the policies.

rangerpolicy.jpg

Also, I am not sure on how to check hive plugin is enabled properly or not.

Note: Policies are applied when checked against HS2 using beeline but the same policy is not applied while using Zeppelin notebook.

Thanks for your time on this.

@Sriram Could you share a screenshot of the zeppelin jdbc (hive) interpreter configuration? Also if you can tail the hiveserver2 log to which the zeppelin is configured to connect and check what is happening (which is the user used and if there are any ranger issues) that would be helpful.

Contributor

@Felix, I believe jdbc interpreter configuration has to be changed and I am using default settings.

Here are the jdbc interpreter properties.

jdbc1.jpg

jdbc2.jpg

I did disable plugin again and I will post the errors when I enable again.

Please let me know if changes are to be made to jdbc interpreter?

Contributor

Sorry for asking you this without checking the link you provided (I am doing it now 😞)

In my case, Kerberos is not enabled.

How to change the user name from hive to the user name of the logged in user?

You are correct, hive user has got full permissions and hence policy is not applied.

Contributor

I could see below line:

If Kerberos is not enabled on the cluster, no additional configuration steps are required.

Hence, I believe default configuration should work properly but it is in conflict with hive user in jdbc connector.

Contributor

Also, hive.server2.enable.doAs is set to true.

@Sriram Did it work? Please keep me posted 🙂

Contributor

@Felix Albani many many thanks for your continuous support. I will keep you posted once the Ranger issue is resolved.

Thanks again.

Contributor

Thanks a lot @Felix Albani...you solved my issue.

Contributor

@Felix Albani...Yes your help is valuable and it worked but with one final question.

Do I need to modify credentials for each and every user? How to make it generic for all users at one go?

I am forced to modify credentials for testuser2.

zeppelinissue.jpg

Contributor

@Felix Albani

I could see below lines from Zeppelin documentation.

  1. In the Zeppelin UI, navigate to the %jdbc section of the Interpreter page.
  2. Click edit, then add a hive.proxy.user.property property and set its value to hive.server2.proxy.user.
  3. Click Save, then click restart to restart the JDBC interpreter.

https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.4/bk_zeppelin-component-guide/content/config-...

I believe above should be sufficient enough.

As of now, because of some issues, we disabled the Ranger plugin and need to test it after 1-2 days, once the ranger plugin is enabled again.

I could not see any job being executed with Zeppelin user login ID even after adding above property.