Use Hive policies as access to database and ignore HDFS permissions to database file

Super Collaborator

I use Ambari v2.1.1 and HDP 2.3. I would like to ask if it is possible to use Hive policies instead of HDFS policies to access a database in Hive. When I try to run a select on any table in the database, I receive the following error:

FAILED: SemanticException Unable to determine if hdfs://MY_CLUSTER/apps/hive/warehouse/db_name.db/table_name is encrypted: org.apache.hadoop.security.AccessControlException: Permission denied: user=my_user (not hive), access=EXECUTE, inode="/apps/hive/warehouse/db_name.db/table_name":hive:hdfs:drwx------

I set hive.server2.enable.doAs to false, so any user should be interpreted as hive (when accessing the database), but it is still interpreted as the user who makes the call. I would like users not to have access to the databases as files in HDFS (to prevent copying them, or for any other security reason); their access should be configured in Ranger Hive policies only.

Could somebody help me to configure that? Thank you in advance.

1 ACCEPTED SOLUTION

Master Mentor
@Edgar Daeds

The best practice is to stop using Hive CLI. For example: Ranger and Hive work with Beeline. Hive CLI does not work with Ranger Hive policies.


Expert Contributor

You are correct: setting hive.server2.enable.doAs = false should run Hive jobs as the 'hive' user or the owner of the Hive daemon. After you make this change, you will need to restart the Hive service. Steps:

http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

Some additional information: Do you have Ranger up and running? Are the Ranger HDFS and Hive plugins enabled?

Master Mentor
@Edgar Daeds

FAILED: SemanticException Unable to determine if hdfs://MY_CLUSTER/apps/hive/warehouse/db_name.db/table_name is encrypted:

Permission denied: user=my_user (not hive), access=EXECUTE, inode="/apps/hive/warehouse/db_name.db/table_name"

Do you have encryption in place?

my_user does not have x on that table.

https://community.hortonworks.com/articles/10367/apache-ranger-and-hive-column-level-security.html
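To see why the denial in this thread names `my_user` and why the mode bits reject it, here is an added example (not written by any participant in the thread) that parses the quoted `AccessControlException` line and evaluates the inode's owner, group and mode. It assumes the service account is `hive`, looks only at POSIX mode bits (no HDFS ACLs or Ranger HDFS policies), and takes the user's groups as a parameter; the function names are hypothetical.

```python
import re

# Error text as quoted in the question (placeholders such as my_user are the poster's).
SAMPLE = ('org.apache.hadoop.security.AccessControlException: Permission denied: '
          'user=my_user (not hive), access=EXECUTE, '
          'inode="/apps/hive/warehouse/db_name.db/table_name":hive:hdfs:drwx------')

DENIED = re.compile(
    r'Permission denied: user=(?P<user>[^,\s]+).*?access=(?P<access>[A-Z_]+), '
    r'inode="(?P<path>[^"]+)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[-dl][-rwxtT]{9})')

BITS = {"READ": "r", "WRITE": "w", "EXECUTE": "x", "NONE": ""}

def permission_class(user, user_groups, owner, group):
    """Pick the triad HDFS applies: owner first, then group, else other."""
    if user == owner:
        return "owner"
    return "group" if group in user_groups else "other"

def allowed(mode, cls, access):
    """True if the mode string (e.g. drwx------) grants `access` to class `cls`."""
    start = 1 + 3 * ("owner", "group", "other").index(cls)
    triad = mode[start:start + 3].replace("t", "x")  # 't' = sticky bit plus execute
    if access == "ALL":
        wanted = "rwx"
    else:
        wanted = "".join(BITS[a] for a in access.split("_"))
    return all(bit in triad for bit in wanted)

def explain(line, user_groups=(), service_user="hive"):
    """Parse one denial line and report which triad applied and why it failed."""
    m = DENIED.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["class"] = permission_class(d["user"], user_groups, d["owner"], d["group"])
    d["mode_allows"] = allowed(d["mode"], d["class"], d["access"])
    # With doAs=false, HiveServer2 touches HDFS as the service user. A denial
    # that names someone else means the client read HDFS under its own identity.
    d["ran_as_end_user"] = d["user"] != service_user
    return d

if __name__ == "__main__":
    for key, value in explain(SAMPLE).items():
        print(f"{key:16} {value}")
```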

Super Collaborator

Thank you guys for the answers.

The problem occurs when I use Hive CLI. If I use Beeline CLI, it works very well. So is it normal behavior, and should I stop using Hive?

Master Mentor
@Edgar Daeds

The best practice is to stop using Hive CLI. For example: Ranger and Hive work with Beeline. Hive CLI does not work with Ranger Hive policies.

Super Collaborator

Och, now I understand, thank you! And how about Hue, is it also using beeline?

Master Mentor

Super Collaborator

Thanks! I did not hear about Ambari views. I am going into it.

Master Mentor

@Edgar Daeds Please do accept the best answer to close this.