Use Hive policies as access to database and ignore HDFS permissions to database file

Super Collaborator

I use Ambari v2.1.1 and HDP 2.3. I would like to ask if there is a possibility to use Hive policies instead of HDFS policies to access a database in Hive. When I try to use select on any table in the database, I receive the following error:

FAILED: SemanticException Unable to determine if hdfs://MY_CLUSTER/apps/hive/warehouse/db_name.db/table_name is encrypted: org.apache.hadoop.security.AccessControlException: Permission denied: user=my_user (not hive), access=EXECUTE, inode="/apps/hive/warehouse/db_name.db/table_name":hive:hdfs:drwx------

I set hive.server2.enable.doAs to false, and any user should be interpreted as hive (when accessing the database), but it is still interpreted as the user who calls it. I would like users not to have access to databases as files in HDFS (to prevent copying them, or for any other security reason); their access should be configured in Ranger Hive policies only.

Could somebody help me to configure that? Thank you in advance.

1 ACCEPTED SOLUTION

Master Mentor
@Edgar Daeds

The best practice is to stop using Hive CLI. For example: Ranger and Hive work with Beeline. Hive CLI does not work with Ranger Hive policies.


9 REPLIES

Expert Contributor

You are correct there: setting hive.server2.enable.doAs = false should run Hive jobs as the 'hive' user or the owner of the Hive daemon. After you make this change, you will need to restart the Hive service. Steps:

http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

Some additional information: Do you have Ranger up and running? Are the Ranger HDFS and Hive plugins enabled?

Master Mentor
@Edgar Daeds

FAILED: SemanticException Unable to determine if hdfs://MY_CLUSTER/apps/hive/warehouse/db_name.db/table_name is encrypted:

Permission denied: user=my_user (not hive), access=EXECUTE, inode="/apps/hive/warehouse/db_name.db/table_name"

Do you have encryption in place?

my_user does not have x on that table

https://community.hortonworks.com/articles/10367/apache-ranger-and-hive-column-level-security.html

Super Collaborator

Thank you guys for the answers,

The problem occurs when I use Hive CLI. If I use Beeline CLI it works very well. So is it normal behavior and should I stop using Hive?

Master Mentor
@Edgar Daeds

The best practice is to stop using Hive CLI. For example: Ranger and Hive work with Beeline. Hive CLI does not work with Ranger Hive policies.

Super Collaborator

Oh, now I understand, thank you! And how about Hue, is it also using Beeline?

Master Mentor

Super Collaborator

Thanks! I did not hear about Ambari views. I am going into it.

Master Mentor

@Edgar Daeds Please do accept the best answer to close this
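
As an added example (not part of the original thread): a Python sketch that parses the HDFS denial message quoted in the question and flags warehouse paths touched by an end user instead of the hive service user, which is what a client going around HiveServer2 looks like, as Hive CLI did here. Apart from the first sample line, which is the error from the question, the sample lines, finding labels and function names are constructed for illustration.

```python
import re

WAREHOUSE = "/apps/hive/warehouse"   # warehouse path from the error in the question
SERVICE_USER = "hive"                # owner of the inode in that error

# Field layout of the HDFS "Permission denied" message quoted in the question.
DENIED = re.compile(
    r'Permission denied: user=(?P<user>[^\s,]+).*?access=(?P<access>[A-Z_]+), '
    r'inode="(?P<path>[^"]+)":(?P<owner>[^:]+):(?P<group>[^:]+):(?P<mode>[d-][rwxtT-]{9})'
)

def parse_denial(line):
    """Return the fields of an HDFS denial message as a dict, or None."""
    m = DENIED.search(line)
    return m.groupdict() if m else None

def in_warehouse(path):
    return path == WAREHOUSE or path.startswith(WAREHOUSE + "/")

def classify(line):
    """Label a denial on a warehouse path; None for anything else."""
    d = parse_denial(line)
    if d is None or not in_warehouse(d["path"]):
        return None
    # Locked down = owned by the service user, no group/other permission bits.
    locked = d["owner"] == SERVICE_USER and d["mode"][4:] == "------"
    if d["user"] == SERVICE_USER:
        d["finding"] = "service-user-denied"           # HiveServer2 itself cannot read
    elif locked:
        d["finding"] = "direct-hdfs-access-as-end-user"  # client bypassed HiveServer2
    else:
        d["finding"] = "warehouse-not-locked-down"     # group/other bits still set
    return d

# First line is the error from the question; the rest are constructed samples.
SAMPLE = [
    'org.apache.hadoop.security.AccessControlException: Permission denied: '
    'user=my_user (not hive), access=EXECUTE, '
    'inode="/apps/hive/warehouse/db_name.db/table_name":hive:hdfs:drwx------',
    'Permission denied: user=my_user, access=READ_EXECUTE, '
    'inode="/apps/hive/warehouse/other.db":hive:hdfs:drwxr-x---',
    'Permission denied: user=my_user, access=WRITE, '
    'inode="/user/someone_else":someone_else:hdfs:drwx------',
]

if __name__ == "__main__":
    for line in SAMPLE:
        hit = classify(line)
        if hit:
            print(hit["user"], hit["access"], hit["path"], "->", hit["finding"])
```
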