Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

While using Ranger authorization (through policies) for say, a Hive command, is the command's user's group determined through Ranger DB's x_group_users table or through Hadoop? What is the process of determining a user's group?

Solved Go to solution
Highlighted

While using Ranger authorization (through policies) for say, a Hive command, is the command's user's group determined through Ranger DB's x_group_users table or through Hadoop? What is the process of determining a user's group?

Contributor
1 ACCEPTED SOLUTION

Accepted Solutions

Re: While using Ranger authorization (through policies) for say, a Hive command, is the command's user's group determined through Ranger DB's x_group_users table or through Hadoop? What is the process of determining a user's group?

Groups stored in Ranger DB are used only for displaying in Ranger UI and at the time of policy authoring.

At run time, component (in your example Hive) should pass along the group information of the authenticated user to ranger plugin. Typically you can run "hdfs groups <user>" to find out what groups does the user belong to. Expectation is that Components will use the same source as Ranger to provide users/groups mapping.

3 REPLIES 3

Re: While using Ranger authorization (through policies) for say, a Hive command, is the command's user's group determined through Ranger DB's x_group_users table or through Hadoop? What is the process of determining a user's group?

Groups stored in Ranger DB are used only for displaying in Ranger UI and at the time of policy authoring.

At run time, component (in your example Hive) should pass along the group information of the authenticated user to ranger plugin. Typically you can run "hdfs groups <user>" to find out what groups does the user belong to. Expectation is that Components will use the same source as Ranger to provide users/groups mapping.

Re: While using Ranger authorization (through policies) for say, a Hive command, is the command's user's group determined through Ranger DB's x_group_users table or through Hadoop? What is the process of determining a user's group?

Contributor

Thanks for the answer @vperiasamy. So if Ranger usersync source is AD, Hive would try and get user's groups info from AD and as far as I know, store the frequently used user's info in a cache? Also cache gets updated when AD is updated with the user's info?

Re: While using Ranger authorization (through policies) for say, a Hive command, is the command's user's group determined through Ranger DB's x_group_users table or through Hadoop? What is the process of determining a user's group?

Provided Hive also is configured to use AD to get the right groups.

Please see this -- http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/