Support Questions

Find answers, ask questions, and share your expertise

While using Ranger authorization (through policies) for say, a Hive command, is the command's user's group determined through Ranger DB's x_group_users table or through Hadoop? What is the process of determining a user's group?

avatar
Rising Star
1 ACCEPTED SOLUTION

avatar

Groups stored in Ranger DB are used only for displaying in Ranger UI and at the time of policy authoring.

At run time, component (in your example Hive) should pass along the group information of the authenticated user to ranger plugin. Typically you can run "hdfs groups <user>" to find out what groups does the user belong to. Expectation is that Components will use the same source as Ranger to provide users/groups mapping.

View solution in original post

3 REPLIES 3

avatar

Groups stored in Ranger DB are used only for displaying in Ranger UI and at the time of policy authoring.

At run time, component (in your example Hive) should pass along the group information of the authenticated user to ranger plugin. Typically you can run "hdfs groups <user>" to find out what groups does the user belong to. Expectation is that Components will use the same source as Ranger to provide users/groups mapping.

avatar
Rising Star

Thanks for the answer @vperiasamy. So if Ranger usersync source is AD, Hive would try and get user's groups info from AD and as far as I know, store the frequently used user's info in a cache? Also cache gets updated when AD is updated with the user's info?

avatar

Provided Hive also is configured to use AD to get the right groups.

Please see this -- http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/