Created a %hive interpreter with user impersonation enabled, and submitting queries gives this error:
user [anonymous] does not have [USE] privilege on [null]
Created %jdbc(hive) and submitting jobs, the user is able to access everything as the query is running with hive as the user (Ranger permissions are set for hive to access everything).
Please help me configure this so that the user logged in is able to access only those tables which it has access for in Ranger policies.
At this point I am not sure about how to fix this. But I will do some research on this.
I will check one article which seems to be good to start with: https://community.hortonworks.com/articles/93179/secured-access-to-hive-using-zeppelins-jdbchive-in....
Can you check if you have set "hive.server2.enable.doAs" to true? This will make sure that queries are executed as the end user instead of the hive user. Make sure that the user running the query has proper permissions to the hive warehouse directory (/apps/hive).
Assign the user access to these HDFS directories in ranger.
Also, in the jdbc interpreter remove these params if present (hive.user, hive.proxy.user.property).
Note: I did not try out your use case personally. It's worth giving it a try.
For hive.server2.enable.doAs, hive-interactive site has "Run as end user instead of Hive user=true"
When running the queries from beeline for the same user it works fine so permissions are correct.
The JDBC interpreter does not have any of the above parameters, although I tried with these as well.
It keeps taking user as anonymous if no default user is specified. And anonymous has no access.
In Zeppelin config: "zeppelin.anonymous.allowed=false" is also set.
Are you using the hive interactive url or the hive server2 url from zeppelin? Please check the hive.url param in the interpreter settings.
If you are using hive server2, then you should set "Run as end user instead of Hive user=true" for hiveserver2 and not in hive-interactive.
Hive -> Config -> Settings -> Security.
Should this line be commented or not?
#/api/version = anon
What is this exactly doing?
The problem is that the requests are getting submitted as anonymous irrespective of keeping the user impersonation option checked or unchecked. It's an Access Control Exception.
Details of shiro_ini_content
# This section is used for url-based security.
# You can secure interpreter, configuration and credential information by urls. Comment or uncomment the below urls that you want to hide.
# anon means the access is anonymous.
# authc means Form based Auth Security
# To enforce security, comment the line below and uncomment the next one
#/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/api/configurations/** = authc, roles[admin]
#/api/credential/** = authc, roles[admin]
#/** = anon
#/** = authc
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
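
On the question of what the `/api/version = anon` line does, this added example (not part of the thread or of Zeppelin's code) resolves which filter chain applies to a request path under the posted rules, using Shiro's first-match ordering for the urls section. The `[urls]` header, the simplified Ant-style matcher and the helper names are assumptions made for illustration.

```python
import re

# Constructed input: rule lines copied from the shiro.ini posted above. The
# [urls] header is assumed, since the post shows only the section body.
SHIRO_INI = """[urls]
#/api/version = anon
#/api/interpreter/** = authc, roles[admin]
#/** = anon
/api/configurations/** = authc, roles[admin]
/api/credential/** = authc, roles[admin]
/** = authc
"""

def active_url_rules(ini_text):
    """Return [(pattern, [filters])] for uncommented [urls] lines, in file order."""
    rules, in_urls = [], False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_urls = line.lower() == "[urls]"
        elif in_urls and line and not line.startswith("#") and "=" in line:
            pattern, chain = line.split("=", 1)
            # Split the filter chain on commas that are not inside roles[...]
            filters = [f.strip() for f in re.split(r",(?![^\[]*\])", chain)]
            rules.append((pattern.strip(), filters))
    return rules

def _matches(pattern, path):
    # Simplified Ant-style match: "**" spans segments, "*" stays inside one.
    rx = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(rx, path) is not None

def chain_for(path, rules):
    """Shiro applies the first [urls] pattern that matches, so order matters."""
    for pattern, filters in rules:
        if _matches(pattern, path):
            return pattern, filters
    return None, []

def anonymous_paths(paths, rules):
    """Paths whose effective filter chain includes 'anon' (no login needed)."""
    return [p for p in paths if "anon" in chain_for(p, rules)[1]]

if __name__ == "__main__":
    rules = active_url_rules(SHIRO_INI)
    for p in ("/api/version", "/api/interpreter/setting", "/api/credential/x"):
        print(p, "->", chain_for(p, rules))
```

With the file as posted, no path resolves to `anon`, and `/api/interpreter/**` falls through to `/** = authc`, so any logged-in user reaches it without the admin role. Uncommenting `/api/version = anon` exempts only that one endpoint from login.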