
how to use hue hiveserver2 with ranger policy enabled?

New Contributor

I enabled the Ranger Hive plugin through the Ambari UI.

I can use Beeline to verify the Ranger policies, but when I use the Hive editor in Hue, I cannot access any Hive metadata, because Hue does not have a valid session. Could anyone help with this?

Here is the changed configuration:

<property>
        <name>hive.security.authorization.enabled</name>
        <value>true</value>
</property>
<property>
        <name>hive.security.authorization.manager</name>
        <value>org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory</value>
</property>
<property>
        <name>hive.security.authenticator.manager</name>
        <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
</property>
<property>
        <name>hive.conf.restricted.list</name>
        <value>hive.security.authorization.enabled,hive.security.authorization.manager,hive.security.authenticator.manager</value>
</property>

And here is the log from HiveServer2:

2018-06-04 17:13:15,607 WARN  [HiveServer2-Handler-Pool: Thread-60]: thrift.ThriftCLIService (ThriftCLIService.java:GetSchemas(535)) - Error getting schemas: 
org.apache.hive.service.cli.HiveSQLException: Invalid SessionHandle: SessionHandle [9208ca9c-875a-4d46-889b-e0865ef5289a]
        at org.apache.hive.service.cli.session.SessionManager.getSession(SessionManager.java:318)
        at org.apache.hive.service.cli.CLIService.getSchemas(CLIService.java:314)
        at org.apache.hive.service.cli.thrift.ThriftCLIService.GetSchemas(ThriftCLIService.java:530)
        at org.apache.hive.service.cli.thrift.TCLIService$Processor$GetSchemas.getResult(TCLIService.java:1377)
        at org.apache.hive.service.cli.thrift.TCLIService$Processor$GetSchemas.getResult(TCLIService.java:1362)
        at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
        at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
        at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)
        at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:285)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at java.lang.Thread.run(Thread.java:745)


2 REPLIES

Re: how to use hue hiveserver2 with ranger policy enabled?

Cloudera Employee

Go to the Ranger UI using an admin account. Then select the Audit tab and search for the denials caused by Hue. Check which user account is trying to get access.

Re: how to use hue hiveserver2 with ranger policy enabled?

New Contributor

Sorry, I forgot to mention that the audit log can only catch events from the Beeline connection, but not events from the Hue connection.
