Support Questions

Find answers, ask questions, and share your expertise
Check out our newest addition to the community, the Cloudera Data Analytics (CDA) group hub.

Who agreed with this topic

How to create Ranger Policy to automatically grant access to Hive table owner? HDP-2.5.6, Hive & Ranger

New Contributor

I have a database where all members of a group are allowed to create tables. When a user creates a table, only the creator should be allowed access to that table. I will create a new policy to allow other members of the group access to the new table after an approval business process.

HDP 2.6.5, Hive and Ranger (I cannot use Atlas and tag based policies at this time)

This policy allows members of the group to create tables, but the owner has no access after creating.

resources(database:testdb, table:*, column:*)
policyItems (accesses:create,groups:testgroup)

beeline as user1, a member of testgroup

0: jdbc:hive2://localhost:10000> use testdb;
No rows affected (2.509 seconds)

0: jdbc:hive2://localhost:10000> CREATE TABLE testtable (id STRING) ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' LOCATION '/hive/data/testtable';
No rows affected (0.669 seconds)

0: jdbc:hive2://localhost:10000> show tables;
|  tab_name  |
| testtable  |
1 row selected (1.029 seconds)

0: jdbc:hive2://localhost:10000> describe testtable;
Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user1] does not have [SELECT] privilege on[testdb/testtable/*] (state=42000,code=40000)

I tried adding a policy item using the {OWNER} variable but had the same result.

resources(database:testdb, table:*, column:*)
policyItems [(accesses:[select,update,drop,alter,index,lock,read,write] users:{OWNER}), (accesses:create, groups:testgroup)]
Who agreed with this topic