About benhadoop

benhadoop · ‎07-31-2018

Did you authenticate using Keytabs or using a password-based kinit? Could you please send the result of "klist" and "klist -kte <keytab-file>"

benhadoop · ‎03-16-2018

Hi @Jinyu Li your issue is likely produced by Hive Permission Inheritance. After creating the tables, the Sqoop app tries to change the owner/mode of the created HDFS files. Ranger permissions (even rwx) do not give rights to change POSIX owner/mode, which is why the operation fails. Such failure is classified as "EXECUTE" action by Ranger. You can find more details in the HDFS Audit log, stored locally on the NameNode. Solution: Could you please try to set "hive.warehouse.subdir.inherit.perms" to false and re-run the job? This stops Hive Imports from trying to set permissions, which is fine when Ranger is the primary source of authorization. see https://cwiki.apache.org/confluence/display/Hive/Permission+Inheritance+in+Hive for more details. Best, Benjamin

benhadoop · ‎05-03-2017

@Adi Jabkowsky This did the trick! Thank you. Now it works.

benhadoop · ‎05-03-2017

I am having the same issues after upgrading from Ambari 2.4.0.1 to Ambari 2.5.0.3: The CapSched View is effectively unusable, as no Admin can access it anymore.

benhadoop · ‎04-04-2017

Thank you for that answer. I was not sure, if there are any specialities, as Hive did some custom checks for read/write rights until: https://issues.apache.org/jira/browse/HIVE-7583 and https://issues.apache.org/jira/browse/HDFS-6570

benhadoop · ‎03-29-2017

Thank you! This answers the second question.

benhadoop · ‎03-29-2017

Hi community, I have a question about authorization for the Hive Metastore (not the HiveServer2). Cluster is HDP 2.5 and Kerberos is set up. The Apache community recommends to use a StorageBasedAuthorizationProvider. I understand, how it gets the ACLs from the underlying filesystem. In my situation, I have Ranger set up and want to handle most of authorization there - effectively making Hadoop native permissions unused (for instance by setting the to 000 on the Hive directories). The question now is: - When using the StorageBasedAuthorizationProvider: Will the Hive Metastore consider Ranger policies on HDFS warehouse directories in his decision, if a certain user can read/write to directory? Or do I have to use POSIX permissions or HDFS ACLs? - Is the a better way to realize Hive Metastore authorization (Maybe a custom authorization provider for HiveMetastore, that connects to Ranger and uses Ranger Policies for HiveServer2)? Thank you!

benhadoop · ‎03-29-2017

Just to sum it up: I have now chosen to place some regex in the auth-to-local rules to match exactly those hosts, which are used in a certain cluster. While this adds operations overhead, it will make the cluster more secure. The guys of Cloudera have a good summary about that in their documentation: https://www.cloudera.com/documentation/enterprise/5-9-x/topics/sg_auth_to_local_isolate.html

benhadoop · ‎03-28-2017

This is the answer I was hoping for. Thanks

benhadoop · ‎03-24-2017

Hi @spotluri This is also a great idea, if splitting REALMs is not feasible.

Online	Offline
Last Visited	‎09-02-2019 06:07 AM

Member Since	‎12-14-2015 11:46 PM
Last Visited	‎09-02-2019 06:07 AM
Posts	89
Kudos received	7

Cloudera Community

Re: spark-submit still pointing to Spark-version a...

Re: CM interface to see exact settings

Re: Fair Share Preemption for undeclared (user) qu...

Re: Oozie not passing Ambari Service checks -> YAR...

Re: Ranger for YARN RM: Not using group membership

Re: GSSException: Failure unspecified at GSS-API l...

Re: yarn can read/write to hdfs, but cannot execut...

Re: Permissions problem in Capacity Scheduler view...

Re: Permissions problem in Capacity Scheduler view...

Re: Hive Metastore Authorization and how it is con...

Re: Hive Metastore Authorization and how it is con...

Hive Metastore Authorization and how it is connect...

Re: Possibility to use Principals across clusters

Re: Secure Ambari Infra (SolR) using Ranger Author...

Re: Possibility to use Principals across clusters