Larry, you are correct. If it is not going via HiveServer2, then Hive policies 
will not be enforced. In this case HDFS policies need to be configured.

I was assuming James had configured Knox to use JDBC/HiveServer2, which I feel 
should be the correct thing to do.

Bosco


On 8/15/17, 3:50 PM, "Larry McCay" <[email protected]> wrote:

    Hive access via WebHCat - via Java, Pig or whatever - is probably not going
    to be protected by the same policies that are set for HiveServer2 access.
    The JDBC enforcement point is inside the HS2 server and the WebHCat
    enforcement point must be closer to the actual resource.
    
    @Bosco, please correct me if I am wrong.
    
    > On Aug 15, 2017, at 6:45 PM, Don Bosco Durai <[email protected]> wrote:
    > 
    > If you are using Knox, then it is just a pass through to connect to
    > HiveServer2 via JDBC. So the policies should just work the same way as
    > you will be connecting via beeline or any other JDBC client.
    > 
    > The best way to validate is to see how Ranger is allowing it. You can
    > check Ranger Audit logs and it will tell you which policy allowed and
    > for which user.
    > 
    > Bosco
    > 
    > 
    > On 8/15/17, 2:45 PM, "James Srinivasan" <[email protected]> wrote:
    > 
    >    Does Ranger support the same fine grained access control when Hive is
    >    accessed via JDBC versus when Hive is accessed via Knox/WebHCat? Our
    >    experience is that it works fine in the former case, but in the latter
    >    case the fine grained access control set in our Hive policies seems to
    >    be ignored.
    > 
    >    Many thanks
    > 
    > 
    > 
    
    


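Added example, not part of the original thread: a sketch of the audit-log check suggested above, listing which policy allowed each user and flagging reads of Hive warehouse files that were authorized outside the Hive service. The field names are assumed to follow Ranger's JSON audit layout; the repo names, users, paths and policy ids are constructed sample values.

```python
import json
from collections import defaultdict

# Constructed audit records, one JSON object per line. Field names are assumed
# to follow Ranger's JSON audit layout; repo names, users and paths are made up.
SAMPLE_AUDIT = """\
{"repo":"cl1_hive","reqUser":"james","access":"SELECT","resource":"sales/orders/amount","result":1,"policy":12,"enforcer":"ranger-acl"}
{"repo":"cl1_hive","reqUser":"james","access":"SELECT","resource":"sales/orders/card_no","result":0,"policy":12,"enforcer":"ranger-acl"}
{"repo":"cl1_hadoop","reqUser":"james","access":"READ","resource":"/apps/hive/warehouse/sales.db/orders/part-0","result":1,"policy":-1,"enforcer":"hadoop-acl"}
{"repo":"cl1_hadoop","reqUser":"pat","access":"READ","resource":"/tmp/scratch","result":1,"policy":3,"enforcer":"ranger-acl"}
"""

HIVE_REPO = "cl1_hive"               # hypothetical Hive service name in Ranger
WAREHOUSE = "/apps/hive/warehouse/"  # assumed Hive warehouse root on HDFS


def parse(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def allowing_policies(records):
    """Map each user to the (repo, policy id, enforcer) triples that allowed access."""
    allowed = defaultdict(set)
    for r in records:
        if r["result"] == 1:  # 1 = allowed, 0 = denied (assumed encoding)
            allowed[r["reqUser"]].add((r["repo"], r["policy"], r["enforcer"]))
    return dict(allowed)


def warehouse_reads_outside_hive(records, hive_repo=HIVE_REPO, warehouse=WAREHOUSE):
    """Allowed accesses to warehouse files that were authorized by a service
    other than Hive, so Hive table/column policies were never consulted."""
    return [
        (r["reqUser"], r["resource"], r["enforcer"], r["policy"])
        for r in records
        if r["result"] == 1
        and r["repo"] != hive_repo
        and r["resource"].startswith(warehouse)
    ]


if __name__ == "__main__":
    records = parse(SAMPLE_AUDIT)
    for user, triples in sorted(allowing_policies(records).items()):
        print(user, sorted(triples))
    for hit in warehouse_reads_outside_hive(records):
        print("not covered by Hive policies:", hit)
```

In the sample, the third record is the WebHCat-style case: the column-level deny in the Hive service is never evaluated because the data file is read directly and only the HDFS-side decision is recorded.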