Hi Markus,

At the time of access evaluation, the Ranger plugin does not figure out the group membership of the accessing user by itself; it depends on Hive to provide the groups of the accessing user. Could you please check if group membership is correctly resolved by Hive before Ranger is called to authorize access?

Thanks!
Abhay

On Mon, Mar 23, 2020 at 4:49 AM <markus.gier...@fiduciagad.de> wrote:

> Hi!
>
> I have the problem that a user can't connect to a hive database because of a missing USE permission. The user is a member of a group in an organisation unit X. The cluster itself is in the ou Cluster_X and in Cluster_X I have a group where the group of organisation unit X is a member of.
>
> Nested groups are activated in Ranger and I see the user as a member of the Cluster_X group. Cluster_group has select and read permissions on hive defined in a policy. On hdfs level the data can be seen.
>
> But when the user connects via hive shell and tries to use a database I get
>
> Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [testuser] does not have [USE] privilege on [refined] (state=42000,code=40000)
>
> So how can I set the USE privilege? There must be a difference between adding the user to Cluster_X group instead of using nested groups.
>
> The Software Stack is HDP 3.1
>
> *(See attached file: denied.jpg)*
>
> Best Regards and stay healthy.
>
> Markus
>
> Fiducia & GAD IT AG | *www.fiduciagad.de* <http://www.fiduciagad.de/>
> Frankfurt a. M. Local Court, HRB 102381 | Registered office: Frankfurt a. M. | VAT ID No. DE 143582320
> Executive Board: Martin Beyer (Spokesman), Birgit Frohnhoff, Jörg Staff
> Chairman of the Supervisory Board: Jürgen Brinkmann
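
A simplified model of the point made in the reply, as an added example that is not part of the original thread and is not Ranger or Hive code: the authorizer decides only on the groups the caller passes in, so a nested membership that the caller does not resolve leads to a denial. The group name `ou_x_group`, the policy table and all function names are constructed for illustration.

```python
# Simplified model (not Ranger or Hive code): the authorizer only sees the
# groups the caller hands it, as described in the reply above.

# Constructed directory data: group -> parent groups it is nested in.
NESTED_IN = {
    "ou_x_group": {"Cluster_X"},   # hypothetical name for the OU X group
    "Cluster_X": set(),
}
# Constructed direct memberships: user -> groups the user is directly in.
DIRECT = {"testuser": {"ou_x_group"}}

# Constructed policy: database -> groups that hold a privilege on it.
POLICY = {"refined": {"Cluster_X"}}


def direct_groups(user):
    """Groups as a resolver without nested-group support would return them."""
    return set(DIRECT.get(user, ()))


def effective_groups(user):
    """Transitive closure over nesting; the seen set guards against cycles."""
    seen, stack = set(), list(DIRECT.get(user, ()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(NESTED_IN.get(group, ()))
    return seen


def authorize(groups_from_caller, database):
    """Allow only if a caller-supplied group appears in the policy."""
    return bool(groups_from_caller & POLICY.get(database, set()))


def diagnose(user, database):
    """Compare both resolutions to show where the membership is lost."""
    flat, nested = direct_groups(user), effective_groups(user)
    return {
        "allowed_with_direct_groups": authorize(flat, database),
        "allowed_with_nested_groups": authorize(nested, database),
        "groups_missing_from_caller": sorted(nested - flat),
    }


if __name__ == "__main__":
    print(diagnose("testuser", "refined"))
```

A non-empty `groups_missing_from_caller` is the signal to look at group resolution on the calling side rather than at the policy itself.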