Yes, if you are using Ranger, then you have to set appropriate permissions on Ranger. It helps in plugging any backdoor loopholes.

I am also assuming you are using beeline client or JDBC. One more thing, we recommend hive.server2.enable.doAs=false.

Thanks

Bosco

From: Hanish Bansal <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, March 31, 2015 at 4:35 AM
To: "[email protected]" <[email protected]>
Subject: Hive admin user behavior

> Hi All,
>
> When deploying hive, I have defined the below configuration for hiveserver2 in
> the configuration file "hive-site.xml":
>
> <property>
>   <name>hive.server2.enable.doAs</name>
>   <value>true</value>
> </property>
> <property>
>   <name>hive.users.in.admin.role</name>
>   <value>hanish</value>
> </property>
>
> <property>
>   <name>hive.security.authorization.manager</name>
>   <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
> </property>
> <property>
>   <name>hive.security.authorization.enabled</name>
>   <value>true</value>
> </property>
> <property>
>   <name>hive.security.authenticator.manager</name>
>   <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
> </property>
>
> <property>
>   <name>hive.security.authorization.enabled</name>
>   <value>true</value>
> </property>
>
> I have added the "hanish" user to the admin user list (property
> hive.users.in.admin.role), so it should be able to fetch the schema of all tables.
> But I am getting a permission denied error.
>
> I want to define one user as admin user who can fetch the schema of all tables. If
> I give admin permissions or select permissions from the Ranger UI to a user for
> databases=* and tables=*, then it's working fine and that user is able to
> fetch the schema for all tables. But as per the hive configuration, if a user is
> defined as admin by mentioning "hive.users.in.admin.role", then that user is
> not behaving as admin.
>
> Please let me know the expected behavior.
>
> Does Ranger override the behavior of the hive property "hive.users.in.admin.role"?
>
> -------
> Thanks & Regards,
> Hanish Bansal
> Software Engineer, iLabs
> Impetus Infotech Pvt. Ltd.
> (O) : +91.120.4092200-2790
> (M) : +91.9953399925
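
An added example, not part of the thread and not Hive or Ranger project code: a Python check that loads the quoted hive-site.xml properties and flags the points the reply raises (doAs left at true, an admin-role list that still needs a Ranger policy) plus the repeated property. The `review` function, its `ranger_enabled` parameter and the finding codes are hypothetical names, and the sample XML is constructed from the quoted properties.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the properties quoted in the thread, wrapped in the
# <configuration> root element used by hive-site.xml.
SAMPLE = """<configuration>
<property><name>hive.server2.enable.doAs</name><value>true</value></property>
<property><name>hive.users.in.admin.role</name><value>hanish</value></property>
<property><name>hive.security.authorization.manager</name>
  <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value></property>
<property><name>hive.security.authorization.enabled</name><value>true</value></property>
<property><name>hive.security.authenticator.manager</name>
  <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value></property>
<property><name>hive.security.authorization.enabled</name><value>true</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return {name: [values in file order]} so repeated definitions stay visible."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props.setdefault(name, []).append((prop.findtext("value") or "").strip())
    return props


def review(xml_text, ranger_enabled):
    """Return (code, property, detail) findings for the points raised in the thread."""
    # ranger_enabled is a hypothetical caller-supplied flag: the quoted
    # properties alone do not show whether the Ranger plugin is active.
    props = load_properties(xml_text)
    # Assumption: when a property is repeated, the last definition is in effect.
    effective = {name: values[-1] for name, values in props.items()}
    findings = []
    for name, values in props.items():
        if len(values) > 1:
            findings.append(("duplicate", name, f"defined {len(values)} times"))
    # HiveServer2 treats doAs as true when the property is absent.
    if effective.get("hive.server2.enable.doAs", "true").lower() == "true":
        findings.append(("doas-enabled", "hive.server2.enable.doAs",
                         "the reply recommends false"))
    raw_admins = effective.get("hive.users.in.admin.role", "")
    admins = [u.strip() for u in raw_admins.split(",") if u.strip()]
    if ranger_enabled and admins:
        findings.append(("admin-role-needs-ranger-policy", "hive.users.in.admin.role",
                         "grant in Ranger as well: " + ", ".join(admins)))
    return findings
```

Calling `review(SAMPLE, ranger_enabled=True)` returns the findings as a list of tuples in the order duplicate, doAs, admin role.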
