Thanks for Response Balaji !!
I would also like to know about value of property "hive.security.authorization.enabled". What is expected value of this according to Ranger: true or false ?? ------- Thanks & Regards, Hanish Bansal Software Engineer, iLabs Impetus Infotech Pvt. Ltd. (O) : +91.120.4092200-2790 (M) : +91.9953399925 ________________________________ From: Balaji Ganesan <[email protected]> Sent: Wednesday, April 1, 2015 8:02 PM To: [email protected] Subject: Re: Hive admin user behavior If the hive.server2.enable.doAs parameter is set to false, then the underlying jobs in HDFS are run as "hive" user. This is a better security model as the underlying HDFS file permissions can be set to be owned only by "hive" user and end user would not be able to access files directly without going through Hiveserver2 On Wed, Apr 1, 2015 at 2:19 AM, Hanish Bansal <[email protected]<mailto:[email protected]>> wrote: Yes I am using beeline client for testing purpose and hiveserver2 jdbc client. Still I have confusion about "hive.server2.enable.doAs" property- As per wiki documentation (https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2): By default HiveServer2 performs the query processing as the user who submitted the query. But if the following parameter is set to false, the query will run as the user that the hiveserver2 process runs as. hive.server2.enable.doAs – Impersonate the connected user, default true. As per my understanding if this property is set to false, all queries will run as the user who started hiveserver2 process. so we should set "true" value for this property to run the query as user who submitted the query. Please let me know your thoughts on this. ------- Thanks & Regards, Hanish Bansal Software Engineer, iLabs Impetus Infotech Pvt. Ltd. (O) : +91.120.4092200<tel:%2B91.120.4092200>-2790 (M) : +91.9953399925<tel:%2B91.9953399925> ________________________________ From: Don Bosco Durai <[email protected]<mailto:[email protected]>> on behalf of Don Bosco Durai <[email protected]<mailto:[email protected]>> Sent: Tuesday, March 31, 2015 10:20 PM To: [email protected]<mailto:[email protected]> Subject: Re: Hive admin user behavior Yes, if you are using Ranger, then you have to set appropriate permissions on Ranger. It helps in plugging any backdoor loop holes. I am also assuming you are using beeline client or JDBC. One more thing, we recommend hive.server2.enable.doAs=false. Thanks Bosco From: Hanish Bansal <[email protected]<mailto:[email protected]>> Reply-To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Date: Tuesday, March 31, 2015 at 4:35 AM To: "[email protected]<mailto:[email protected]>" <[email protected]<mailto:[email protected]>> Subject: Hive admin user behavior Hi All, When deploying hive, I have defined below configuration for hiveserver2 in configuration file "hive-site.xml": <property> <name>hive.server2.enable.doAs</name> <value>true</value> </property> <property> <name>hive.users.in.admin.role</name> <value>hanish</value> </property> <property> <name>hive.security.authorization.manager</name> <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value> </property> <property> <name>hive.security.authorization.enabled</name> <value>true</value> </property> <property> <name>hive.security.authenticator.manager</name> <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value> </property> <property> <name>hive.security.authorization.enabled</name> <value>true</value> </property> I have added "hanish" user to admin user list (Property- hive.users.in.admin.role ) so it should be able to fetch schema of all tables. But i am getting permission denied error. I want one user to define as admin user who can fetch schema of all tables. If I give admin permissions or select permissions from ranger-UI to a user for databases=* and tables = * then its working fine and that user is able to fetch schema for all tables. But as per hive configurations if user is defined as admin by mentioning " hive.users.in.admin.role" then that user is not behaving as admin. Please let me know the expected behavior. Is Ranger overrides behavior of hive property " hive.users.in.admin.role" ?? ------- Thanks & Regards, Hanish Bansal Software Engineer, iLabs Impetus Infotech Pvt. Ltd. (O) : +91.120.4092200<tel:%2B91.120.4092200>-2790 (M) : +91.9953399925<tel:%2B91.9953399925> ________________________________ NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference. ________________________________ NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference. ________________________________ NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.
