Thanks in advance! It helps alot
2015-05-20 0:11 GMT+08:00, Madhan Neethiraj <[email protected]>: > > At the time of authorization, "groups for the user” information is > provided by Hadoop. To find the list of groups for user1, as Hadoop sees > it, execute the following command in HiveServer2 host: > > $ hdfs groups user1 > > > If Hadoop is configured to read user-group details from Unix, then you > need to add user1 to users group in Unix - for example with the command as > below: > > $ usermod --append --groups users user1 > > > Please note that it might take few minutes for UserGroupInformation cache > to see this update. Once cache is updated, “hdfs groups user1” should > include “users” group as well. After this, HiveServer2 authorization will > see user1 as part of users group. > > Hope this helps. > > Thanks, > Madhan > > On 5/18/15, 10:03 PM, "林家銘" <[email protected]> wrote: > >>Hi >> >>I am using the beeline and Ranger in HDP2.2 sandbox. >> >>My scenario is >>Firstly, I create a user "user1" in Ranger and join the user to a >>group says "users", which should be an unix group. >> >>Secondly, I disable all the policies and create one by myself, which >>is set to grant all privileges of database "xademo" to the group >>"users". >> >>Thirdly, I connect to Hiveserver2 by using beeline command as following >>!connect jdbc:hive2://sandbox_host:10000 user1 1qaz2wsx >>org.apache.hive.jdbc.HiveDriver >> >>Then, I execute the command "use xademo;" on beeline, but it says >>permission denied. >>Error: Error while compiling statement: FAILED: >>HiveAccessControlException Permission denied: user [user1] does not >>have [USE] privilege on [xademo(state=42000,code=40000) >> >>I think the problem is, hive impersonate as "user1", and the hadoop >>security library "UserGroupInfomation" doesn't know the groups "user1" >>have joined, so I always saw the debug log says the groups of user1 >>can't be found. >> >>Then what's the best practice of this integration(Ranger with >>Hiveserver2)? > >
