Exactly ! And I've checked the logs once again, but I can't see any groups mentioned. Does this reveal a special issue ?
Thanks, Loïc Loïc CHANEL Engineering student at TELECOM Nancy Trainee at Worldline - Villeurbanne 2015-07-24 16:23 GMT+02:00 Alok Lal <[email protected]>: > If the user groups couldn't be asserted, would I see a log indicating > that the user cannot be impersonated (like Knox prompts) ? > > Yes log should show the user and group info being sent to policy > engine. For authorizing. I presume you are using ranger 0.5 to connect > via beeline to a hiveserver2 instance. Right? (Not that these matter, > just to set context.) > > Thanks > > From: Loïc Chanel <[email protected]> > Reply-To: "[email protected]" < > [email protected]> > Date: Friday, July 24, 2015 at 12:53 AM > To: "[email protected]" <[email protected]> > Subject: Re: Hive server identity assertion > > Well, that's what I thought, but the command hdfs groups returns me a > group that I use for a policy giving access to a database, and as I get the > message "HiveAccessControlException Permission denied" when accessing this > database, I think Hive cannot assert the groups the user belongs to. > > I'm using Hive 0.14.0.2.2. > As the problem might come from this, I think it's important to mention > that the users are synchronized from a LDAP via SSSD. > > If the user groups couldn't be asserted, would I see a log indicating > that the user cannot be impersonated (like Knox prompts) ? > > Thanks, > > > Loïc > > Loïc CHANEL > Engineering student at TELECOM Nancy > Trainee at Worldline - Villeurbanne > > 2015-07-23 20:09 GMT+02:00 Don Bosco Durai <[email protected]>: > >> Hive uses the same core-site.xml settings as HDFS. So if the group >> mapping work in HDFS, then it should work in Hive also. >> >> And if the user and groups are in linux/unix, then it should have been >> support out of the box. >> >> What version of Hive are you using? (It shouldn’t matter) >> >> Thanks >> >> Bosco >> >> >> From: Loïc Chanel <[email protected]> >> Reply-To: "[email protected]" < >> [email protected]> >> Date: Thursday, July 23, 2015 at 3:10 AM >> To: "[email protected]" <[email protected]> >> Subject: Hive server identity assertion >> >> Hi all, >> >> As I am now exploring how Ranger works with Hive, I made some policies, >> but it seems that group policies are not enforced. >> Therefore, I was wondering how the Ranger plugin running on Hive was >> asserting the user's identity. >> >> I am even more surprised by the fact that I do not have any problem with >> Ranger plugin working on HDFS, which is running on the exact same node. >> >> In parallel, I know that Know plugin, for example, runs in a totally >> different way, but as it seems that, as does HBase, Hive does not provide >> with any user mapping function, I thought the identity would be asserted on >> the node Hive Server is running on, as if the user was a Unix one. >> >> Do someone as an idea about how the user groups can be founded by Hive >> Ranger plugin ? >> Thanks in advance, >> >> >> Loïc >> >> Loïc CHANEL >> Engineering student at TELECOM Nancy >> Trainee at Worldline - Villeurbanne >> >> >
