Sorry, I missed one thing -- you need to backport: HIVE-20344: PrivilegeSynchronizer for SBA might hit AccessControlException (Daniel Dai, reviewed by Vaibhav Gumashta)
--- Sungwoo On Wed, Sep 22, 2021 at 12:24 AM Sungwoo Park <glap...@gmail.com> wrote: > Actually we can run Hive 3.1.2 with Ranger! > > To run Hive 3.1.2 with Ranger 2.0.0, you could set: > > hive.security.authorization.enabled=true > > hive.security.authenticator.manager=org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator > > hive.security.authorization.manager=org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory > hive.privilege.synchronizer=true > > For Ranger 2.0.0, RangerHiveAuthorizerBase.getHivePolicyProvider() returns > null, so it is okay to set hive.privilege.synchronizer to true, and you > don't have to set up ZooKeeper. > > To run Hive 3.1.2 with Ranger 2.1.0 but without ZooKeeper, you need to set > hive.privilege.synchronizer to false because > RangerHiveAuthorizer.getHivePolicyProvider() returns > RangerHivePolicyProvider. If hive.privilege.synchronizer is set to true, > ZooKeeper should be running. > > So, with Ranger 2.0.0 or 2.1.0, you can run Hive 3.1.2 without ZooKeeper. > (Of course, you can run it with ZooKeeper, too.) It may take a while (like > a few seconds) for a new Ranger policy to be delivered to HiveServer2, but > this does not seem like an issue in practice. > > --- Sungwoo > > On Tue, Sep 21, 2021 at 6:50 PM Antoine DUBOIS <antoine.dub...@cc.in2p3.fr> > wrote: > >> Yes I can. >> You cannot use Ranger without having to configure an instance of >> zookeeper to run for unclear reasons. >> >> public void startPrivilegeSynchonizer(HiveConf hiveConf) throws Exception { >> >> PolicyProviderContainer policyContainer = new PolicyProviderContainer(); >> HiveAuthorizer authorizer = SessionState.get().getAuthorizerV2(); >> if (authorizer.getHivePolicyProvider() != null) { >> policyContainer.addAuthorizer(authorizer); >> } >> if (hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()) >> != null && >> >> hiveConf.get(MetastoreConf.ConfVars.PRE_EVENT_LISTENERS.getVarname()).contains( >> >> "org.apache.hadoop.hive.ql.security.authorization.AuthorizationPreEventListener") >> && >> >> hiveConf.get(MetastoreConf.ConfVars.HIVE_AUTHORIZATION_MANAGER.getVarname())!= >> null) { >> List<HiveMetastoreAuthorizationProvider> providers = >> HiveUtils.getMetaStoreAuthorizeProviderManagers( >> hiveConf, HiveConf.ConfVars.HIVE_METASTORE_AUTHORIZATION_MANAGER, >> SessionState.get().getAuthenticator()); >> for (HiveMetastoreAuthorizationProvider provider : providers) { >> if (provider.getHivePolicyProvider() != null) { >> policyContainer.addAuthorizationProvider(provider); >> } >> } >> } >> [...] >> >> if (policyContainer.size() > 0) { >> zKClientForPrivSync = startZookeeperClient(hiveConf); >> String rootNamespace = >> hiveConf.getVar(HiveConf.ConfVars.HIVE_SERVER2_ZOOKEEPER_NAMESPACE); >> >> >> So as long as you are using ranger you must use zookeeper and >> configuration in this case is unclear. >> I never managed to make it work properly. >> It seems like version 3.1.2 is no longer developed or supported and only >> 2.x is still under developpement. >> Looks like cloudera buying HDP makes development less active in the end... >> >> ------------------------------ >> *De: *"Battula, Brahma Reddy" <bbatt...@visa.com> >> *À: *user@hive.apache.org >> *Envoyé: *Vendredi 17 Septembre 2021 21:15:51 >> *Objet: *Re: Future release of hive >> >> >> >> Can you please give more details on issues which you faced with >> hive-3.1.2 and ranger-2.1.0..? >> >> >> >> >> >> *From: *Antoine DUBOIS <antoine.dub...@cc.in2p3.fr> >> *Date: *Tuesday, 14 September 2021 at 6:20 PM >> *To: *user@hive.apache.org <user@hive.apache.org> >> *Subject: *Future release of hive >> >> Hello >> >> After trying to use hive 3.1.2 for several weeks with ranger, I stop. >> It's seems way too complicated and tedious. >> >> I wonder when or even if there will be any more release in the 3.0 branch. >> >> I wonder if Hive 3.0 was just an experience as it seems maintenance is >> not really there. >> Is there any plan for Hive 4.0 or should I use Hive 2.8 knowing I'm using >> Hadoop 3 ? >> Any insight on hive release cycle woudl be awesome. >> >> >> >> i hope you have a nice day. >> >> >> >> Antoine DUBOIS >> >> >> >>