Try to delete the policy from Ranger. Then check with user henry again; it should not see any tables. Create the policy again and check if that helps you. Also tell me whether, while creating the policy in Ranger, the Ranger Web UI auto-suggests henry as the user for you. If not, then that user is not synced to Ranger, hence the error.

On Thu, May 10, 2018, 11:22 AM Roberta Marton <[email protected]> wrote:
> Here is the policy definition:
>
> {
> "id":18,"guid":"65c08933-0ada-4577-b8bbe866c36e519",
> "isEnabled":true,
> "createdBy":"Admin",
> "updatedBy":"Admin",
> "createTime":1525901029063
> ,"updateTime":1525930710922,
> "version":2,
> "service":"hdp_hive",
> "name":"abc_test",
> "policyType":0,
> "description":"",
> "resourceSignature":"c15fb5ec332fe9828faa045100214819562b49f9880a0dd40ea339703fc73991",
> "isAuditEnabled":true
> ,"resources":{"database":{"values":["default
> "],"isExcludes":false,"isRecursive":false},
> "column":{"values":["all"], "isExcludes":false, "isRecursive":false},
> "table":{"values":["customer"],"isExcludes":false,"isRecursive":false}},
> "policyItems":[{"accesses":[{"type":"select","isAllowed":true}],
> "users":["mary","henry"],
> "groups":[],"conditions":[],
> "delegateAdmin":false}],"denyPolicyItems":[],
> "allowExceptions":[],"denyExceptions":[],
> "dataMaskPolicyItems":[],
> "rowFilterPolicyItems":[]
> }
>
> show databases;
> +----------------+--+
> | database_name |
> +----------------+--+
> | default |
> | tpcds |
> +----------------+--+
> 2 rows selected (0.358 seconds)
>
> > show tables;
> +-----------+--+
> | tab_name |
> +-----------+--+
> | customer |
> +-----------+--+
> 1 row selected (0.207 seconds)
>
> > select count(*) from customer;
> Error: Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [henry] does not have [SELECT] privilege on
> [default/customer] (state=42000,code=40000)
>
> > select * from customer limit 2;
> Error: Error while compiling statement: FAILED: HiveAccessControlException
> Permission denied: user [henry] does not have [SELECT] privilege on
> [default/customer/*] (state=42000,code=40000)
>
> I am unable to view audit log data – returns “Error connecting to the
> search engine”. I am using HDFS instead of SOLR.
>
> Bert
>
> *From:* Madhan Neethiraj [mailto:[email protected]]
> *Sent:* Wednesday, May 9, 2018 6:24 PM
> *To:* [email protected]
> *Subject:* Re: Unable to get ranger policies to work
>
> Roberta,
>
> Can you please add details of the policy you created and the query
> executed? Also, it will help to look at the contents of the audit log that
> shows ‘Deny’ for the query.
>
> Madhan
>
> *From: *Roberta Marton <[email protected]>
> *Reply-To: *"[email protected]" <[email protected]>
> *Date: *Wednesday, May 9, 2018 at 2:44 PM
> *To: *"[email protected]" <[email protected]>
> *Subject: *Unable to get ranger policies to work
>
> I installed Hortonworks 2.6.2 with Ranger and the Hive plugin using Ambari
> (no Kerberos/LDAP)
>
> I created a Linux user called Henry and assigned him some groups.
>
> Created several Hive tables using Beeline as a sudo user that installed
> the software.
>
> Connected to beeline as “henry” and perform “show databases”. I get back a
> “no permissions” error as expected.
>
> I created a policy in Ranger and granted Henry “select” privilege on a
> table in one of the Hive databases.
>
> Henry connects to beeline.
>
> “show databases” return the database that contains the table that Henry
> now has select privilege.
>
> “show tables” return the table that Henry has been granted select
> privilege.
>
> However, when Henry tries to select, it gets a no SELECT privilege error.
>
> I have tried the same exercise with different users, tables, and
> privileges and the DML operations never succeed.
>
> I checked the logs and it looks like Hive is contacting Ranger to get
> privileges as expected:
>
> 2018-04-27 23:48:19,349 ERROR [HiveServer2-Handler-Pool: Thread-91]:
> ql.Driver (SessionState.java:printError(993)) - FAILED:
> HiveAccessControlException Permission denied: user [henry] does not have
> [SELECT] privilege on [default/customer]
> org.apache.hadoop.hive.ql.security.authorization.plugin.HiveAccessControlException:
> Permission denied: user [henry] does not have [SELECT] privilege on
> [default/customer]
> at org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizer.checkPrivileges(RangerHiveAuthorizer.java:460)
> at org.apache.hadoop.hive.ql.Driver.doAuthorizationV2(Driver.java:856)
> at org.apache.hadoop.hive.ql.Driver.doAuthorization(Driver.java:644)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:511)
> at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:321)
> at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1221)
> at org.apache.hadoop.hive.ql.Driver.compileAndRespond(Driver.java:1215)
> at org.apache.hive.service.cli.operation.SQLOperation.prepare(SQLOperation.java:146)
> at org.apache.hive.service.cli.operation.SQLOperation.runInternal(SQLOperation.java:226)
> at org.apache.hive.service.cli.operation.Operation.run(Operation.java:264)
> at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementInternal(HiveSessionImpl.java:470)
> at org.apache.hive.service.cli.session.HiveSessionImpl.executeStatementAsync(HiveSessionImpl.java:457)
> at org.apache.hive.service.cli.CLIService.executeStatementAsync(CLIService.java:313)
> at org.apache.hive.service.cli.thrift.ThriftCLIService.ExecuteStatement(ThriftCLIService.java:509)
> at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1317)
> at org.apache.hive.service.cli.thrift.TCLIService$Processor$ExecuteStatement.getResult(TCLIService.java:1302)
> at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:39)
> at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:39)
> at org.apache.hive.service.auth.TSetIpAddressProcessor.process(TSetIpAddressProcessor.java:56)
> at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:286)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> I am at a loss on how to proceed. Any suggestions?
>
> Bert
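
An offline check of the quoted policy against the denied requests, as an added example that is not part of the thread and is not Ranger's evaluator. It assumes policy values are literals or `*`/`?` wildcard patterns and that a request stopping above a resource level matches only when the policy covers every value at that level; `explain`, `failed_checks` and the column name `c_name` are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Fields copied from the quoted policy definition, trimmed to what is checked
# here; the mail line wrap inside "default" is joined (assumption).
POLICY = json.loads("""
{"name": "abc_test", "isEnabled": true,
 "resources": {
   "database": {"values": ["default"],  "isExcludes": false},
   "column":   {"values": ["all"],      "isExcludes": false},
   "table":    {"values": ["customer"], "isExcludes": false}},
 "policyItems": [{"accesses": [{"type": "select", "isAllowed": true}],
                  "users": ["mary", "henry"], "groups": []}]}
""")

def value_matches(spec, value):
    """Assumed model: each policy value is a literal or a */? wildcard pattern."""
    hit = any(fnmatchcase(value, pattern) for pattern in spec["values"])
    return hit != spec.get("isExcludes", False)

def explain(policy, user, groups, access, resource):
    """Return {check_name: passed} for one access request against one policy."""
    result = {"enabled": bool(policy.get("isEnabled"))}
    for level, spec in policy["resources"].items():
        value = resource.get(level)
        if value is None:
            # Request has no value at this level (e.g. table-level SELECT):
            # assumed to match only if the policy covers everything there.
            result[level] = "*" in spec["values"] and not spec.get("isExcludes", False)
        else:
            result[level] = value_matches(spec, value)
    result["grant"] = any(
        (user in item["users"] or bool(set(groups) & set(item["groups"])))
        and any(a["type"] == access and a["isAllowed"] for a in item["accesses"])
        for item in policy["policyItems"])
    return result

def failed_checks(policy, user, groups, access, resource):
    """Names of the checks that did not pass, sorted."""
    checks = explain(policy, user, groups, access, resource)
    return sorted(name for name, ok in checks.items() if not ok)

if __name__ == "__main__":
    table_req = {"database": "default", "table": "customer"}
    print(failed_checks(POLICY, "henry", [], "select", table_req))
    print(failed_checks(POLICY, "henry", [], "select", dict(table_req, column="c_name")))
```

Under this model both requests fail only the `column` check, because the policy's column value is the literal `all`; the user and access-type checks for henry pass.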
