At the time of authorization, "groups for the user" information is provided by Hadoop. To find the list of groups for user1, as Hadoop sees it, execute the following command on the HiveServer2 host:
$ hdfs groups user1

If Hadoop is configured to read user-group details from Unix, then you need to add user1 to the users group in Unix - for example with the command below:

$ usermod --append --groups users user1

Please note that it might take a few minutes for the UserGroupInformation cache to see this update. Once the cache is updated, "hdfs groups user1" should include the "users" group as well. After this, HiveServer2 authorization will see user1 as part of the users group.

Hope this helps.

Thanks,
Madhan

On 5/18/15, 10:03 PM, "林家銘" <[email protected]> wrote:

>Hi
>
>I am using beeline and Ranger in the HDP2.2 sandbox.
>
>My scenario is
>Firstly, I create a user "user1" in Ranger and join the user to a
>group, say "users", which should be a Unix group.
>
>Secondly, I disable all the policies and create one by myself, which
>is set to grant all privileges of database "xademo" to the group
>"users".
>
>Thirdly, I connect to HiveServer2 by using the beeline command as follows
>!connect jdbc:hive2://sandbox_host:10000 user1 1qaz2wsx
>org.apache.hive.jdbc.HiveDriver
>
>Then, I execute the command "use xademo;" on beeline, but it says
>permission denied.
>Error: Error while compiling statement: FAILED:
>HiveAccessControlException Permission denied: user [user1] does not
>have [USE] privilege on [xademo(state=42000,code=40000)
>
>I think the problem is, Hive impersonates as "user1", and the Hadoop
>security library "UserGroupInformation" doesn't know the groups "user1"
>has joined, so I always saw the debug log say the groups of user1
>can't be found.
>
>Then what's the best practice for this integration (Ranger with
>HiveServer2)?
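
The check described in the reply above, as an added example that is not part of the original thread: it compares the groups Unix reports for a user with the groups Hadoop reports, to tell a missing group membership from a group cache that has not picked up the change yet. It assumes Hadoop reads groups from Unix on the HiveServer2 host and that "hdfs groups" prints "<user> : <group1> <group2> ..."; the function names and the script name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Run on the HiveServer2 host.

# Extract the group list from one line of `hdfs groups` output.
# Assumed output format: "<user> : <group1> <group2> ..."
hadoop_groups_from_line() {
    printf '%s\n' "$1" | sed -e 's/^[^:]*:[[:space:]]*//'
}

# Return 0 if group $1 appears as a whole word in the space-separated list $2.
has_group() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Classify the state from the two group lists (pure function, runs no commands).
# $1 = group the Ranger policy grants to, $2 = Unix groups, $3 = Hadoop groups
classify() {
    if has_group "$1" "$3"; then
        echo "ok"            # Hadoop already sees the membership
    elif has_group "$1" "$2"; then
        echo "stale-cache"   # Unix has it, Hadoop's group cache does not yet
    else
        echo "not-a-member"  # user must first be added to the Unix group
    fi
}

# Gather both views for a user and classify them.
check_user() {
    user=$1; group=$2
    os_groups=$(id -Gn "$user" 2>/dev/null)
    hadoop_line=$(hdfs groups "$user" 2>/dev/null)
    classify "$group" "$os_groups" "$(hadoop_groups_from_line "$hadoop_line")"
}

# Run only when invoked with two arguments, e.g.: sh check_groups.sh user1 users
if [ $# -eq 2 ]; then
    check_user "$1" "$2"
fi
```

A result of "stale-cache" matches the waiting period mentioned in the reply; "not-a-member" means the usermod step has not been done on this host.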
