Perhaps. It is hard to say definitively without taking a look at the logs.

From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Friday, July 24, 2015 at 8:10 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Hive server identity assertion

Exactly!

And I've checked the logs once again, but I can't see any groups mentioned. 
Does this reveal a special issue?

Thanks,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-07-24 16:23 GMT+02:00 Alok Lal <a...@hortonworks.com>:
If the user groups couldn't be asserted, would I see a log indicating that the 
user cannot be impersonated (like Knox prompts)?

Yes, the log should show the user and group info being sent to the policy 
engine for authorizing. I presume you are using Ranger 0.5 to connect via 
beeline to a hiveserver2 instance. Right? (Not that these matter, just to set 
context.)

Thanks

From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Friday, July 24, 2015 at 12:53 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Re: Hive server identity assertion

Well, that's what I thought, but the command hdfs groups returns a group 
that I use for a policy giving access to a database, and as I get the message 
"HiveAccessControlException Permission denied" when accessing this database, I 
think Hive cannot assert the groups the user belongs to.

I'm using Hive 0.14.0.2.2.
As the problem might come from this, I think it's important to mention that the 
users are synchronized from an LDAP via SSSD.

If the user groups couldn't be asserted, would I see a log indicating that the 
user cannot be impersonated (like Knox prompts)?

Thanks,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne

2015-07-23 20:09 GMT+02:00 Don Bosco Durai <bo...@apache.org>:
Hive uses the same core-site.xml settings as HDFS. So if the group mapping works 
in HDFS, then it should work in Hive also.

And if the user and groups are in Linux/Unix, then it should have been supported 
out of the box.

What version of Hive are you using? (It shouldn't matter)

Thanks

Bosco


From: Loïc Chanel <loic.cha...@telecomnancy.net>
Reply-To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Date: Thursday, July 23, 2015 at 3:10 AM
To: "user@ranger.incubator.apache.org" <user@ranger.incubator.apache.org>
Subject: Hive server identity assertion

Hi all,

As I am now exploring how Ranger works with Hive, I made some policies, but it 
seems that group policies are not enforced.
Therefore, I was wondering how the Ranger plugin running on Hive was asserting 
the user's identity.

I am even more surprised by the fact that I do not have any problem with the 
Ranger plugin working on HDFS, which is running on the exact same node.

In parallel, I know that the Knox plugin, for example, runs in a totally 
different way, but as it seems that, as does HBase, Hive does not provide any 
user mapping function, I thought the identity would be asserted on the node 
Hive Server is running on, as if the user was a Unix one.

Does someone have an idea about how the user groups can be found by the Hive 
Ranger plugin?
Thanks in advance,


Loïc

Loïc CHANEL
Engineering student at TELECOM Nancy
Trainee at Worldline - Villeurbanne
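
An added example, not part of the original thread and not Ranger or Hive code: a check for the point made in the thread that Hive resolves groups through the same core-site.xml settings as HDFS. It compares the group-mapping properties of two core-site.xml documents; the function names and both sample documents are constructed, and it assumes the two services may be loading different copies of the file.

```python
import xml.etree.ElementTree as ET

# Property-name prefixes that control how a Hadoop service resolves groups.
PREFIXES = ("hadoop.security.group.mapping", "hadoop.security.groups.")

def group_mapping_props(core_site_xml):
    """Return {name: value} for the group-mapping properties in core-site.xml text."""
    props = {}
    for prop in ET.fromstring(core_site_xml).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name.startswith(PREFIXES):
            props[name] = (prop.findtext("value") or "").strip()
    return props

def diff_group_mapping(hdfs_xml, hive_xml):
    """Return (property, hdfs_value, hive_value) per mismatch; None means unset."""
    hdfs, hive = group_mapping_props(hdfs_xml), group_mapping_props(hive_xml)
    return [(k, hdfs.get(k), hive.get(k))
            for k in sorted(set(hdfs) | set(hive)) if hdfs.get(k) != hive.get(k)]

# Constructed sample: core-site.xml as seen by the HDFS NameNode.
HDFS_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.invalid:8020</value></property>
  <property><name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.ShellBasedUnixGroupsMapping</value></property>
  <property><name>hadoop.security.groups.cache.secs</name><value>300</value></property>
</configuration>"""

# Constructed sample: a diverging copy on the HiveServer2 classpath.
HIVE_SITE = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn.example.invalid:8020</value></property>
  <property><name>hadoop.security.group.mapping</name>
    <value>org.apache.hadoop.security.LdapGroupsMapping</value></property>
  <property><name>hadoop.security.group.mapping.ldap.url</name>
    <value>ldap://ldap.example.invalid</value></property>
</configuration>"""

if __name__ == "__main__":
    # Any line printed here is a setting under which the two services could
    # resolve different groups for the same user.
    for name, hdfs_value, hive_value in diff_group_mapping(HDFS_SITE, HIVE_SITE):
        print(f"{name}: hdfs={hdfs_value!r} hive={hive_value!r}")
```

An empty result means both services use the same group-mapping provider and cache settings, so a group returned by hdfs groups should also be the one passed to the policy engine for Hive.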
