HDP cluster with Ranger configured and the Hive plugin enabled.
Access policies are defined in Ranger for different resources to allow or deny access to Hive databases and tables, yet users are denied (or allowed) access in contradiction to the policies defined in Ranger. Typically the policy grants access to a group, and a user who is shown as a member of that group in the Ranger UI is still denied.
By default the Hive Metastore uses HadoopDefaultMetastoreAuthenticator to resolve the user -> group mappings. The class is configured by the hive.security.metastore.authenticator.manager property, and it should not be changed unless LDAP or another authentication method is enabled. This class resolves the user's groups through the operating system of the Hive Metastore host, i.e. the local Linux users and groups; the result is the same set of groups that `id -Gn <user>` prints on that host.
This implies that if we want user aitor to belong to group foogroup, we have to create user aitor and add him to group foogroup at the Linux level on the Hive Metastore server. Otherwise the group membership is not propagated to the Ranger checks, and a policy granting foogroup access to a table will not apply to aitor no matter what the Ranger UI shows.
Even if Linux is configured to authenticate users against an identity service (like LDAP or AD), the user and its groups must be resolvable as local accounts on the Hive Metastore host for group membership to reach the Hive Metastore and therefore the Ranger Hive plugin. Ranger's own user and group sync only populates the policy editor; it is not consulted when the plugin evaluates a request, so the groups shown in the Ranger UI and the groups used at enforcement time can differ. The quickest check is to run `id -Gn <user>` on the Metastore host and confirm the expected group appears in the output.
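The following is an added example (not part of the original article) that emulates the OS-level lookup the authenticator depends on, over constructed /etc/passwd and /etc/group snippets embedded in the script, and prints the commands an administrator would run on the Hive Metastore host to repair a missing membership. The sample entries, the user `aitor`, the groups `foogroup` and `hadoop`, and the helper names `resolve_groups`, `check_membership` and `fix_commands` are all assumptions made for the example; on a real host you would simply run `id -Gn aitor` instead of the emulation.

```shell
#!/bin/sh
# Added example: emulate the local user -> group resolution that
# HadoopDefaultMetastoreAuthenticator relies on, using constructed
# /etc/passwd and /etc/group contents instead of the real files.

# Constructed sample data (assumption, not real host data):
# 'aitor' exists locally but is NOT a member of 'foogroup'; 'bob' is.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
aitor:x:1001:1001::/home/aitor:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash'

SAMPLE_GROUP='root:x:0:
aitor:x:1001:
bob:x:1002:
foogroup:x:2000:bob
hadoop:x:2001:aitor,bob'

# resolve_groups USER PASSWD_DATA GROUP_DATA
# Prints the user's primary group plus every group listing the user as a
# member, one per line in /etc/group order (the same set `id -Gn USER`
# reports). Prints nothing and returns 1 if USER is not a local account,
# which is exactly the case in which Ranger sees the user with no groups.
resolve_groups() {
    rg_user=$1; rg_passwd=$2; rg_group=$3
    rg_gid=$(printf '%s\n' "$rg_passwd" | awk -F: -v u="$rg_user" '$1==u {print $4}')
    [ -n "$rg_gid" ] || return 1
    printf '%s\n' "$rg_group" | awk -F: -v u="$rg_user" -v g="$rg_gid" '
        $3==g {print $1; next}          # primary group, matched by gid
        {
            n = split($4, members, ",") # supplementary members list
            for (i = 1; i <= n; i++) if (members[i]==u) print $1
        }'
}

# check_membership USER GROUP PASSWD_DATA GROUP_DATA
# Returns 0 if GROUP is among the groups resolved for USER, 1 otherwise.
check_membership() {
    resolve_groups "$1" "$3" "$4" | grep -qx "$2"
}

# fix_commands USER GROUP
# Prints the commands to run (as root) on the Hive Metastore host so the
# OS-level lookup returns GROUP for USER: create what is missing, add the
# membership, then verify with id -Gn.
fix_commands() {
    cat <<EOF
getent group $2 >/dev/null || groupadd $2
id -u $1 >/dev/null 2>&1 || useradd $1
usermod -a -G $2 $1
id -Gn $1
EOF
}

# Stand-alone demonstration on the constructed data.
if check_membership aitor foogroup "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; then
    echo "aitor is in foogroup on this host; Ranger group policies will apply"
else
    echo "aitor is NOT in foogroup on this host; run on the Metastore server:"
    fix_commands aitor foogroup
fi
```

Hadoop caches group lookups (hadoop.security.groups.cache.secs), so after adding the membership the new group may not be visible to the Metastore until the cache expires or the service is restarted.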
- Ranger Plugin for Hive Metastore
- SQL Standard Based Hive Authorization
- HiveDefaultAuthorization LegacyMode - Users, Groups, and Roles