Pivotal Knowledge Base


Ranger group ACL not working in Hive


HDP cluster with Ranger configured and the Hive plugin enabled.


ACLs (Ranger policies) are defined on Hive databases and tables to allow or deny access, yet a user is denied (or allowed) access in contradiction to the policies defined in Ranger. The typical case is a policy that grants access to a group: a user who is a member of that group in the identity service is still denied.


By default the Hive Metastore uses HadoopDefaultMetastoreAuthenticator to resolve the user -> group mappings. The class is set by the hive.security.metastore.authenticator.manager property and should not be changed unless LDAP or another authentication method is enabled. This class resolves a user's groups through Hadoop's group lookup, which by default queries the local Linux users and groups on the host where the Metastore runs (the same answer the `id` command gives on that host). The Ranger Hive plugin evaluates group policies against the groups returned by that lookup, not against the identity service directly.


This means that if user aitor is supposed to belong to group foogroup for a Ranger policy, user aitor must exist and be a member of foogroup at the Linux level on the Hive Metastore server. Otherwise the group membership is not propagated to the Ranger checks, and a policy granted to foogroup has no effect for aitor.

Even if Linux on that host is configured to authenticate users against an identity service (such as LDAP or AD), the users must be local for their GROUP membership to propagate to the Hive Metastore, and therefore to the Ranger Hive plugin. A quick check is to run `id aitor` on the Metastore host: the groups it lists are the groups Ranger will evaluate for that user. If the user is unknown there, or foogroup is missing from the list, the group policy cannot match.
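The check and the fix described above, as an added shell example that is not part of the original article or of the Hive or Ranger projects. It reproduces the group lookup that the default Hadoop shell-based group mapping performs (`id -gn` / `id -Gn` on the host) and, when run as root with two arguments, creates the missing local user and group membership. The user and group names (aitor, foogroup) are the article's placeholders; the script file name is an assumption.

```bash
#!/usr/bin/env bash
# Added example, not from the original article. Run this ON THE HIVE METASTORE HOST,
# because that is where HadoopDefaultMetastoreAuthenticator resolves user -> groups.
# Hadoop's default group mapping shells out to `id`, so what `id` says here is what
# the Ranger Hive plugin will see.

# Print the groups the OS resolves for a user, one per line (empty if user unknown).
os_groups() {
  local user="$1"
  id -Gn "$user" 2>/dev/null | tr ' ' '\n'
}

# Exit 0 if $1 is a member of $2 as the OS on this host sees it, otherwise 1.
user_in_group() {
  local user="$1" group="$2"
  os_groups "$user" | grep -qx -- "$group"
}

# Diagnostic report for one user/group pair; mirrors the article's failure modes.
check() {
  local user="$1" group="$2"
  if ! id -u "$user" >/dev/null 2>&1; then
    echo "FAIL: $user is unknown on this host; Ranger will see no groups for it"
    return 1
  fi
  if user_in_group "$user" "$group"; then
    echo "OK: $user -> $(os_groups "$user" | tr '\n' ' ')"
  else
    echo "FAIL: $user is not in $group here; Ranger policies granted to $group will not apply"
    return 1
  fi
}

# The fix from the article: create the user and group locally and add the membership.
# Needs root. Creates a system-style login with no home dir and no shell, since the
# account only exists so the Metastore can resolve its groups.
ensure_local_membership() {
  local user="$1" group="$2"
  getent group "$group" >/dev/null || groupadd "$group"
  getent passwd "$user" >/dev/null || useradd -M -s /usr/sbin/nologin "$user"
  user_in_group "$user" "$group" || usermod -a -G "$group" "$user"
  check "$user" "$group"
}

# Usage (assumed file name): ./check_hive_groups.sh aitor foogroup [--fix]
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  if [ "${3:-}" = "--fix" ]; then
    ensure_local_membership "$1" "$2"
  else
    check "$1" "$2"
  fi
fi
```

After creating or changing the membership, the Metastore (and anything else that caches Hadoop group lookups) may keep the old answer until hadoop.security.groups.cache.secs expires; `hdfs groups aitor` shows the Hadoop-side view of the same lookup and is a useful cross-check against the `id` output.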
