Pivotal Knowledge Base


Ranger group ACL not working in Hive

Environment

HDP cluster with Ranger configured and Hive plugin enabled

Symptom

ACLs are defined for different resources in Ranger to restrict or allow access to Hive databases and tables, yet users are denied (or allowed) access in a way that contradicts the ACLs defined in Ranger.

Cause

By default, Hive Metastore uses HadoopDefaultMetastoreAuthenticator to resolve user -> group mappings. This can be configured through the hive.security.metastore.authenticator.manager property, but it should not be changed unless LDAP or some other authentication method is enabled. This class looks up the local Linux users and groups on the Metastore host to build the Hive user -> groups mappings.

Resolution

This implies that if we want user aitor to belong to group foogroup, we have to create user aitor and assign it to group foogroup at the Linux level on the Hive Metastore server. Otherwise, the group membership will not be propagated to the Ranger checks.

Even if Linux is configured to authenticate users against an identity service (like LDAP or AD), the users must be local to propagate GROUP membership to Hive Metastore, and therefore to Ranger Hive Plugin.
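The following script is an added example, not part of the original article or of Hive/Ranger: it reproduces the local user -> group lookup that the Metastore relies on by reading the host's passwd and group databases, and reports whether a user carries the group a Ranger policy expects. The function names (`local_groups`, `ranger_group_check`) and the optional file-path arguments are assumptions made so the check can also run against constructed copies of those files.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from Hive or Ranger): mimic the local
# Linux user/group resolution used by HadoopDefaultMetastoreAuthenticator.

# local_groups USER [PASSWD_FILE] [GROUP_FILE]
# Prints the user's primary group followed by its supplementary groups, one per
# line. Prints nothing and returns 1 when USER is not a local account.
local_groups() {
    user=$1
    passwd=${2:-/etc/passwd}
    group=${3:-/etc/group}
    # Primary group id comes from passwd: name:x:uid:gid:...
    gid=$(awk -F: -v u="$user" '$1 == u { print $4 }' "$passwd")
    [ -n "$gid" ] || return 1
    # Resolve the primary gid to a name, then add every group whose member list
    # (field 4, comma separated) names the user.
    awk -F: -v u="$user" -v g="$gid" '
        $3 == g { print $1; next }
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }
    ' "$group"
}

# ranger_group_check USER GROUP [PASSWD_FILE] [GROUP_FILE]
# Returns 0 when the Metastore host will propagate GROUP for USER to the Ranger
# Hive plugin, otherwise returns 1 and prints the local fix the article describes.
ranger_group_check() {
    user=$1
    want=$2
    if ! groups=$(local_groups "$user" "$3" "$4"); then
        echo "user '$user' is not a local account on this host; create it with:"
        echo "  useradd -G $want $user"
        return 1
    fi
    if echo "$groups" | grep -qx "$want"; then
        echo "ok: '$user' resolves to group '$want' locally"
        return 0
    fi
    echo "'$user' is local but not in '$want' (local groups: $(echo $groups)); fix with:"
    echo "  usermod -a -G $want $user"
    return 1
}
```

Run it on the Hive Metastore host (for example `ranger_group_check aitor foogroup`); a non-zero exit means the Ranger group policy cannot match for that user until the local account is fixed.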
