How to Configure Hive Authorization Using Apache Ranger

Apache Ranger is a framework for enabling, monitoring, and managing the comprehensive data security across the Hadoop platform. Ranger simply helps a Hadoop admin with various security management tasks. It provides a mechanism to manage the security from a single pane for various components. With Ranger, you can control fine-grained access to various components of the Hadoop ecosystem.
Ranger has an Administration Portal you can use to define various policies for different components. Ranger plugins can be enabled for several HDP services. The following Ranger plugins are available:
  • HDFS
  • Hive
  • HBase
  • Kafka
  • Knox
  • YARN
  • Storm
In this post, we will see how to create a ranger policy to define access to a particular database/table for a user. Before we create any policy, we first have to enable the Hive Plugin for Ranger using ambari.

Enable Ranger Hive plugin

1. To enable Ranger Hive Plugin goto Services > Ranger > Configs > Ranger Plugin. Enable the Ranger Hive Plugin on this page.
Enable Ranger Hive Plugin in Ambari
2. Save the config by providing an appropriate description note.
save config after enabling Ranger Hive Plugin
save Ranger config provide description of change HDPCA
3. Ambari will prompt for some recommended changes to be done in order to enable the Ranger Hive Plugin. Accept the changes and proceed.
recommended changes to enable Ranger hive Plugin HDPCA
4. We need to restart the Hive Service for the changes to take effect.
restart of hive service after enabling Ranger Hive Plugin HDPCA

Overview of Ranger Admin UI and pre-configured policies for hive

You can log in to the Ranger Admin UI and check if the Ranger Hive Plugin is enabled and you can create policies. To login to the Ranger Dashboard use the default username/password of admin/admin.
Ranger Admin UI from ambari
You can also goto the Ranger Admin UI with below URL:
http://rangerserver:6080
When you log in to the Ranger UI, the home page lists the various menus and types of policies that can be created using Ranger. As we can see the Ranger Hive Plugin is enabled and we can view the pre-configured policies for Hive.
Ranger Admin UI dashboard
You can edit the pre-configured policies as shown below.
pre-configured Hive Policies in Ranger
This particular policy provides ALL privilege access to the users “hive” and “ambari-qa”. You can add a new user/group and also modify the permissions on this page.
Ranger hive pre-configured policy details
privileges allowed in the policy and users

Creating a new Ranger hive Policy

Let’s create a new Ranger Hive Policy to allow access to a particular database (database name: default). The user will have only “select” privilege on all the tables in the default database.
1. Click on the policy group name under Hive.
create new Ranger hive policy
2. Now click on Add New Policy to open a new page, similar to the one shown below:
Ranger Hive Policy details HDPCA
Provide the details like Policy Name, database name, table name etc.
3. In the “User and Group Permissions” section, we will assign the “select” permission to the user “hdfs”. Save the policy.
User and Group Permissions in Ranger Hive Policy HDPCA

Verify the Ranger Hive Policy

Let’s connect to the Hive database using the user hive and test the policy we just created. I have already created a “test” table in the default database.

Getting the HiveServer2 JDBC URL from Ambari

We need to first get the HiveServer2 JDBC URL from ambari in order to connect the hive databases. Goto the Hive Service Page and copy the JDBC URL from the page.
Getting the HiveServer2 JDBC URL from Ambari
We can now connect to the hive default database using the user “hdfs”.
# beeline
Beeline version 1.2.1000.2.6.5.0-292 by Apache Hive
beeline> !connect [HiveServer2 JDBC URL]
connecting hive databases with hdfs user Ranger Hive Policy configuration
We can check if we can view the tables in the “default” database using the “hdfs” user. As shown below, we can query the table “test1” in the default database.
viewing the databases in Hive Ranger Hive Policy configuration
Let’s try to execute any other query on the table and see if the user has the privilege to drop the table “test1”.
drop table test Range Hive Policy configuration

Granting user “hdfs” the “drop” privilege

Let’s modify the policy and give the “drop” privilege to the “hdfs” user on all the tables of the “default” database. From the Ranger Dashboard, edit the policy we created earlier in this post.
edit the Ranger Hive Policy HDPCA
Assign the “drop” privilege to the “hdfs” user and save the policy.
assign drop privilege to a user in Ranger Hive Policy
Wait for a minute or two for the policy to get updated across the cluster. Now try dropping the table again. This time the user hdfs is able to drop the test1 table.
drop table test Range Hive Policy configuration HDPCA exam Objective


No comments:

Post a Comment