Posted to user@ranger.apache.org by Hanish Bansal <ha...@impetus.co.in> on 2015/03/31 13:35:26 UTC

Hive admin user behavior

Hi All,


When deploying hive, I have defined the below configuration for hiveserver2 in the configuration file "hive-site.xml":


<property>
    <name>hive.server2.enable.doAs</name>
    <value>true</value>
</property>
<property>
    <name>hive.users.in.admin.role</name>
    <value>hanish</value>
</property>

<property>
    <name>hive.security.authorization.manager</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.SQLStdHiveAuthorizerFactory</value>
</property>
<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
</property>
<property>
    <name>hive.security.authenticator.manager</name>
    <value>org.apache.hadoop.hive.ql.security.SessionStateUserAuthenticator</value>
</property>

<property>
    <name>hive.security.authorization.enabled</name>
    <value>true</value>
</property>


I have added the "hanish" user to the admin user list (property hive.users.in.admin.role), so it should be able to fetch the schema of all tables. But I am getting a permission denied error.

I want to define one user as an admin user who can fetch the schema of all tables. If I give admin permissions or select permissions from the Ranger UI to a user for databases=* and tables=*, then it works fine and that user is able to fetch the schema for all tables. But if the user is defined as admin per the Hive configuration, by specifying "hive.users.in.admin.role", then that user does not behave as admin.

Please let me know the expected behavior.

Does Ranger override the behavior of the Hive property "hive.users.in.admin.role"?




-------
Thanks & Regards,
Hanish Bansal
Software Engineer, iLabs
Impetus Infotech Pvt. Ltd.
(O) :  +91.120.4092200-2790
(M) : +91.9953399925

________________________________






NOTE: This message may contain information that is confidential, proprietary, privileged or otherwise protected by law. The message is intended solely for the named addressee. If received in error, please destroy and notify the sender. Any use of this email is prohibited when received in error. Impetus does not represent, warrant and/or guarantee, that the integrity of this communication has been maintained nor that the communication is free of errors, virus, interception or interference.

RE: Hive admin user behavior

Posted by Hanish Bansal <ha...@impetus.co.in>.
Thanks for the response, Balaji!


I would also like to know about the value of the property "hive.security.authorization.enabled". What is the expected value of this according to Ranger: true or false?


-------
Thanks & Regards,
Hanish Bansal
Software Engineer, iLabs
Impetus Infotech Pvt. Ltd.
(O) :  +91.120.4092200-2790
(M) : +91.9953399925

Re: Hive admin user behavior

Posted by Balaji Ganesan <bg...@apache.org>.
If the hive.server2.enable.doAs parameter is set to false, then the
underlying jobs in HDFS are run as the "hive" user. This is a better security
model, as the underlying HDFS file permissions can be set to be owned only
by the "hive" user and the end user would not be able to access files directly
without going through Hiveserver2.


RE: Hive admin user behavior

Posted by Hanish Bansal <ha...@impetus.co.in>.
Yes, I am using the beeline client for testing purposes and the hiveserver2 JDBC client.


I am still confused about the "hive.server2.enable.doAs" property.


As per the wiki documentation (https://cwiki.apache.org/confluence/display/Hive/Setting+Up+HiveServer2):

By default HiveServer2 performs the query processing as the user who submitted the query. But if the following parameter is set to false, the query will run as the user that the hiveserver2 process runs as.

hive.server2.enable.doAs – Impersonate the connected user, default true.


As per my understanding, if this property is set to false, all queries will run as the user who started the hiveserver2 process. So we should set this property to "true" to run the query as the user who submitted the query.


Please let me know your thoughts on this.


-------
Thanks & Regards,
Hanish Bansal
Software Engineer, iLabs
Impetus Infotech Pvt. Ltd.
(O) :  +91.120.4092200-2790
(M) : +91.9953399925

Re: Hive admin user behavior

Posted by Don Bosco Durai <bo...@apache.org>.
Yes, if you are using Ranger, then you have to set appropriate permissions
on Ranger. It helps in plugging any backdoor loopholes.

I am also assuming you are using beeline client or JDBC.

One more thing, we recommend hive.server2.enable.doAs=false.

Thanks

Bosco


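Added example, not part of any message in this thread: a Python check of a hive-site.xml against the points raised here, namely the repeated hive.security.authorization.enabled entry in the posted file, the doAs=false recommendation in the replies, and reliance on hive.users.in.admin.role when Ranger decides access. The function names, finding codes and sample file are constructed for illustration, and the rule that the last definition of a property wins is an assumption about how the file is loaded.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the properties from the first message of the thread,
# wrapped in the <configuration> root element of a real hive-site.xml.
SAMPLE = """<configuration>
<property><name>hive.server2.enable.doAs</name><value>true</value></property>
<property><name>hive.users.in.admin.role</name><value>hanish</value></property>
<property><name>hive.security.authorization.enabled</name><value>true</value></property>
<property><name>hive.security.authorization.enabled</name><value>true</value></property>
</configuration>"""


def load_properties(xml_text):
    """Return (effective, seen): last value per name, and all values per name.

    Assumption: a later <property> overrides an earlier one with the same
    name, as in Hadoop's Configuration loading; <final> is not modelled.
    """
    seen = defaultdict(list)
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            seen[name].append((prop.findtext("value") or "").strip())
    return {n: v[-1] for n, v in seen.items()}, dict(seen)


def audit(xml_text):
    """Return a list of (code, property, message) findings."""
    effective, seen = load_properties(xml_text)
    findings = []
    # Repeated definitions hide which value is live; conflicting ones are worse.
    for name, values in seen.items():
        if len(values) > 1:
            code = "DUPLICATE_CONFLICT" if len(set(values)) > 1 else "DUPLICATE_SAME"
            findings.append((code, name, f"defined {len(values)} times: {values}"))
    # The wiki text quoted in the thread gives true as the default.
    if effective.get("hive.server2.enable.doAs", "true").lower() == "true":
        findings.append(("DOAS_ENABLED", "hive.server2.enable.doAs",
                         "queries run as the connecting user; the replies in "
                         "this thread recommend false when Ranger is used"))
    # Comma-separated user list; per the thread it does not replace Ranger policy.
    admins = [u.strip() for u in
              effective.get("hive.users.in.admin.role", "").split(",") if u.strip()]
    if admins:
        findings.append(("ADMIN_ROLE_NOT_RANGER", "hive.users.in.admin.role",
                         f"{admins} still need a Ranger policy to read schemas"))
    return findings


if __name__ == "__main__":
    for code, name, message in audit(SAMPLE):
        print(f"[{code}] {name}: {message}")
```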