After Ranger Authentication Is Enabled for Hive, Unauthorized Tables and Databases Can Be Viewed on the Hue Page
Issue
Although Ranger authentication is enabled for Hive, unauthorized tables and databases can be still viewed on the Hue page.
Symptom
In a normal cluster with Kerberos authentication disabled, after Ranger authentication is enabled for Hive, unauthorized tables and databases can be viewed on the Hue page.
Cause Analysis
After Ranger authentication is enabled for Hive, the default Hive policies contain two public group policies about databases. All users belong to the public group. By default, the public group is granted the permission to create tables in the default database and create other databases. Therefore, all users have the show databases and show tables permissions by default. If some users do not need to have these two permissions, you can delete the default public group policies on the Ranger web UI and grant the required user permissions.
Procedure
- Log in to the Ranger web UI.
- In the Service Manager area, click the Hive component name to access the Hive security access policy page.
- Click in the rows containing the all - database and default database tables columns policies.
- Delete the public group policies.
Figure 1 all - database policy
Figure 2 default database tables columns policy
- On the Hive security access policy page, click Add New Policy to add resource access policies for related users or user groups. For details, see Configuring Component Permission Policies.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.