Configuring Hive/Impala Access Permissions in Ranger

After an MRS cluster with Ranger installed is created, Hive and Impala access control is not integrated into Ranger. This section describes how to integrate Hive into Ranger. Impala follows the same procedure.

Log in to the Ranger web UI.
In the Service Manager area, click next to HIVE to add a Hive service.

Figure 1 Adding a Hive service

Set the parameters for adding a Hive service according to Table 1. Use the default values for the parameters that are not listed in the table.

**Table 1** **Parameter description**
Parameter	Description	Example Value
Service Name	Name of the service to be created. The value is fixed to hivedev.	hivedev
Username	You can set this parameter to any value.	admin
Password	You can set this parameter to any value.	-
jdbc.driverClassName	Driver class for connecting to Hive. The value is fixed to org.apache.hive.jdbc.HiveDriver.	org.apache.hive.jdbc.HiveDriver
jdbc.url	URL for connecting to Hive. The format is ZooKeeper mode: jdbc:hive2://<host>:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2 <host> indicates a ZooKeeper address. To obtain the ZooKeeper address, log in to MRS Manager, choose Services > ZooKeeper > Instance, and view the management IP address of the ZooKeeper instance.	jdbc:hive2://xx.xx.xx.xx:2181,xx.xx.xx.xx:2181,xx.xx.xx.xx:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2

Figure 2 Creating hivedev

Click Add to add the service.
Start the Ranger Hive plugin to authorize Ranger to manage Hive.
1. On the MRS management console, click the cluster name to go to the cluster details page.
2. Click the Components tab.
3. Choose Hive > Service Configuration and switch Basic to All.
4. Search for hive.security.authorization and modify the following configurations:
  - hive.security.authorization.enabled = true
  - hive.security.authorization.manager = org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
5. Click Save Configuration and select Restart the affected services or instances to restart the Hive service.

Add an access control policy.

Log in to the Ranger web UI.
In the HIVE area, click the added service hivedev.
Click Add New Policy to add an access control policy.

Set the parameters according to Table 2. Use the default values for the parameters that are not listed in the table.

**Table 2** Parameter description
Parameter	Description	Example Value
Policy Name	Policy name	Policy001
database	Name of the database that the policy allows to access	test
table	Name of the table corresponding to the database that the policy allows to access	table1
Hive Column	Column name of the table corresponding to the database that the policy allows to access	name
Allow Conditions	Select Group: user group that the policy allows to access Select User: user in the user group that the policy allows to access Permissions: permissions that the policy allows the user to have	Select Group: testuser Select User: testuser Permissions: Create and Select

Figure 3 Adding an access control policy for hivedev

Click Add to add the policy. According to the preceding policy, user testuser in the testuser user group has the Create and Select permissions on the name column of table1 in the test database of Hive, but no permissions to access other columns.

Log in to the Hive client by referring to Using Hive from Scratch, and check whether Hive has been integrated into Ranger.
1. Run the following command to access the Hive beeline:
  source /opt/client/bigdata_env
  
  beeline
2. Run the following command to set up a connection and log in as user testuser:
  !connect jdbc:hive2://xx.xx.xx.xx:2181,xx.xx.3.81:2181,192.168.3.153:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
  Figure 4 Logging in to Hive
3. Query data and check whether Ranger is integrated.
  Figure 5 Verifying the integration of Ranger with Hive