Configuring Hive/Impala Access Permissions in Ranger
After an MRS cluster with Ranger installed is created, Hive and Impala access control is not integrated into Ranger. This section describes how to integrate Hive into Ranger. Impala follows the same procedure.
- Log in to the Ranger web UI.
- In the Service Manager area, click next to HIVE to add a Hive service.
Figure 1 Adding a Hive service
- Set the parameters for adding a Hive service according to Table 1. Use the default values for the parameters that are not listed in the table.
Table 1 Parameter description

| Parameter | Description | Example Value |
| --- | --- | --- |
| Service Name | Name of the service to be created. The value is fixed to hivedev. | hivedev |
| Username | You can set this parameter to any value. | admin |
| Password | You can set this parameter to any value. | - |
| jdbc.driverClassName | Driver class for connecting to Hive. The value is fixed to org.apache.hive.jdbc.HiveDriver. | org.apache.hive.jdbc.HiveDriver |
| jdbc.url | URL for connecting to Hive. The format is ZooKeeper mode: jdbc:hive2://<host>:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2 <host> indicates a ZooKeeper address. To obtain the ZooKeeper address, log in to MRS Manager, choose Services > ZooKeeper > Instance, and view the management IP address of the ZooKeeper instance. | jdbc:hive2://xx.xx.xx.xx:2181,xx.xx.xx.xx:2181,xx.xx.xx.xx:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2 |

Figure 2 Creating hivedev
- Click Add to add the service.
- Start the Ranger Hive plugin to authorize Ranger to manage Hive.
  - On the MRS management console, click the cluster name to go to the cluster details page.
  - Click the Components tab.
  - Choose Hive > Service Configuration and switch Basic to All.
  - Search for hive.security.authorization and modify the following configurations:
    - hive.security.authorization.enabled = true
    - hive.security.authorization.manager = org.apache.ranger.authorization.hive.authorizer.RangerHiveAuthorizerFactory
  - Click Save Configuration and select Restart the affected services or instances to restart the Hive service.
- Add an access control policy.
  - Log in to the Ranger web UI.
  - In the HIVE area, click the added service hivedev.
  - Click Add New Policy to add an access control policy.
  - Set the parameters according to Table 2. Use the default values for the parameters that are not listed in the table.

    Table 2 Parameter description

    | Parameter | Description | Example Value |
    | --- | --- | --- |
    | Policy Name | Policy name | Policy001 |
    | database | Name of the database to which the policy allows access | test |
    | table | Name of the table in that database to which the policy allows access | table1 |
    | Hive Column | Name of the column in that table to which the policy allows access | name |
    | Allow Conditions | Select Group: user group to which the policy allows access; Select User: user in the user group to which the policy allows access; Permissions: permissions that the policy grants to the user | Select Group: testuser; Select User: testuser; Permissions: Create and Select |

    Figure 3 Adding an access control policy for hivedev
  - Click Add to add the policy. According to the preceding policy, user testuser in the testuser user group has the Create and Select permissions on the name column of table1 in the test database of Hive, but no permissions to access other columns.
- Log in to the Hive client by referring to Using Hive from Scratch, and check whether Hive has been integrated into Ranger.
  - Run the following commands to access the Hive beeline:
    source /opt/client/bigdata_env
    beeline
  - Run the following command to set up a connection and log in as user testuser:
    !connect jdbc:hive2://xx.xx.xx.xx:2181,xx.xx.3.81:2181,192.168.3.153:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
    Figure 4 Logging in to Hive
  - Query data and check whether Ranger is integrated.
    Figure 5 Verifying the integration of Ranger with Hive
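
The effect of Policy001 described above, worked through as an added example (not part of the original page, and not MRS or Ranger code): the policy is written in the JSON shape used by Apache Ranger's public v2 policy API, and is_allowed is a simplified model of allow-condition matching only, not Ranger's policy engine. The helper names (res, is_allowed, broad_resources) and the column name id are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

def res(*values):
    # One Ranger resource entry with the non-excluding defaults.
    return {"values": list(values), "isExcludes": False, "isRecursive": False}

# Policy001 from Table 2, in the JSON shape of Ranger's public v2 policy API.
POLICY001 = {
    "service": "hivedev",
    "name": "Policy001",
    "isEnabled": True,
    "resources": {"database": res("test"), "table": res("table1"), "column": res("name")},
    "policyItems": [{
        "groups": ["testuser"],
        "users": ["testuser"],
        "accesses": [{"type": "create", "isAllowed": True},
                     {"type": "select", "isAllowed": True}],
    }],
}

def is_allowed(policy, user, groups, database, table, column, access):
    """Simplified model (assumption): allow conditions only; no deny items,
    exclude flags or tag policies. No matching allow item means no access."""
    if not policy.get("isEnabled", True):
        return False
    request = {"database": database, "table": table, "column": column}
    for key, value in request.items():
        patterns = policy["resources"][key]["values"]
        # Hive identifiers are case-insensitive, so compare in lower case.
        if not any(fnmatchcase(value.lower(), p.lower()) for p in patterns):
            return False
    for item in policy["policyItems"]:
        is_member = user in item.get("users", []) or bool(set(groups) & set(item.get("groups", [])))
        granted = {a["type"] for a in item["accesses"] if a.get("isAllowed")}
        if is_member and access in granted:
            return True
    return False

def broad_resources(policy):
    """Resource keys whose values contain a wildcard, for review before adding the policy."""
    return [k for k, r in policy["resources"].items() if any("*" in v for v in r["values"])]

if __name__ == "__main__":
    print(json.dumps(POLICY001, indent=2))
    for col in ("name", "id"):  # "id" is a constructed column name, not from the page
        ok = is_allowed(POLICY001, "testuser", ["testuser"], "test", "table1", col, "select")
        print(f"select on test.table1.{col}: {'allowed' if ok else 'denied'}")
```

Running broad_resources on a policy before adding it shows whether any of database, table or column was left as a wildcard, which would widen the grant beyond the single column that Table 2 specifies.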