After Ranger Authentication Is Enabled for Hive, Unauthorized Tables and Databases Can Be Viewed on the Hue Page
Symptom
In a normal cluster with Kerberos authentication disabled, after Ranger authentication is enabled for Hive, cluster users can view unauthorized data tables and databases on the Hue page.

This section applies only to MRS 3.2.1 or later.
Cause Analysis
After Ranger authentication is enabled for Hive, the default Hive policies contain two public group policies about databases. All users belong to the public group. By default, the public group is granted the permission to create tables in the default database and create other databases. Therefore, all users have the show databases and show tables permissions by default. If some users do not need to have these two permissions, you can delete the default public group policies on the Ranger web UI and grant the required user permissions.
Procedure
- Log in to the Ranger web UI.
- In the Service Manager area, click the Hive component name to access the Hive security access policy page.
- Click [icon] in the rows containing the all - database and default database tables columns policies.
- Delete the public group policies.
Figure 1 all - database policy
Figure 2 default database tables columns policy
- On the Hive security access policy page, click Add New Policy to add resource access policies for related users or user groups. For details, see Configuring Component Permission Policies.
Hive can display only authorized databases and tables. Hue can display only authorized databases. After a database is authorized, all its tables are displayed.
- Log in to Manager and choose Cluster > Services > Hive > Configurations > All Configurations > HiveServer(Role) > Customization. Add the following two parameters to hive.server.customized.configs, save the configuration, and rolling-restart the service:
hive-ext.skip.ranger.showtables.auth=false
hive.show.all.table=false
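One way to confirm that no public group grant remains after the policies are deleted, added here as an example and not part of the original procedure or of the MRS product code: the function scans a list of Hive policies in Apache Ranger's JSON policy layout for enabled allow items that still name the public group. The sample policies are constructed; the analyst_read policy, the sales database and the user alice are hypothetical.

```python
import json

# Constructed sample in the JSON layout Apache Ranger uses for policies.
# The first two names are the default policies this page refers to; the
# "analyst_read" policy and user "alice" are hypothetical.
SAMPLE_EXPORT = """[
 {"name": "all - database", "isEnabled": true,
  "resources": {"database": {"values": ["*"]}},
  "policyItems": [{"groups": ["public"], "users": [],
                   "accesses": [{"type": "create", "isAllowed": true}]}]},
 {"name": "default database tables columns", "isEnabled": true,
  "resources": {"database": {"values": ["default"]},
                "table": {"values": ["*"]}, "column": {"values": ["*"]}},
  "policyItems": [{"groups": ["public"], "users": [],
                   "accesses": [{"type": "create", "isAllowed": true}]}]},
 {"name": "analyst_read", "isEnabled": true,
  "resources": {"database": {"values": ["sales"]},
                "table": {"values": ["*"]}, "column": {"values": ["*"]}},
  "policyItems": [{"groups": [], "users": ["alice"],
                   "accesses": [{"type": "select", "isAllowed": true}]}]}
]"""
SAMPLE_POLICIES = json.loads(SAMPLE_EXPORT)


def public_grants(policies, group="public"):
    """List (policy name, resources, access types) for each enabled allow
    item that still names `group`; an empty list means none remain."""
    findings = []
    for policy in policies:
        if not policy.get("isEnabled", True):
            continue  # disabled policies are not enforced
        resources = {kind: spec.get("values", [])
                     for kind, spec in policy.get("resources", {}).items()}
        for item in policy.get("policyItems", []):
            if group not in item.get("groups", []):
                continue
            allowed = sorted(a["type"] for a in item.get("accesses", [])
                             if a.get("isAllowed", True))
            if allowed:
                findings.append((policy["name"], resources, allowed))
    return findings


if __name__ == "__main__":
    for name, resources, allowed in public_grants(SAMPLE_POLICIES):
        print(f"{name}: public group still has {allowed} on {resources}")
```

An empty result for the Hive service means every remaining grant names a specific user or a non-public group.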