After Ranger Authentication Is Enabled for Hive, Unauthorized Tables and Databases Can Be Viewed on the Hue Page

Symptom

In a normal cluster with Kerberos authentication disabled, after Ranger authentication is enabled for Hive, cluster users can view unauthorized data tables and databases on the Hue page.

This section applies only to MRS 3.2.1 or later.

Cause Analysis

After Ranger authentication is enabled for Hive, the default Hive policies contain two public group policies about databases. All users belong to the public group. By default, the public group is granted the permission to create tables in the default database and create other databases. Therefore, all users have the show databases and show tables permissions by default. If some users do not need to have these two permissions, you can delete the default public group policies on the Ranger web UI and grant the required user permissions.

Procedure

1. Log in to the Ranger web UI.
2. In the Service Manager area, click the Hive component name to access the Hive security access policy page.
3. Click in the rows containing the all - database and default database tables columns policies.
4. Delete the public group policies.
   Figure 1 all - database policy
   
   Figure 2 default database tables columns policy
   

5. On the Hive security access policy page, click Add New Policy to add resource access policies for related users or user groups. For details, see Configuring Component Permission Policies.
   

   Hive can display only authorized databases and tables. Hue can display only authorized databases. After a database is authorized, all its tables are displayed.

6. Log in to Manager and choose Cluster > Services > Hive > Configurations > All Configurations > HiveServer(Role) > Customization. Add the following two parameters to hive.server.customized.configs, save the configuration, and rolling-restart the service:

   hive-ext.skip.ranger.showtables.auth=false
   hive.show.all.table=false