Hive

The basic Hive URL parameters can be copied and pasted from Hive config panel, Hive -> HiveServer2 JDBC URL. When cluster is kerberized, the URL must be enhanced by HiveServer2 Kerberos principal name, Hive -> Configs -> Advanced -> Advance hive-site -> hive.server2.authentication.kerberos.principal. Finally, the URL for beeline command line will look like:

beeline -u "jdbc:hive2://a1.fyre.ibm.com:2181,aa1.fyre.ibm.com:2181,hurds1.fyre.ibm.com:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/[email protected]"

Test

kinit user3 beeline -u "jdbc:hive2://a1.fyre.ibm.com:2181,aa1.fyre.ibm.com:2181,hurds1.fyre.ibm.com:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/[email protected]"

Connecting to jdbc:hive2://a1.fyre.ibm.com:2181,aa1.fyre.ibm.com:2181,hurds1.fyre.ibm.com:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2;principal=hive/[email protected]
Connected to: Apache Hive (version 1.2.1000.2.6.5.1050-37)
Driver: Hive JDBC (version 1.2.1000.2.6.5.1050-37)
Transaction isolation: TRANSACTION_REPEATABLE_READ
Beeline version 1.2.1000.2.6.5.1050-37 by Apache Hive
0: jdbc:hive2://a1.fyre.ibm.com:2181,aa1.fyre> 

Enable Hive Ranger Plugin and test

https://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/

Test

Prepare a simple test.

https://github.com/stanislawbartkowski/hdpactivedirectory#ad-users-and-groups-used-for-testing

• User2 belongs to dataadmin group and has granted all privileges in database datalake
• User3 is a member of datascience group and can access and read data in datalake but cannot modify anything.
• User1 does not belong to any groups, thus should be denied any access try.

Create an adequate Ranger Policy.

Cloudera: The name of Ranger Hive Manager entry is HADOOP SQL. Make sure that Hive and Hive on Tez is enabled for Ranger

As user2

kinit user2 beeline -u ....

create database datalake;
use datalake;
create table test (x int);
insert into test values(1);
insert into test values(2);
insert into test values(3);

As user3

kinit user3 beeline -u ...

use datalake;
select * from test;
+---------+--+
| test.x  |
+---------+--+
| 1       |
| 2       |
| 3       |
+---------+--+
3 rows selected (0,2 seconds)
select sum(x) from test;
+------+--+
| _c0  |
+------+--+
| 6    |
+------+--+

Try to delete table.

drop table test;

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user3] does not have [DROP] privilege on [datalake/test] (state=42000,code=40000)

Try to add data to table test

insert into test values(9);

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user3] does not have [UPDATE] privilege on [datalake/test] (state=42000,code=40000)

As user1

kinit user1; bee -u ... use datalake;

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user1] does not have [USE] privilege on [datalake] (state=42000,code=40000)

select * from datalake.test;

Error: Error while compiling statement: FAILED: HiveAccessControlException Permission denied: user [user1] does not have [SELECT] privilege on [datalake/test/*] (state=42000,code=40000)