ACLs are defined for different resources in Ranger to restrict or allow access to Hive databases or tables; however, the user is denied (or allowed) access in contradiction of the ACLs defined in Ranger.
The Hive Metastore uses HadoopDefaultMetastoreAuthenticator to resolve the user -> group mappings. This is configured by the hive.security.metastore.authenticator.manager property, but it should not be changed unless LDAP or another authentication method is enabled. This class looks up the local Linux users and groups to build the Hive user -> group mappings.

This implies that if we want user aitor to belong to group foogroup, we have to create user aitor and add it to group foogroup at the Linux level on the Hive Metastore server. Otherwise, the group membership will not be propagated to the Ranger checks.
Even if Linux is configured to authenticate users against an identity service (such as LDAP or AD), the users must be local in order to propagate group membership to the Hive Metastore, and therefore to the Ranger Hive plugin.
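As an added example (not part of the original article), the POSIX shell check below resolves a user's groups from the local passwd and group databases on the Metastore host, the local-account lookup the article describes, so an administrator can confirm the membership exists there before debugging Ranger policies. The function names and the sample passwd/group entries are assumptions constructed for the demo.

```shell
#!/bin/sh
# local_groups USER [PASSWD_FILE] [GROUP_FILE]
# Prints the primary and supplementary groups of USER as the local Linux
# account database defines them, one per line. Prints nothing and returns 1
# when USER is not a local account (an LDAP/AD-only user, for instance).
local_groups() {
    user="$1"; passwd="${2:-/etc/passwd}"; group="${3:-/etc/group}"
    gid=$(awk -F: -v u="$user" '$1 == u { print $4; exit }' "$passwd")
    [ -n "$gid" ] || return 1
    # primary group: the group whose numeric id matches the passwd gid column
    awk -F: -v g="$gid" '$3 == g { print $1 }' "$group"
    # supplementary groups: USER appears in the comma-separated member column
    awk -F: -v u="$user" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
    }' "$group"
}

# in_local_group USER GROUP [PASSWD_FILE] [GROUP_FILE]
# Returns 0 when the Metastore host would map USER into GROUP, 1 otherwise;
# a 1 here is why a Ranger policy granted to GROUP does not apply to USER.
in_local_group() {
    local_groups "$1" "${3:-/etc/passwd}" "${4:-/etc/group}" | grep -qx "$2"
}

# Demo on constructed sample data (not a real host): aitor is a local user and
# a member of foogroup, bob is local but not a member, carol is not local.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'aitor:x:1001:1001::/home/aitor:/bin/sh' \
                  'bob:x:1002:1002::/home/bob:/bin/sh' > "$dir/passwd"
    printf '%s\n' 'aitor:x:1001:' 'bob:x:1002:' 'foogroup:x:2000:aitor' > "$dir/group"
    for u in aitor bob carol; do
        if in_local_group "$u" foogroup "$dir/passwd" "$dir/group"; then
            echo "$u -> foogroup: present on this host (Ranger will see it)"
        else
            echo "$u -> foogroup: missing on this host (group policies will not apply)"
        fi
    done
    rm -rf "$dir"
}
demo
```

On the real Metastore host, call in_local_group without the file arguments to read /etc/passwd and /etc/group directly.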