Create a Hive Policy
To add a new policy to an existing Hive service:
On the Service Manager page, select an existing service under Hive.
The List of Policies page appears.
[D]Click
.The Create Policy page appears.
[D]Complete the Create Policy page as follows:
Table 3.46. Policy Details
Field Description Policy Name Enter an appropriate policy name. This name cannot be duplicated across the system. This field is mandatory. The policy is enabled by default. Database Type in the applicable database name. The autocomplete feature displays available databases based on the entered text.
Include is selected by default to allow access. Select Exclude to deny access..
Table To continue adding a table-based policy, keep Table selected.
Type in the applicable table name. The autocomplete feature displays available tables based on the entered text.
Include is selected by default to allow access. Select Exclude to deny access.
Column Type in the applicable Hive column name. The autocomplete feature displays available columns based on the entered text.
Include is selected by default to allow access. Select Exclude to deny access.
If using the Ranger Hive plugin with HiveServer2 or HiveServer2-LLAP, where column or description permissions include
all
, you must set a parameter for Hive columns to display as expected: in Ambari>Hive, underranger-hive-security.xml
, enter:xasecure.hive.describetable.showcolumns.authorization.option
=show-all
. Failure to set this parameter will result in the error message HiveAccessControlException.URL The URL field in the Hive Policy is applicable only for cloud users.
Specify the cloud storage path (for example
s3a://dev-admin/demo/campaigns.txt
) where the end-user permission is needed to read/write the Hive data from/to a cloud storage path.Permissions: READ operation on the URL permits the user to perform HiveServer2 operations which use S3 as data source for Hive tables. WRITE operation on the URL permits the user to perform HiveServer2 operations which write data to the specified S3 location.
This feature is a Technical Preview: it is not ready for production deployment.
Description (Optional) Describe the purpose of the policy.
If using the Ranger Hive plugin with HiveServer2 or HiveServer2-LLAP, where column or description permissions include
all
, you must set a parameter for Hive columns to display as expected: in Ambari>Hive, underranger-hive-security.xml
, enter:xasecure.hive.describetable.showcolumns.authorization.option
=show-all
. Failure to set this parameter will result in the error message HiveAccessControlException.Hive Service Name hiveservice is used only in conjunction with Permissions=Service Admin. Enables a user who has Service Admin permission in Ranger to run the kill query API: kill query
. Supported value:<queryID>
*
. (Required)Audit Logging Specify whether this policy is audited. (De-select to disable auditing). Table 3.47. Allow Conditions
Label
Description
Select Group Specify a group to which this policy applies. To designate the group as an Administrator for the chosen resource, select the Delegate Admin check box. (Administrators can create child policies based on existing policies).
The public group contains all users, so granting access to the public group grants access to all users.
Select User Specify one or more users to which this policy applies. To designate the group as an Administrator for the chosen resource, select the Delegate Admin check box. (Administrators can create child policies based on existing policies). Permissions Add or edit permissions: Select, Update, Create, Drop, Alter, Index, Lock, All, ReplAdmin, Service Admin, Select/Deselect All.
If using the Ranger Hive plugin with HiveServer2 or HiveServer2-LLAP, where column or description permissions include
all
, you must set a parameter for Hive columns to display as expected: in Ambari>Hive, underranger-hive-security.xml
, enter:xasecure.hive.describetable.showcolumns.authorization.option
=show-all
. Failure to set this parameter will result in the error message HiveAccessControlException.In order to execute repl dump, repl load, or repl status commands, you must set a parameter: in Ambari>Hive, under
hive-site.xml
, enter:hive.distcp.privileged.doAs
=hive
.Service Admin is used in conjunction with Hive Service Name and the kill query API:
kill query
.<queryID>
Delegate Admin When Delegate Admin is selected, administrative privileges are assigned to the applicable users and groups. Delegated administrators can update and delete policies, and can also create child policies based on the original policy. For reference information, see: Wildcard Characters and {USER} Variable.
You can use the Plus (+) symbol to add additional conditions. Conditions are evaluated in the order listed in the policy. The condition at the top of the list is applied first, then the second, then the third, and so on.
Click
.
Note | |
---|---|
The Ranger Hive plugin only protects HiveServer2; Hive CLI is not supported by Ranger. |