Create a Hive authorizer URL policy

You can create a Hive Authorizer URL policy in Ranger that maintains Read and Write permissions for a location or folder.

Hive supports several commands that include URLs which refer to a current or future data location. Such locations must authorize end user access to that location. Currently, you can create a Ranger HDFS policy that grants "All" permissions for a location, recursively. If no such policy exists, HDFS authorization "falls back" to the current ACL that defines access to a location or folder. By default the value of the parameter is “hdfs:,file:”. If you remove “hdfs:”, access requests will be authorized against the HIVE URL policy and won't check for hdfs plugin or Hadoop ACL. This solution requires maintaining many policies or ACLs at the storage level. You can create a Hive Authorizer URL policy in Ranger that maintains Read and Write permissions for a location or folder.

To create a Hive Authorizer policy:

  1. In Cloudera Manager > HIVE-1 > Configuration > Search. type ranger-hive.
  2. In Hive Service Advanced Configuration Snippet (Safety Valve) for ranger-hive-security.xml, click +.
    1. Under HIVE-1, in Name, type: ranger.plugin.hive.urlauth.filesystem.schemes.
    2. In Value, type: file:
    3. Click Save Changes.
  3. In Cloudera Manager > Hive_On_Tez-1 > Configuration > Search. type ranger-hive.
  4. In Hive Service Advanced Configuration Snippet (Safety Valve) for ranger-hive-security.xml, click +.
    1. Under HIVE_ON_TEZ-1, in Name, type: ranger.plugin.hive.urlauth.filesystem.schemes.
    2. In Value, type: file:
    3. Click Save Changes.
  5. In HIVE-1 > Actions, click Restart.
  6. In HIVE_ON_TEZ-1 > Actions, click Restart.
    By default the value of the parameter is “hdfs:,file:”. If you remove “hdfs:”, access requests will be authorized against the HIVE URL policy and won't check for hdfs plugin or Hadoop ACL.
  7. In Ranger > Resource Policies > Hadoop SQL, click Add New Policy.
  8. In Policy Details, select URL, then type the URL represents the location or folder to which you want Ranger to authorize access: hdfs://<hostname>.root.hwx.site:8020/demo/data.
  9. In Allow Conditions, select user(s), then choose Read and Write permissions, as shown in the following example:
    Figure 1. Creating a Hive Authorizer URL Policy
    Creating a Hive Authorizer URL Policy

    This policy allows the user to READ / WRITE into the location defined by the URL.

    CREATE EXTERNAL TABLE IF NOT EXISTS STUDENT (student_ID INT, FirstName STRING, LastName STRING, year STRING, Major STRING) COMMENT 'Student Names' ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' STORED AS TEXTFILE LOCATION '/demo/data';

    This will create a table reading data from the location /demo/data provided user will have the necessary READ permission to the location along with CREATE permission for table STUDENT

    If the storage system is S3A or ADFS, then URL policy would be maintained for the scheme. For example, s3a://<folder>, abfs://<folder>.

    Hive supports URL policies for the following commmands that have URLs defined for the respective location:
    CREATE TABLE
    exernal table location
    ALTER TABLE LOCATION
    new location
    ALTER PARTITION LOCATION
    new partition location
    ALTER TABLE ADD PARTITION
    for partition location
    LOAD
    input location

    For additional information about creating Hive commands with URL, see https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping .