Cloudera Docs

Create a Hive authorizer URL policy

You can create a Hive Authorizer URL policy in Ranger that maintains Read and Write permissions for a location or folder.

Hive supports several commands that include URLs which refer to a current or future data location. Such locations must authorize end user access to that location. Currently, you can create a Ranger HDFS policy that grants "All" permissions for a location, recursively. If no such policy exists, HDFS authorization "falls back" to the current ACL that defines access to a location or folder. By default the value of the parameter is “hdfs:,file:,wasb:,adl:”. If you remove “hdfs:”, access requests will be authorized against the HIVE URL policy and won't check for hdfs plugin or Hadoop ACL. This solution requires maintaining many policies or ACLs at the storage level. You can create a Hive Authorizer URL policy in Ranger that maintains Read and Write permissions for a location or folder.

To create a Hive Authorizer policy:

  1. In Cloudera Manager > HIVE-1 > Configuration > Search. type ranger-hive.
  2. In Hive Service Advanced Configuration Snippet (Safety Valve) for ranger-hive-security.xml, click +.
    1. Under HIVE-1, in Name, type: ranger.plugin.hive.urlauth.filesystem.schemes.
    2. In Value, type: file:
    3. Click Save Changes.
  3. In Cloudera Manager > Hive_On_Tez-1 > Configuration > Search. type ranger-hive.
  4. In Hive Service Advanced Configuration Snippet (Safety Valve) for ranger-hive-security.xml, click +.
    1. Under HIVE_ON_TEZ-1, in Name, type: ranger.plugin.hive.urlauth.filesystem.schemes.
    2. In Value, type: file:
    3. Click Save Changes.
  5. In HIVE-1 > Actions, click Restart.
  6. In HIVE_ON_TEZ-1 > Actions, click Restart.
    By default the value of the parameter is “hdfs:,file:,wasb:,adl:”. If you remove “hdfs:”, access requests will be authorized against the HIVE URL policy and won't check for hdfs plugin or Hadoop ACL.
  7. In Ranger > Resource Policies > Hadoop SQL, click Add New Policy.
  8. In Policy Details, select URL, then type the URL represents the location or folder to which you want Ranger to authorize access: hdfs://<hostname>.root.hwx.site:8020/demo/data.
  9. In Allow Conditions, select user(s), then choose Read and Write permissions, as shown in the following example:
    Figure 1. Creating a Hive Authorizer URL Policy
    Creating a Hive Authorizer URL Policy

    This policy allows the user to READ / WRITE into the location defined by the URL.

    CREATE EXTERNAL TABLE IF NOT EXISTS STUDENT (student_ID INT, FirstName STRING, LastName STRING, year STRING, Major STRING) COMMENT 'Student Names' ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' STORED AS TEXTFILE LOCATION '/demo/data';

    This will create a table reading data from the location /demo/data provided user will have the necessary READ permission to the location along with CREATE permission for table STUDENT

    If the storage system is S3A or ADFS, then URL policy would be maintained for the scheme. For example, s3a://<folder>, abfs://<folder>.

    If the storage system is Ozone, then the URL policy would be maintained for the scheme ofs://volume/bucket/[key | folder], o3fs://volume/bucket/[key | folder].

    Hive supports URL policies for the following commmands that have URLs defined for the respective location:
    CREATE TABLE
    exernal table location
    ALTER TABLE LOCATION
    new location
    ALTER PARTITION LOCATION
    new partition location
    ALTER TABLE ADD PARTITION
    for partition location
    LOAD
    input location

    For additional information about creating Hive commands with URL, see https://cwiki.apache.org/confluence/display/RANGER/Hive+Commands+to+Ranger+Permission+Mapping .

Hive authorizer URL policy with hdfs default value

Learn about the performance issue you face when the ranger.plugin.hive.urlauth.filesystem.schemes configuration includes hdfs: as a default filesystem scheme.

The default value of the ranger.plugin.hive.urlauth.filesystem.schemes configuration is hdfs:,file:,wasb:,adl:. When the ranger.plugin.hive.urlauth.filesystem.schemes configuration includes hdfs: as a default filesystem scheme in both HMS and HiveServer2, and you perform a CREATE EXTERNAL TABLE operation with a LOCATION clause, if both the Ranger Hive and HDFS plugins are enabled, the Ranger Plugin Authorizer performs authorization checks on all files within the target directory. This results in performance degradation that scales up linearly with the number of files. The operation can take a significantly long time to complete or even fail with an error if the specified location contains a large number of subdirectories.

If you remove hdfs: from the configuration, the request will be authorized against the HIVE URL policy and will not check for the Ranger HDFS plugin or Hadoop ACL. This will lead to faster responses and less waiting time.