Common exceptions related to Ranger authorization
Learn about the common exceptions you may encounter with Ranger authorization and the required policy definitions to resolve them.
Trino permission denied errors
Users are unable to run queries on the Trino cluster and receive the following Permission Denied exception:
TrinoUserError(type=USER_ERROR, name=PERMISSION_DENIED, message="Access Denied: Cannot execute query: queryId=20260122_214011_00001_x8bub for <user>", query_id=20260122_214011_00001_x8bub)"
The Ranger Trino authorization service (cm_trino) requires users to have explicit permission to run queries. To provide access, include either the logged-in user or the user's group in the Allow Conditions of the "all - queryid" policy.
As with other Ranger policies, you can enable universal access by assigning the "public" group or "{USER}" in your policy. However, be aware that this allows everyone to access the resource, resulting in maximum security exposure.
Similarly, you must also ensure that the user or LDAP user group is added to the required Trino policies, such as "all - trinouser", "all - catalog, schema, table", "all - catalog, schema", "all - catalog", and so on.
Hive permission denied on Ranger audit path
The Hive service fails to operate correctly because it cannot write audit logs to HDFS. The following AccessControlException is displayed:
org.apache.hadoop.security.AccessControlException: Permission denied: user=hive, access=WRITE, inode="/ranger/audit":hdfs:supergroup:drwxr-xr-x
The Ranger cm_hdfs service requires the "hive" user to be included in the Allow Conditions of the default "all - path" policy or of a specific /ranger/audit policy, which has restricted access to the /ranger/audit path.
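The following Python is an added example, not part of the original documentation. It parses the AccessControlException shown above and evaluates the inode's mode string to show that the HDFS permission bits alone do not give "hive" write access, so the grant has to come from the cm_hdfs policy. The function names and the `user_groups` parameter are illustrative assumptions.

```python
import re

# Message copied from the exception shown above.
SAMPLE = ('org.apache.hadoop.security.AccessControlException: Permission denied: '
          'user=hive, access=WRITE, inode="/ranger/audit":hdfs:supergroup:drwxr-xr-x')

ACE_RE = re.compile(
    r'Permission denied: user=(?P<user>[^,]+), access=(?P<access>\w+), '
    r'inode="(?P<path>[^"]*)":(?P<owner>[^:]+):(?P<group>[^:]+):'
    r'(?P<mode>[-dl][-rwxtT]{9})')


def parse_ace(message):
    """Return the fields of an HDFS AccessControlException, or None."""
    m = ACE_RE.search(message)
    return m.groupdict() if m else None


def needed_bits(access):
    """Map an HDFS action name (WRITE, READ_EXECUTE, ALL, ...) to mode letters."""
    if access == "ALL":
        return "rwx"
    letters = {"READ": "r", "WRITE": "w", "EXECUTE": "x"}
    return "".join(letters[p] for p in access.split("_") if p in letters)


def mode_bits_allow(fields, user_groups=()):
    """Apply the owner/group/other check to the inode's mode string.

    user_groups is an assumption supplied by the caller: the exception
    text does not say which groups the user belongs to.
    """
    perms = fields["mode"][1:].replace("t", "x")  # sticky+execute still grants x
    if fields["user"] == fields["owner"]:
        triplet = perms[0:3]
    elif fields["group"] in user_groups:
        triplet = perms[3:6]
    else:
        triplet = perms[6:9]
    return all(bit in triplet for bit in needed_bits(fields["access"]))


def triage(message, user_groups=()):
    """Parse the message and report whether a Ranger grant is required."""
    fields = parse_ace(message)
    if fields is None:
        return None
    fields["needs_ranger_policy"] = not mode_bits_allow(fields, user_groups)
    return fields


if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the message above, the owner is hdfs and the "other" bits are r-x, so the result reports that a Ranger policy grant is needed for the write to /ranger/audit.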
