You can create a Hive Authorizer URL policy in Ranger that maintains Read and Write
permissions for a location or folder.
Hive supports several commands that include URLs which refer to a current or future
data location. Such locations must authorize end user access to that location.
Currently, you can create a Ranger HDFS policy that grants "All" permissions for a
location, recursively. If no such policy exists, HDFS authorization "falls back" to
the current ACL that defines access to a location or folder. By default the value
of the parameter is “hdfs:,file:”. If you remove “hdfs:”, access requests will be
authorized against the HIVE URL policy and won't check for hdfs plugin or Hadoop
ACL. This solution requires maintaining many policies or ACLs at the storage level.
You can create a Hive Authorizer URL policy in Ranger that maintains Read and Write
permissions for a location or folder.
To create a Hive Authorizer policy:
In Cloudera Manager > HIVE-1 > Configuration > Search. type ranger-hive.
In Hive Service Advanced Configuration Snippet (Safety Valve) for
ranger-hive-security.xml, click +.
Under HIVE-1, in Name,
type:
ranger.plugin.hive.urlauth.filesystem.schemes.
In Value, type:
file:
Click Save Changes.
In Cloudera Manager > Hive_On_Tez-1 > Configuration > Search. type ranger-hive.
In Hive Service Advanced Configuration Snippet (Safety Valve) for
ranger-hive-security.xml, click +.
Under HIVE_ON_TEZ-1, in
Name, type:
ranger.plugin.hive.urlauth.filesystem.schemes.
In Value, type:
file:
Click Save Changes.
In HIVE-1 > Actions, click Restart.
In HIVE_ON_TEZ-1 > Actions, click Restart.
By default the value of the parameter is “hdfs:,file:”. If you remove “hdfs:”,
access requests will be authorized against the HIVE URL policy and won't check
for hdfs plugin or Hadoop ACL.
In Ranger > Resource Policies > Hadoop SQL, click Add New Policy.
In Policy Details, select URL,
then type the URL represents the location or folder to which you want Ranger to
authorize access:
hdfs://<hostname>.root.hwx.site:8020/demo/data.
In Allow Conditions, select user(s), then choose
Read and Write permissions, as
shown in the following example:
This policy allows the user to READ / WRITE into the location defined by
the URL.
CREATE EXTERNAL TABLE IF NOT EXISTS STUDENT (student_ID INT,
FirstName STRING, LastName STRING, year STRING, Major STRING) COMMENT 'Student
Names' ROW FORMAT DELIMITED FIELDS TERMINATED BY ',' STORED AS TEXTFILE LOCATION
'/demo/data';
This will create a table reading data from the
location /demo/data provided user will have the necessary READ permission to
the location along with CREATE permission for table STUDENT
If the
storage system is S3A or ADFS, then URL policy would be maintained for the
scheme. For example, s3a://<folder>, abfs://<folder>.
Hive
supports URL policies for the following commmands that have URLs defined for
the respective location: