Hive plugin

Enable plugin

To enable the Ranger Hive plugin, follow the steps below:

  1. Go to the CLUSTERS → <your_ADH_cluster> → Services page.

  2. Click the green arrow next to Hive and select the Manage Ranger Plugin action.

  3. Select the required state (enabled or disabled) using the checkbox.

    [Figure: Plugin state]

    If you choose the enabled state, a default policy is applied in Ranger for the Hive plugin.

  4. Click Run.

Add a new policy to a service

To add a new policy to an existing Hive service, perform the following actions:

  1. On the Service Manager page, click an existing service on the Hive tab.

    [Figure: Service Manager]

  2. On the <Hive service> page, click Add new policy.

    [Figure: Add new policy]

  3. Go to <Hive_existing_service> → Create Policy and fill in the required fields.

    In the Policy Details section:

    • Policy Name — the policy name. This name cannot be duplicated across the system. This field is required.

      • enable — the policy radio button, enabled by default.

      • normal/override — allows you to specify an override policy. When the override state is selected, the access permissions of the new policy override the access permissions in existing policies. This feature can be used with Add Validity Period to create temporary access policies that override existing policies.

    • Policy Label — provides the following features:

      • Allows grouping sets of policies under one or more labels.

      • Allows searching for policies by label names. You can use search on the Policy listing page and on the Report page.

      • Helps to export/import policies. If a user has to export some specific set of policies, then they can search for a policy label and export the specific set of policies.

    • database — specify the applicable database name. The autocomplete feature displays available databases based on the entered text. Allowed values:

      • Select the include state to allow access by default.

      • Select the exclude state to deny access.

      The following options are available only if the database option is selected:

      • table/udf — specifies a table-based or UDF-based policy. Select table or udf, then enter the applicable table or UDF name.

      • Hive Column — specify the applicable Hive column name. If you are using the Ranger Hive plugin with HiveServer2, where column or description permissions include all, you must set a parameter for Hive columns to display as expected. In Ambari → Hive, in ranger-hive-security.xml, enter: xasecure.hive.describetable.showcolumns.authorization.option=show-all. If this parameter is not set, a HiveAccessControlException error is returned.

    • url — specify the cloud storage path (for example, s3a://dev-admin/demo/campaigns.txt) for which the end user needs permission to read Hive data from or write Hive data to cloud storage. Permissions:

      • READ — permits the user to perform HiveServer2 operations that use S3 as the data source for Hive tables.

      • WRITE — permits the user to perform HiveServer2 operations that write data to the specified S3 location.

    • hiveservice — used only when Permissions=Service Admin. Enables a user who has Service Admin permission in Ranger to run the stop query API: kill query <queryID>. This field is required.

    • global — create global policies that use matching patterns and define the desired default access.

      UDF create is a privileged operation. Make sure you grant this permission only to trusted users.

    • Description — describe the purpose of the policy. This field is optional.

    • Audit Logging — click YES to enable audit for the policy.

    • Add Validity Period — specify a start and end time for the policy.

    In the Allow Conditions section:

    • Select Role — specify the role to which this policy applies. A role is a collection of permissions. Roles present an easier way to manage a set of permissions based on specific access criteria.

    • Select Group — specify the groups to which this policy applies. To promote the user to Administrator, select the Delegate Admin checkbox. Administrators can edit or delete the policy and create child policies. The public group contains all users, so granting access to the public group grants access to all users.

    • Select User — specify a user to which this policy applies (outside an already-specified group) or make the user an Administrator for this policy. Administrators can create child policies based on existing policies.

    • Permissions — add or edit permissions.

    • Delegate Admin — use to grant administrator privileges to the users or groups specified in the policy.

    Click the grey plus icon to add additional conditions. Conditions take priority in the order listed in the policy. The condition at the top of the list is applied first, then the second, then the third, and so on.

  4. Click Add.
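
A review pass over Hive policies for the settings this section flags (public group, Delegate Admin, Audit Logging, override without a validity period, UDF create). This is an added example, not part of the product documentation. It assumes the policies are available as JSON in Ranger's policy model (`policyItems`, `isAuditEnabled`, `policyPriority`, `validitySchedules`), which this page does not show, and the sample data is constructed.

```python
import json

# Constructed sample in the shape of a Ranger policy export (assumption, not from the page).
SAMPLE_EXPORT = json.loads("""
{"policies": [
  {"name": "sales_read", "isEnabled": true, "isAuditEnabled": true,
   "policyPriority": 0, "validitySchedules": [],
   "resources": {"database": {"values": ["sales"]}, "table": {"values": ["*"]},
                 "column": {"values": ["*"]}},
   "policyItems": [{"groups": ["analysts"], "users": [], "delegateAdmin": false,
                    "accesses": [{"type": "select", "isAllowed": true}]}]},
  {"name": "tmp_override", "isEnabled": true, "isAuditEnabled": false,
   "policyPriority": 1, "validitySchedules": [],
   "resources": {"database": {"values": ["*"]}, "udf": {"values": ["*"]}},
   "policyItems": [{"groups": ["public"], "users": [], "delegateAdmin": true,
                    "accesses": [{"type": "create", "isAllowed": true}]}]}
]}
""")

def review_policy(policy):
    """Return a list of findings for one policy dict."""
    findings = []
    if not policy.get("isEnabled", True):
        return findings  # disabled policies grant nothing
    if not policy.get("isAuditEnabled", True):
        findings.append("audit logging is off")
    # policyPriority 1 is the override state; the page pairs it with a validity period
    if policy.get("policyPriority", 0) == 1 and not policy.get("validitySchedules"):
        findings.append("override policy has no validity period")
    is_udf = "udf" in policy.get("resources", {})
    for item in policy.get("policyItems", []):
        granted = {a["type"] for a in item.get("accesses", []) if a.get("isAllowed", True)}
        to_public = "public" in item.get("groups", [])
        if to_public:
            findings.append("allow condition applies to the public group (all users)")
        if item.get("delegateAdmin"):
            findings.append("delegate admin granted" + (" to public" if to_public else ""))
        if is_udf and granted & {"create", "all"}:
            findings.append("UDF create granted; restrict to trusted users")
    return findings

def review_export(export):
    """Map policy name -> findings, keeping only policies with findings."""
    report = {p["name"]: review_policy(p) for p in export.get("policies", [])}
    return {name: f for name, f in report.items() if f}

if __name__ == "__main__":
    for name, findings in review_export(SAMPLE_EXPORT).items():
        for f in findings:
            print(f"{name}: {f}")
```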
