Use the Hive chained plugin for HDFS and Ozone

Hive chained plugins allow you to configure only the Hive SQL plugin; the storage policies are then formed automatically based on it. This functionality is implemented using the Resource Mapping Manager.

Prerequisites

  1. Enable the Ranger Hive plugin.

  2. For HDFS, enable the Ranger HDFS plugin with the Hive SQL support parameter enabled.

  3. For Ozone, enable the Ranger Ozone plugin with the Hive SQL support parameter enabled. Make sure that Ozone has been integrated with the cluster services.

  4. Create a database and table with data in Hive:

    CREATE DATABASE testdb;
    CREATE TABLE testdb.test_table (id INT, name STRING)
      STORED AS PARQUET;
    
    INSERT INTO testdb.test_table VALUES (1, 'hello'), (2, 'world');

Usage

  • HDFS

  1. Check the HDFS location:

    $ hdfs dfs -ls /apps/hive/warehouse/testdb.db/test_table

    The expected output is:

    Found 1 items
    -rw-r--r--   3 hive hadoop        618 2026-04-20 11:32 /apps/hive/warehouse/testdb.db/test_table/000000_0

  2. Verify that the mappings have been received from Ranger:

    $ cat <mappings_location>

    where <mappings_location> is the value of the ranger.plugin.hdfs.hive.resource.mappings.file.location HDFS parameter.

  3. Create a Hive policy in Ranger with the following parameters:

    • Policy Name — test-chained-read

    • Hive Database — testdb

    • Hive Table — test_table

    • Column — *

    • Allow Conditions → Select Users — test_user

    • Allow Conditions → Permissions — select

  4. Read from HDFS:

    $ sudo -su test_user hdfs dfs -cat /apps/hive/warehouse/testdb.db/test_table/000000_0

    The expected output is:

    PAR1???00?ʃhelloworld&helloworldJR^<H
                                         hive_schema%id
                                                       %name%L,&idJJ<(<)&??<&
                                                                             name^^&R<6(worldhello<&??@??Lwriter.time.zoneEtc/UTCwriter.model.name4.0.1writer.date.prolepticfalsewriter.zone.conversion.legacyfalseJparquet-mr version 1.15.2 (build 859eac165b08f927fa14590c33bc5f476405fb68),?PAR1

    If the permissions are insufficient, you will get the following error:

    cat: org.apache.ranger.authorization.hadoop.exceptions.RangerAccessControlException:
    Permission denied: user=test_user, access=EXECUTE, inode="/apps/hive/warehouse/testdb.db/test_table/000000_0"

  • Ozone

  1. Check the Ozone location:

    $ ozone fs -ls ofs://adhom/apps/hive/warehouse/testdb.db/test_table

    The expected output is:

    Found 1 items
    drwxrwxrwx   - hive macbook          0 2026-04-21 12:28 ofs://adhom/apps/hive/warehouse/testdb.db/test_table/000000_0

  2. Verify that the mappings have been received from Ranger:

    $ cat <mappings_location>

    where <mappings_location> is the value of the ranger.plugin.ozone.hive.resource.mappings.file.location Ozone parameter.

  3. Create a Hive policy in Ranger with the following parameters:

    • Policy Name — test-chained-read

    • Hive Database — testdb

    • Hive Table — test_table

    • Column — *

    • Allow Conditions → Select Users — test_user

    • Allow Conditions → Permissions — select

  4. Read from Ozone:

    $ sudo -su test_user ozone fs -cat ofs://adhom/apps/hive/warehouse/testdb.db/test_table/000000_0

    The expected output is:

    PAR1???00?ʃhelloworld&helloworldJR^<H
                                         hive_schema%id
                                                       %name%L,&idJJ<(<)&??<&
                                                                             name^^&R<6(worldhello<&??@??Lwriter.time.zoneEtc/UTCwriter.model.name4.0.1writer.date.prolepticfalsewriter.zone.conversion.legacyfalseJparquet-mr version 1.15.2 (build 859eac165b08f927fa14590c33bc5f476405fb68),?PAR1

    If the permissions are insufficient, you will get the following error:

    cat: User test_user doesn't have READ permission to access key Volume:apps Bucket:hive Key:warehouse/testdb.db/test_table/000000_0
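
A scripted version of step 4 for both HDFS and Ozone, as an added example that is not part of the original documentation: it runs the read as the user named in the policy and as a control user, and classifies each result by the Parquet `PAR1` magic bytes or by the two denial messages shown above. The control user `other_user`, the `RUN_CHECKS` switch and the function names are assumptions; `other_user` is assumed to have neither a Ranger policy nor file-system permissions on the table.

```shell
#!/bin/sh
# Added example: verify the chained Hive policy in both directions.
# "other_user" and RUN_CHECKS are assumptions, not names from the documentation.

# classify_read <capture-file>: prints ALLOWED if the capture is a Parquet
# file (starts and ends with the PAR1 magic), DENIED if it holds one of the
# two authorization errors shown above, otherwise UNKNOWN (for example a
# connection failure, which must not be counted as a successful deny).
classify_read() {
    file=$1
    if [ "$(head -c 4 "$file")" = "PAR1" ] &&
       [ "$(tail -c 4 "$file")" = "PAR1" ]; then
        echo ALLOWED
    elif grep -a -q -e 'RangerAccessControlException' \
                    -e "doesn't have READ permission" "$file"; then
        echo DENIED
    else
        echo UNKNOWN
    fi
}

# expect_access <ALLOWED|DENIED> <user> <command...>: run the read as <user>
# and return non-zero unless the outcome matches the expectation.
expect_access() {
    want=$1; user=$2; shift 2
    capture=$(mktemp)
    # A denied read exits non-zero; that is an outcome to classify, not an error.
    sudo -u "$user" "$@" >"$capture" 2>&1 || true
    got=$(classify_read "$capture")
    rm -f "$capture"
    if [ "$got" != "$want" ]; then
        echo "FAIL: $user got $got, expected $want: $*" >&2
        return 1
    fi
    echo "ok: $user $got"
}

# Run on a cluster node with RUN_CHECKS=1; paths are the ones used above.
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    f=/apps/hive/warehouse/testdb.db/test_table/000000_0
    expect_access ALLOWED test_user  hdfs dfs -cat "$f"
    expect_access DENIED  other_user hdfs dfs -cat "$f"
    expect_access ALLOWED test_user  ozone fs -cat "ofs://adhom$f"
    expect_access DENIED  other_user ozone fs -cat "ofs://adhom$f"
fi
```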