
Apache Hive protection via Apache Ranger is configured. The connection goes through the ZooKeeper quorum, for example:

jdbc:hive2://d01.test.local:2181,d02.test.local:2181,d03.test.local:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2

Users have the ability to connect to Hive2 by specifying a direct connection to the host, for example:

jdbc:hive2://d01.test.local:10000

But in the policy setting for Hive Service Name there can be only one (file ranger-hive-security.xml).

How then to protect Hive from such a direct connection?

If the policy is configured via ZooKeeper, then the direct connection is not secured and the audit does not work.

Alatau

1 Answer

ZooKeeper quorum is for service high availability; it coordinates all the HS2 instances (from the specified hosts) in your cluster to work together.

As far as I know, specifying the property hive.zookeeper.quorum does not help Ranger to enforce each HS2 host with only one plugin.

To achieve what you desire, I think you can go for a configuration like this:

  • Install the Ranger Hive plugin on each node where you have HS2.
  • Create one service/repository to specify with REPOSITORY_NAME in install.properties.
  • Configure each Hive plugin to use the same service/repository.
  • Restart your HS2s.
  • Create/modify/delete your policies under the service/repository (REPOSITORY_NAME).

In this way, any policy you create/delete/modify under your service will affect all the HS2 nodes as they share the same repo.

Sercan
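
One way to verify the setup described in the answer above, as an added example that is not part of the original answer: the check below takes the `hiveserver2-site.xml` and `ranger-hive-security.xml` contents collected from each HS2 host and reports every host where a direct `:10000` connection would not be covered by the shared Ranger service. The property names are the standard Hive and Ranger ones; the service names `hive_prod` and `hive_test` and the way the files are gathered are assumptions, and the sample data is constructed.

```python
import xml.etree.ElementTree as ET

RANGER_AUTHORIZER = ("org.apache.ranger.authorization.hive.authorizer."
                     "RangerHiveAuthorizerFactory")

def hadoop_props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit(hosts, expected_service):
    """hosts maps hostname -> (hiveserver2-site.xml, ranger-hive-security.xml or None).
    Returns {hostname: [problems]} for each HS2 that would not enforce the shared policies."""
    findings = {}
    for host, (hs2_site, ranger_sec) in hosts.items():
        problems = []
        hs2 = hadoop_props(hs2_site)
        if hs2.get("hive.security.authorization.enabled", "").lower() != "true":
            problems.append("authorization disabled")
        if hs2.get("hive.security.authorization.manager") != RANGER_AUTHORIZER:
            problems.append("Ranger authorizer not configured")
        if ranger_sec is None:
            problems.append("plugin config missing")
        else:
            name = hadoop_props(ranger_sec).get("ranger.plugin.hive.service.name")
            if name != expected_service:
                problems.append(f"service name is {name!r}")
        if problems:
            findings[host] = problems
    return findings

def conf(props):
    """Build a constructed config document for the sample data below."""
    body = "".join(f"<property><name>{k}</name><value>{v}</value></property>"
                   for k, v in props.items())
    return f"<configuration>{body}</configuration>"

# Constructed sample: hostnames follow the question; service names are placeholders.
GOOD_HS2 = conf({"hive.security.authorization.enabled": "true",
                 "hive.security.authorization.manager": RANGER_AUTHORIZER})
SAMPLE = {
    "d01.test.local": (GOOD_HS2, conf({"ranger.plugin.hive.service.name": "hive_prod"})),
    "d02.test.local": (conf({"hive.security.authorization.enabled": "false"}), None),
    "d03.test.local": (GOOD_HS2, conf({"ranger.plugin.hive.service.name": "hive_test"})),
}

if __name__ == "__main__":
    for host, problems in audit(SAMPLE, "hive_prod").items():
        print(host, "->", "; ".join(problems))
```

A host that appears in the output is one where policies and audit from the shared service do not apply, regardless of whether clients reach it through ZooKeeper discovery or directly.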