This is an automated email from the ASF dual-hosted git repository. rmani pushed a commit to branch RANGER-5424_Patch in repository https://gitbox.apache.org/repos/asf/ranger.git
commit 7fe104a0815ce30651173829aa7dae71a574fcd4 Author: Ramesh Mani <[email protected]> AuthorDate: Tue Dec 16 11:39:40 2025 -0800 RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue
---
 .../scripts/admin/create-ranger-services.py | 4 ++
 .../scripts/hive/ranger-hive-setup.sh | 80 +++++++++++++++-------
 2 files changed, 61 insertions(+), 23 deletions(-)
diff --git a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
index 28ea03429..23aca395e 100644
--- a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
+++ b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
@@ -21,6 +21,10 @@ def service_not_exists(service):
 'policy.download.auth.users': 'hdfs',
 'tag.download.auth.users': 'hdfs',
 'userstore.download.auth.users': 'hdfs',
+ 'default-policy.1.name': 'hive-tez-path',
+ 'default-policy.1.resource.path': '/*,/tmp',
+ 'default-policy.1.policyItem.1.users': 'hive',
+ 'default-policy.1.policyItem.1.accessTypes': 'read,write,execute',
 'ranger.plugin.hdfs.policy.refresh.synchronous':'true'}})
 hive = RangerService({'name': 'dev_hive', 'type': 'hive',
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
index bacf00400..a68e3e33e 100755
--- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
+++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
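Review bot: In create-ranger-services.py, `'default-policy.1.resource.path': '/*,/tmp'` grants the `hive` user read, write and execute on what looks like the whole HDFS namespace, far more than the `hive-tez-path` name implies, and `/tmp` is already covered by `/*`. A default policy this broad means HDFS authorization for `hive` is effectively off in the dev service, which can hide policy problems the Docker setup exists to exercise. I would scope it to the directories the Hive setup script creates, e.g. `'default-policy.1.resource.path': '/apps/tez,/tmp/hive,/user/hive',`, adding the warehouse path if INSERT needs it. The `RangerService` dict that holds these entries starts outside the hunk, so whether the path match is recursive cannot be confirmed from here.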
@@ -139,32 +139,66 @@ cp ${HADOOP_HOME}/etc/hadoop/yarn-site.xml ${HIVE_HOME}/conf/
 cp ${TEZ_HOME}/conf/tez-site.xml ${HIVE_HOME}/conf/
 # Upload Tez libraries to HDFS
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs
-
-# Recreate Tez tarball if it doesn't exist (it gets removed during Docker build)
-if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
- echo "Recreating Tez tarball for HDFS upload..."
- cd /opt
- tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+if [ "${KERBEROS_ENABLED}" == "true" ]; then
+ echo "Kerberos enabled - authenticating as hive user..."
+ su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hive
+
+ # Recreate Tez tarball if it doesn't exist
+ if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
+ echo "Recreating Tez tarball for HDFS upload..."
+ cd /opt
+ tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+ fi
+
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hive
+ su -c "kdestroy" hive
+else
+ # Non-Kerberos mode - use hdfs user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs
+
+ # Recreate Tez tarball if it doesn't exist (it gets removed during Docker build)
+ if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
+ echo "Recreating Tez tarball for HDFS upload..."
+ cd /opt
+ tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+ fi
+
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs
 fi
-su -c "${HADOOP_HOME}/bin/hdfs dfs -put /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs
-
 # Create HDFS user directory for hive
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs
-
-# Create HDFS /tmp/hive directory for Tez staging
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs
-
-# Fix /tmp directory permissions for Ranger (critical for INSERT operations)
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs
-
-# Create /user/root directory for YARN job execution
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs
+if [ "${KERBEROS_ENABLED}" == "true" ]; then
+ su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hive
+
+ # Create HDFS /tmp/hive directory for Tez staging
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hive
+
+ # Create /user/root directory for YARN job execution
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hive
+ su -c "kdestroy" hive
+else
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs
+
+ # Create HDFS /tmp/hive directory for Tez staging
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs
+
+ # Fix /tmp directory permissions for Ranger (critical for INSERT operations)
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs
+
+ # Create /user/root directory for YARN job execution
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs
+fi
 # Initialize Hive schema
 su -c "${HIVE_HOME}/bin/schematool -dbType ${RANGER_DB_TYPE} -initSchema" hive
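Review bot: Neither `kinit` call in the Kerberos branches is checked, so with a wrong keytab or principal every following `hdfs dfs` command fails on its own and, unless `set -e` is in effect outside the hunk, the script still proceeds to `schematool`. The two branches also repeat the same HDFS commands and the tarball check with only the account differing, which makes it easy for them to drift apart. Selecting the account once, stopping on a failed `kinit`, and running the shared commands under that account would fix both, as sketched below. Separately, `chmod 777 /tmp` leaves the directory world-writable without the sticky bit, so any user can delete or rename another user's staging files; `1777` keeps it writable while preventing that, assuming nothing in this setup relies on cross-user deletes.

```shell
# Pick the account once so the HDFS steps are not duplicated per mode
if [ "${KERBEROS_ENABLED}" == "true" ]; then
  HDFS_SETUP_USER=hive
  if ! su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive; then
    echo "kinit for hive failed - HDFS setup cannot continue" >&2
    exit 1
  fi
else
  HDFS_SETUP_USER=hdfs
fi

su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" "${HDFS_SETUP_USER}"
# … unchanged: Tez tarball recreation, -put -f and chmod 755 on /apps/tez, run as ${HDFS_SETUP_USER} …
# … unchanged: mkdir/chmod for /user/hive, /tmp/hive and /user/root, run as ${HDFS_SETUP_USER} …

# Sticky bit keeps /tmp writable for all but stops cross-user deletes
su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 1777 /tmp" "${HDFS_SETUP_USER}"

if [ "${KERBEROS_ENABLED}" == "true" ]; then
  su -c "kdestroy" hive
fi
```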
