Objective:
In this article, we will discuss how to verify whether Dremio can successfully read the policies from the Ranger Server.
Description:
In most cases, Dremio users and admins get access denied errors when reading Hive tables with Ranger-based authorization. The possible scenarios for this error are:
1. The user doesn't have the required privileges on the databases.
2. Dremio doesn't have policy download privileges in Ranger.
3. Configuration issues, etc.
To isolate the issue among scenarios #1, #2 and #3, we can check the Ranger policy cache in Dremio.
How It works:
The Ranger client can download the Ranger policies from the Ranger Server database and save them to a file on the client machine. This file is used to verify the policies present in the Ranger DB and the permissions associated with those policies.
Dremio can also download the policies to the coordinator when the property "ranger.plugin.hive.policy.cache.dir" is set in the Hive source settings, under the advanced options section. Refer to the screenshot below.
The screenshot reveals that the ranger hive policy cache directory has been designated as /tmp. Once the source settings are saved, and the user launches a Hive query in Dremio, the Ranger plugin downloads the policies from Ranger DB and records them in a JSON file (such as cm-ranger-hive.json), located in the /tmp directory on the Dremio coordinator.
If there are no files in the /tmp directory on the coordinator, it could indicate that Dremio is facing difficulties in reading Ranger Policies from the Ranger Server. There could be various scenarios where Dremio is unable to download the policies, despite providing download auth permissions (#2) to the Dremio service user in the Ranger server. These scenarios (#3) will be discussed in a separate article.
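The check described above, as an added example that is not code from Dremio or Ranger: it looks for a parsable policy cache file in the configured directory and lists the users and groups that an enabled policy allows a given access on a database. The function names are hypothetical, and the field names (policies, isEnabled, resources, policyItems, accesses) are the Ranger policy JSON layout as assumed here; deny items, exclusions and table- or column-level resources are not evaluated.

```python
import json
import tempfile
from fnmatch import fnmatchcase
from pathlib import Path

SAMPLE = {  # constructed sample in the assumed cache-file layout (not real policy data)
    "serviceName": "cm_hive", "policyVersion": 7, "policies": [
        {"name": "sales_read", "isEnabled": True,
         "resources": {"database": {"values": ["sales"]}},
         "policyItems": [{"users": ["alice"], "groups": ["analysts"],
                          "accesses": [{"type": "select", "isAllowed": True}]}]},
        {"name": "hr_read", "isEnabled": False,  # disabled: must grant nothing
         "resources": {"database": {"values": ["hr"]}},
         "policyItems": [{"users": ["bob"], "groups": [],
                          "accesses": [{"type": "select", "isAllowed": True}]}]},
    ],
}

def load_policy_caches(cache_dir):
    """Map file name -> parsed cache. Empty result: nothing was downloaded (#2 or #3)."""
    found = {}
    for f in sorted(Path(cache_dir).glob("*.json")):
        try:
            doc = json.loads(f.read_text())
        except (OSError, ValueError):
            continue  # an unreadable or truncated file is not a usable cache
        if isinstance(doc, dict) and "policies" in doc:
            found[f.name] = doc
    return found

def grantees(doc, database, access="select"):
    """Users and groups that an enabled policy allows `access` on `database`."""
    users, groups = set(), set()
    for pol in doc.get("policies", []):
        dbs = pol.get("resources", {}).get("database", {}).get("values", [])
        if not pol.get("isEnabled", True) or not any(fnmatchcase(database, d) for d in dbs):
            continue
        for item in pol.get("policyItems", []):
            if any(a.get("type") == access and a.get("isAllowed", True)
                   for a in item.get("accesses", [])):
                users.update(item.get("users", []))
                groups.update(item.get("groups", []))
    return sorted(users), sorted(groups)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stands in for /tmp on the coordinator
        Path(d, "cm-ranger-hive.json").write_text(json.dumps(SAMPLE))
        for name, doc in load_policy_caches(d).items():
            print(name, doc.get("policyVersion"), grantees(doc, "sales"))
```

An empty result from `load_policy_caches` corresponds to the missing-file case (#2 or #3), while a populated cache in which the user and their groups are absent from `grantees` points to #1.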
Reference:
https://docs.dremio.com/software/data-sources/hive-ranger/#configure-via-ranger-service-manager