From 7fe104a0815ce30651173829aa7dae71a574fcd4 Mon Sep 17 00:00:00 2001
From: Ramesh Mani
Date: Tue, 16 Dec 2025 11:39:40 -0800
Subject: [PATCH 1/6] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue
---
 .../scripts/admin/create-ranger-services.py | 4 +
 .../scripts/hive/ranger-hive-setup.sh | 80 +++++++++++++------
 2 files changed, 61 insertions(+), 23 deletions(-)
diff --git a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
index 28ea034293..23aca395e4 100644
--- a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
+++ b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
@@ -21,6 +21,10 @@ def service_not_exists(service):
 'policy.download.auth.users': 'hdfs',
 'tag.download.auth.users': 'hdfs',
 'userstore.download.auth.users': 'hdfs',
+ 'default-policy.1.name': 'hive-tez-path',
+ 'default-policy.1.resource.path': '/*,/tmp',
+ 'default-policy.1.policyItem.1.users': 'hive',
+ 'default-policy.1.policyItem.1.accessTypes': 'read,write,execute',
 'ranger.plugin.hdfs.policy.refresh.synchronous':'true'}})
 hive = RangerService({'name': 'dev_hive', 'type': 'hive',
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
index bacf00400f..a68e3e33ed 100755
--- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
+++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
@@ -139,32 +139,66 @@ cp ${HADOOP_HOME}/etc/hadoop/yarn-site.xml ${HIVE_HOME}/conf/
 cp ${TEZ_HOME}/conf/tez-site.xml ${HIVE_HOME}/conf/
 # Upload Tez libraries to HDFS
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs
-
-# Recreate Tez tarball if it doesn't exist (it gets removed during Docker build)
-if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
- echo "Recreating Tez tarball for HDFS upload..."
- cd /opt
- tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+if [ "${KERBEROS_ENABLED}" == "true" ]; then
+ echo "Kerberos enabled - authenticating as hive user..."
+ su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hive
+
+ # Recreate Tez tarball if it doesn't exist
+ if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
+ echo "Recreating Tez tarball for HDFS upload..."
+ cd /opt
+ tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+ fi
+
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hive
+ su -c "kdestroy" hive
+else
+ # Non-Kerberos mode - use hdfs user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs
+
+ # Recreate Tez tarball if it doesn't exist (it gets removed during Docker build)
+ if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
+ echo "Recreating Tez tarball for HDFS upload..."
+ cd /opt
+ tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+ fi
+
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs
 fi
-su -c "${HADOOP_HOME}/bin/hdfs dfs -put /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs
-
 # Create HDFS user directory for hive
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs
-
-# Create HDFS /tmp/hive directory for Tez staging
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs
-
-# Fix /tmp directory permissions for Ranger (critical for INSERT operations)
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs
-
-# Create /user/root directory for YARN job execution
-su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs
-su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs
+if [ "${KERBEROS_ENABLED}" == "true" ]; then
+ su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hive
+
+ # Create HDFS /tmp/hive directory for Tez staging
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hive
+
+ # Create /user/root directory for YARN job execution
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hive
+ su -c "kdestroy" hive
+else
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs
+
+ # Create HDFS /tmp/hive directory for Tez staging
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs
+
+ # Fix /tmp directory permissions for Ranger (critical for INSERT operations)
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs
+
+ # Create /user/root directory for YARN job execution
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs
+fi
 # Initialize Hive schema
 su -c "${HIVE_HOME}/bin/schematool -dbType ${RANGER_DB_TYPE} -initSchema" hive
From 6d06e780c677e5f13882957c5735865aa91deeab Mon Sep 17 00:00:00 2001
From: Ramesh Mani
Date: Wed, 17 Dec 2025 09:30:33 -0800
Subject: [PATCH 2/6] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue - review comment fix
---
 .../scripts/admin/create-ranger-services.py | 2 +
 .../scripts/hive/ranger-hive-setup.sh | 90 +++++++++----------
 2 files changed, 46 insertions(+), 46 deletions(-)
diff --git a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
index 23aca395e4..a59e737a0b 100644
--- a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
+++ b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
@@ -21,8 +21,10 @@ def service_not_exists(service):
 'policy.download.auth.users': 'hdfs',
 'tag.download.auth.users': 'hdfs',
 'userstore.download.auth.users': 'hdfs',
+ 'setup.additional.default.policies': 'true',
 'default-policy.1.name': 'hive-tez-path',
 'default-policy.1.resource.path': '/*,/tmp',
+ 'default-policy.1.resource.path.is-recursive': 'true',
 'default-policy.1.policyItem.1.users': 'hive',
 'default-policy.1.policyItem.1.accessTypes': 'read,write,execute',
 'ranger.plugin.hdfs.policy.refresh.synchronous':'true'}})
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
index a68e3e33ed..5daae22e61 100755
--- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
+++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
@@ -128,6 +128,36 @@ cat < ${TEZ_HOME}/conf/tez-site.xml
 EOF
+rebuild_tez_tarball() {
+ if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
+ echo "Recreating Tez tarball for HDFS upload..."
+ cd /opt
+ tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+ fi
+}
+
+create_hdfs_directories_and_files() {
+ exec_user=$1;
+
+ # prepare tez directories and files in hdfs folders
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" $exec_user
+
+ # Create HDFS user directory for hive
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" $exec_user
+
+ # Create HDFS /tmp/hive directory for Tez staging
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" $exec_user
+
+ # Create /user/root directory for YARN job execution
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" $exec_user
+}
+
 # Copy Tez JARs to Hive lib directory
 cp ${TEZ_HOME}/lib/tez-*.jar ${HIVE_HOME}/lib/
 cp ${TEZ_HOME}/tez-*.jar ${HIVE_HOME}/lib/
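Review bot: Every `su -c "... hdfs dfs ..."` call in the new `create_hdfs_directories_and_files` discards its exit status, so a failed `-mkdir` or `-put` goes unnoticed and the script carries on with HDFS only partly prepared. The same patch makes the caller abort when `kinit` fails; the matching treatment here is `su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" "$exec_user" || return 1` on each step, with `create_hdfs_directories_and_files 'hive' || exit 1` at the call sites. `exec_user` is also assigned without `local`, so it lands in the script's global scope; assuming the script runs under bash, as its `==` tests suggest, `local exec_user=$1` keeps it inside the function.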
@@ -142,62 +172,30 @@ cp ${TEZ_HOME}/conf/tez-site.xml ${HIVE_HOME}/conf/
 if [ "${KERBEROS_ENABLED}" == "true" ]; then
 echo "Kerberos enabled - authenticating as hive user..."
 su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hive
+ rc=$?
+ if [ $rc -ne 0 ]; then
+ echo "ERROR: kinit failed for hive principal (exit code=$rc)" >&2
+ exit $rc
+ fi
+
+ echo "kinit successful, proceeding operations as hive user"
 # Recreate Tez tarball if it doesn't exist
- if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
- echo "Recreating Tez tarball for HDFS upload..."
- cd /opt
- tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
- fi
+ rebuild_tez_tarball
+
+ #create hdfs directories and files for hive and tez
+ create_hdfs_directories_and_files 'hive'
- su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hive
 su -c "kdestroy" hive
 else
 # Non-Kerberos mode - use hdfs user
 su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs
 # Recreate Tez tarball if it doesn't exist (it gets removed during Docker build)
- if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
- echo "Recreating Tez tarball for HDFS upload..."
- cd /opt
- tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
- fi
-
- su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" hdfs
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" hdfs
-fi
-
-# Create HDFS user directory for hive
-if [ "${KERBEROS_ENABLED}" == "true" ]; then
- su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hive
-
- # Create HDFS /tmp/hive directory for Tez staging
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hive
-
- # Create /user/root directory for YARN job execution
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hive
- su -c "kdestroy" hive
-else
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" hdfs
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" hdfs
-
- # Create HDFS /tmp/hive directory for Tez staging
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" hdfs
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" hdfs
-
- # Fix /tmp directory permissions for Ranger (critical for INSERT operations)
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" hdfs
+ rebuild_tez_tarball
- # Create /user/root directory for YARN job execution
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" hdfs
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" hdfs
+ #create hdfs directories and files for hive and tez
+ create_hdfs_directories_and_files 'hdfs'
 fi
 # Initialize Hive schema
From 0f678e9888dda2654a21eda11944e6341b352fe4 Mon Sep 17 00:00:00 2001
From: Ramesh Mani
Date: Wed, 17 Dec 2025 10:53:42 -0800
Subject: [PATCH 3/6] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue - review comment fix #2
---
 .../scripts/hive/ranger-hive-setup.sh | 29 +++++++++----------
 1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
index 5daae22e61..442824c83a 100755
--- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
+++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
@@ -131,31 +131,30 @@ EOF
 rebuild_tez_tarball() {
 if [ ! -f "/opt/apache-tez-${TEZ_VERSION}-bin.tar.gz" ]; then
 echo "Recreating Tez tarball for HDFS upload..."
- cd /opt
- tar czf apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
+ tar -C /opt -czf /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz apache-tez-${TEZ_VERSION}-bin/
 fi
 }
 create_hdfs_directories_and_files() {
- exec_user=$1;
+ exec_user=$1
 # prepare tez directories and files in hdfs folders
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" $exec_user
- su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" $exec_user
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -put -f /opt/apache-tez-${TEZ_VERSION}-bin.tar.gz /apps/tez/" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 755 /apps/tez" "$exec_user"
 # Create HDFS user directory for hive
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" $exec_user
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" "$exec_user"
 # Create HDFS /tmp/hive directory for Tez staging
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" $exec_user
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /tmp/hive" $exec_user
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /tmp" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 1777 /tmp/hive" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 1777 /tmp" "$exec_user"
 # Create /user/root directory for YARN job execution
- su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" $exec_user
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" $exec_user
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" "$exec_user"
 }
 # Copy Tez JARs to Hive lib directory
@@ -183,7 +182,7 @@ if [ "${KERBEROS_ENABLED}" == "true" ]; then
 # Recreate Tez tarball if it doesn't exist
 rebuild_tez_tarball
- #create hdfs directories and files for hive and tez
+ # Create hdfs directories and files for hive and tez
 create_hdfs_directories_and_files 'hive'
 su -c "kdestroy" hive
@@ -194,7 +193,7 @@ else
 # Recreate Tez tarball if it doesn't exist (it gets removed during Docker build)
 rebuild_tez_tarball
- #create hdfs directories and files for hive and tez
+ # Create hdfs directories and files for hive and tez
 create_hdfs_directories_and_files 'hdfs'
 fi
From 434aa236b358b889003793d13173b948a26ddef2 Mon Sep 17 00:00:00 2001
From: Ramesh Mani
Date: Mon, 29 Dec 2025 13:16:43 -0800
Subject: [PATCH 4/6] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue - review comment fix #3
---
 .../scripts/admin/create-ranger-services.py | 2 +-
 .../ranger-docker/scripts/hive/ranger-hive-setup.sh | 10 ++++++----
 dev-support/ranger-docker/scripts/kdc/entrypoint.sh | 2 ++
 3 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
index a59e737a0b..bca70dc5a2 100644
--- a/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
+++ b/dev-support/ranger-docker/scripts/admin/create-ranger-services.py
@@ -23,7 +23,7 @@ def service_not_exists(service):
 'userstore.download.auth.users': 'hdfs',
 'setup.additional.default.policies': 'true',
 'default-policy.1.name': 'hive-tez-path',
- 'default-policy.1.resource.path': '/*,/tmp',
+ 'default-policy.1.resource.path': '/apps/tez,/tmp/hive',
 'default-policy.1.resource.path.is-recursive': 'true',
 'default-policy.1.policyItem.1.users': 'hive',
 'default-policy.1.policyItem.1.accessTypes': 'read,write,execute',
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
index 442824c83a..60aaecd8ac 100755
--- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
+++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
@@ -27,6 +27,8 @@ EOF
 if [ "${KERBEROS_ENABLED}" == "true" ]
 then
 ${RANGER_SCRIPTS}/wait_for_keytab.sh hive.keytab
+ ${RANGER_SCRIPTS}/wait_for_keytab.sh hdfs.keytab
+ ${RANGER_SCRIPTS}/wait_for_keytab.sh HTTP.keytab
 fi
 cp ${RANGER_SCRIPTS}/hive-site.xml ${HIVE_HOME}/conf/hive-site.xml
@@ -169,11 +171,11 @@ cp ${TEZ_HOME}/conf/tez-site.xml ${HIVE_HOME}/conf/
 # Upload Tez libraries to HDFS
 if [ "${KERBEROS_ENABLED}" == "true" ]; then
- echo "Kerberos enabled - authenticating as hive user..."
- su -c "kinit -kt /etc/keytabs/hive.keytab hive/\`hostname -f\`@EXAMPLE.COM" hive
+ echo "Kerberos enabled - authenticating as hdfs user..."
+ su -c "kinit -kt /etc/keytabs/hdfs.keytab hdfs/\`hostname -f\`@EXAMPLE.COM" hdfs
 rc=$?
 if [ $rc -ne 0 ]; then
- echo "ERROR: kinit failed for hive principal (exit code=$rc)" >&2
+ echo "ERROR: kinit failed for hdfs principal (exit code=$rc)" >&2
 exit $rc
 fi
@@ -183,7 +185,7 @@ if [ "${KERBEROS_ENABLED}" == "true" ]; then
 rebuild_tez_tarball
 # Create hdfs directories and files for hive and tez
- create_hdfs_directories_and_files 'hive'
+ create_hdfs_directories_and_files 'hdfs'
 su -c "kdestroy" hive
 else
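Review bot: In create-ranger-services.py the narrowed policy still grants `hive` `read,write,execute` on `/apps/tez`, the directory that ranger-hive-setup.sh fills with the Tez tarball. After this patch the upload runs as `hdfs`, so as far as the visible scripts show `hive` only needs to read that path, while write access would let any Hive-side process replace the libraries that later jobs load. Splitting the entry into two default policies keeps `/tmp/hive` writable and makes `/apps/tez` read-only for `hive`; the second policy's name below is a constructed example, and the enclosing dict starts and ends outside the hunk.

```python
# … unchanged: download.auth.users entries, 'setup.additional.default.policies', 'default-policy.1.name' …
'default-policy.1.resource.path': '/tmp/hive',
# … unchanged: default-policy.1 is-recursive, users and accessTypes entries …
'default-policy.2.name': 'hive-tez-lib-readonly',  # constructed example name
'default-policy.2.resource.path': '/apps/tez',
'default-policy.2.resource.path.is-recursive': 'true',
'default-policy.2.policyItem.1.users': 'hive',
'default-policy.2.policyItem.1.accessTypes': 'read,execute',
```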
diff --git a/dev-support/ranger-docker/scripts/kdc/entrypoint.sh b/dev-support/ranger-docker/scripts/kdc/entrypoint.sh
index ffb9638a2b..61dd2bd170 100644
--- a/dev-support/ranger-docker/scripts/kdc/entrypoint.sh
+++ b/dev-support/ranger-docker/scripts/kdc/entrypoint.sh
@@ -92,6 +92,8 @@ function create_keytabs() {
 create_principal_and_keytab hbase ranger-hbase
 create_principal_and_keytab hive ranger-hive
+ create_principal_and_keytab hdfs ranger-hive
+ create_principal_and_keytab HTTP ranger-hive
 create_principal_and_keytab kafka ranger-kafka
From 0930d79211c83e69dfb86a029c176f1ee073b84f Mon Sep 17 00:00:00 2001
From: Ramesh Mani
Date: Mon, 29 Dec 2025 14:21:03 -0800
Subject: [PATCH 5/6] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue - fixed co-pilot review comments
---
 dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
index 60aaecd8ac..65adbd1bba 100755
--- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
+++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
@@ -187,7 +187,7 @@ if [ "${KERBEROS_ENABLED}" == "true" ]; then
 # Create hdfs directories and files for hive and tez
 create_hdfs_directories_and_files 'hdfs'
- su -c "kdestroy" hive
+ su -c "kdestroy" hdfs
 else
 # Non-Kerberos mode - use hdfs user
 su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /apps/tez" hdfs
From f40939c4d54e9af42f2a28d5dc2df304e5d78108 Mon Sep 17 00:00:00 2001
From: Ramesh Mani
Date: Mon, 29 Dec 2025 20:46:06 -0800
Subject: [PATCH 6/6] RANGER-5424:Hive Insert command failed in Ranger Docker setup due to authentication and authorization issue - fixed issue with folder permissions scope
---
 .../ranger-docker/scripts/hive/ranger-hive-setup.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
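Review bot: In kdc/entrypoint.sh, `create_principal_and_keytab hdfs ranger-hive` puts a keytab for an `hdfs/<host>` principal inside the Hive container, and ranger-hive-setup.sh authenticates with it to create and chmod top-level HDFS directories, which suggests the principal maps to the HDFS superuser. The keytab stays on disk after setup, so anything in that container able to read `/etc/keytabs/hdfs.keytab` keeps the same level of access; the hunk does not show what file mode `create_principal_and_keytab` applies. I would add a comment above the new line, `# hdfs principal for ranger-hive: used only by ranger-hive-setup.sh to bootstrap HDFS directories`, and confirm the keytab is readable by the `hdfs` user only. `create_keytabs` starts and ends outside the hunk.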
diff --git a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
index 65adbd1bba..5cbaa0ef54 100755
--- a/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
+++ b/dev-support/ranger-docker/scripts/hive/ranger-hive-setup.sh
@@ -147,16 +147,15 @@ create_hdfs_directories_and_files() {
 # Create HDFS user directory for hive
 su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/hive" "$exec_user"
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 777 /user/hive" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 770 /user/hive" "$exec_user"
 # Create HDFS /tmp/hive directory for Tez staging
 su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /tmp/hive" "$exec_user"
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 1777 /tmp/hive" "$exec_user"
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 1777 /tmp" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod -R 770 /tmp/hive" "$exec_user"
 # Create /user/root directory for YARN job execution
 su -c "${HADOOP_HOME}/bin/hdfs dfs -mkdir -p /user/root" "$exec_user"
- su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 777 /user/root" "$exec_user"
+ su -c "${HADOOP_HOME}/bin/hdfs dfs -chmod 770 /user/root" "$exec_user"
 }
 # Copy Tez JARs to Hive lib directory
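Review bot: The new `770` modes on `/user/hive`, `/tmp/hive` and `/user/root` remove all access for users outside the owner and group, but nothing in `create_hdfs_directories_and_files` sets the owner or group of these directories. Both call sites now pass `hdfs` as `exec_user`, so the directories are presumably owned by `hdfs`, and `hive` and `root` reach them only through shared group membership or a Ranger policy; the default policy added in create-ranger-services.py covers `/apps/tez` and `/tmp/hive`, not `/user/hive` or `/user/root`. An explicit owner after each `-mkdir`, for example `su -c "${HADOOP_HOME}/bin/hdfs dfs -chown -R hive /user/hive" "$exec_user"` and the same with `root` for `/user/root`, would let the tighter modes work without depending on group membership. The function starts above the hunk.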