IBM Support

PH20398: RANGER PLUG IN FOR BIGSQL NOT PULLING IN RANGER HADOOP POLICIES IN PLACE

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as fixed if next.

Error description

  • The Ranger Hadoop policy for the bigsql table has been
restricted and the user has rwx on the directory.

When a user tries to drop a table they see the following
error:

SQL Exception(s) Encountered:
[State:
4250][Code: -551]: The statement failed because the
authorization ID does not have the required authorization or
privilege to perform the operation. Authorization ID: "USER".
Operation: "DROP TABLE". Object: "/analytics/shared/julie1"..
SQLCODE=-551, SQLSTATE= 4250, DRIVER=3.72.46

Once this fix is applied, you must set the hdfs.proxyuser.bigsql
configuration properties so that bigsql can impersonate the
connected user and perform the check against the Ranger HDFS
plugin.  These are set in Ambari in HDFS Configs -> Advanced ->
Custom core-site
.
hadoop.proxyuser.<bigsql>.groups
    The default value is *. Preferably, in order to be more
restrictive, for this fix this property needs to include all
those user groups that bigsql must impersonate to enable the
Ranger HDFS check.
.
hadoop.proxyuser.<bigsql>.hosts
    The default value is *. Preferably, in order to be more
restrictive, this property should be set to a comma-separated
list of all Big SQL head nodes.
.
Until the fix is available, use the local fix documented below.

Local fix

  • Manually set the permissions on the hdfs folder for the user to
include execute (rwx)

Problem summary

  • Please see problem description

Problem conclusion

  • 



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH20398
    • 

  • Reported component name
    IBM BIG SQL
    • 

  • Reported component ID
    5737E7400
    • 

  • Reported release
    504
    • 

  • Status
    CLOSED  FIN
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2019-12-17
    • 

  • Closed date
    2020-09-09
    • 

  • Last modified date
    2020-09-09
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB10","label":"Data and AI"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSCRJT","label":"IBM Db2 Big SQL"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"504"}]
              

                                                                    

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            10 September 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback