Hive on MR3 integrates with Ranger exactly in the same way that Hive on Tez does. Below we illustrate how to integrate Ranger into an installation of Hive on MR3 in a Kerberos-enabled secure cluster. In a non-secure cluster without Kerberos, the user can skip those steps related to Kerberos tickets. As a running example, we assume that a Ranger service RED_hive is already active and that user hive starts HiveServer2.

The classpath of HiveServer2 should NOT include such files as ranger-hive-plugin-shim-2.4.0.jar and ranger-plugin-classloader-2.4.0.jar (which uses The classpath should include only those files under the directory ranger-hive-plugin-impl/.


Extend variable HIVE_MYSQL_DRIVER in to include the path to Ranger jar files, e.g.:


2. Copy the configuration files for the Hive plugin of Ranger

Locate the following configuration files for the Hive plugin of Ranger (which are typically found under /etc/hive) and make sure that they are readable to user hive:

  • ranger-hive-audit.xml
  • ranger-hive-security.xml
  • ranger-hive-policymgr-ssl.xml

Then either copy these files to a configuration directory, or create their links. For example, in order to run HiveServer2 with --tpcds --hivesrc3, we could create links in the directory conf/tpcds/hive3:

$ ln -s /etc/hive/conf.server/ranger-hive-audit.xml ranger-hive-audit.xml
$ ln -s /etc/hive/conf.server/ranger-hive-security.xml ranger-hive-security.xml
$ ln -s /etc/hive/conf.server/ranger-hive-policymgr-ssl.xml ranger-hive-policymgr-ssl.xml

3. Set the Kerberos principal and the keytab file

ranger-hive-audit.xml sets a configuration key xasecure.audit.jaas.Client.option.keyTab:


Retrieve the Kerberos principal (e.g., hive/red0@RED) from the keytab file, and update as follows:


4. Check the directory containing the policy cache

ranger-hive-security.xml sets a configuration key ranger.plugin.hive.policy.cache.dir to a directory containing the policy cache:


Make sure that the directory is accessible to user hive. Depending on the setting of Ranger, HiveServer2 may read a few more files (e.g., /etc/ranger/RED_hive/cred.jceks). Make sure that they are also accessible to user hive.

5. Update hive-site.xml to use Ranger

Set configuration keys specific to Ranger in hive-site.xml. For example, in order to run HiveServer2 with --tpcds --hivesrc3, we could add the following entries in conf/tpcds/hive3/hive-site.xml:






Note that it is okay to set hive.server2.enable.doAs to true because enabling impersonation is orthogonal to using Ranger.

6. Run HiveServer2 and Beeline

Run HiveServer2 as user hive, e.g.:

# as user hive
$ hive/ start --tpcds --hivesrc3