IBM Data and AI

BI 4.2 - Big SQL cannot create external hadoop table with Ranger policies

External Hadoop Tables + RWX permissions (in Ranger) + No DATAACCESS Privilege = Cannot create external tables

It just works if you either provide DATAACCESS to a specific user or set HDFS ACLs to RWX.

For example, assume that user USERX is granted READ, WRITE, and EXECUTE privileges through a Ranger policy on a given location, and USERX tries to create an external table on that location. USERX will get the SQL0551N error message:
```
SQL0551N "" does not have the privilege to perform operation
"" on object "".
SQLSTATE=42501 "" does not have the privilege to perform operation
"" on object "", SQLCODE=-551, SQLSTATE=42501
```
See: https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.0/com.ibm.swg.im.infosphere.biginsights.trb.doc/doc/trb_bsl_ranger.html

Possible workarounds:

1. Provide *DATAACCESS* privilege to the user - however, the user then gets access to everything: https://www.ibm.com/support/knowledgecenter/en/SSEPGG_11.1.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053934.html
   * DATAACCESS is the authority that allows access to data within a specific database.
   * For all tables, views, materialized query tables, and nicknames it gives these authorities and privileges:
     * LOAD authority on the database
     * SELECT privilege (including system catalog tables and views)
     * INSERT privilege
     * UPDATE privilege
     * DELETE privilege
2. Grant RWX privilege on the location and its contents in HDFS

However, the customer expects this to work with Apache Ranger - it works for Hadoop Tables (not external), so they expect the same behaviour for External Hadoop Tables too.
  • Guest
  • Dec 28 2018
  • Will not implement
Idea Priority High
Customer Name IBM
  • Admin
    Priya Tiruthani commented
    19 Jul, 2019 05:48pm

    There's some confusion on using Ranger capabilities with Hadoop ACLs. Please try the latest version and reach out to us if you still have trouble with Ranger. Many Ranger capabilities were introduced in recent releases. Thanks!
