EMR Hive Plugin: S3 URL Authorization

Overview

Beginning with Privacera Platform 9.x and EMR 6.10+, the EMR Hive plugin enforces S3 URL–level authorization checks consistent with Apache Ranger’s implementation.

As a result, any Hive query that accesses an S3 path requires explicit permissions defined for the corresponding S3 URL.

No Configuration Required

This feature is enabled by default and does not require any additional configuration.

Key Points

| Aspect | Details |
| --- | --- |
| S3 URL check for Hive | Enabled by default and mandatory |
| Can URL check be disabled? | No |
| Are privacera_s3 policies used by Hive? | No — Hive requires its own URL policies |
| Supported versions | Privacera 9.x+ and EMR 6.10+ |

Important

  • Hive does not inherit permissions from the privacera_s3 service.
  • Access is denied unless a corresponding S3 URL policy is defined in privacera_hive.

Required S3 URL Policies

Create S3 URL policies in the privacera_hive service to authorize the S3 paths accessed by Hive queries.

Example Policy

| Field | Value |
| --- | --- |
| Service | privacera_hive |
| Resource | s3://my-bucket/data/* |
| Permissions | read, write |
| Users/Groups/Roles | As applicable |

This policy must explicitly match the S3 path being accessed.

Policy Creation Steps

  1. Navigate to the Privacera Portal.
  2. Go to Access Management > Policies.
  3. Select the privacera_hive service.
  4. Click Add New Policy.
  5. Configure the policy with the required S3 URL path and permissions.
  6. Assign the appropriate users, groups, or roles.
  7. Save the policy.

Troubleshooting

Access Denied Errors

If you encounter access denied errors when running Hive queries against S3 locations:

  1. Verify that S3 URL policies exist in the privacera_hive service: Ensure that the S3 path being accessed is covered by a corresponding S3 URL policy in the privacera_hive service.

  2. Check policy path matching: The policy path must match the exact S3 location being accessed. Use wildcards (*) appropriately to cover subdirectories or multiple objects.

  3. Verify permissions: Confirm that the relevant user, group, or role has the necessary permissions (e.g., read, write) defined in the policy.

  4. Check audit logs: Review the Privacera audit logs to identify which policy evaluation failed and to confirm the exact S3 path and permissions involved.

Example Error

Access denied by Ranger plugin: URL authorization check failed for s3://my-bucket/data/

Solution: Create an S3 URL policy in the privacera_hive service with the resource s3://my-bucket/data/* and grant the appropriate permissions to the required users, groups, or roles.
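
Troubleshooting checks 1 to 3 above can be run offline against a list of policies before a query is retried. The Python below is an added example, not Privacera or Ranger code: the policy dictionaries, `matches`, `check_access` and the result codes are hypothetical, the sample data is constructed, and the `*`/`?` matching is a simplified approximation of the plugin's wildcard handling (deny rules, groups and roles are not modelled).

```python
import re

# Constructed sample policies; field names are hypothetical, not an export format.
POLICIES = [
    {"service": "privacera_hive", "resource": "s3://my-bucket/data/*",
     "permissions": {"read", "write"}, "principals": {"etl_user"}},
    {"service": "privacera_hive", "resource": "s3://my-bucket/reports/*",
     "permissions": {"read"}, "principals": {"analyst"}},
    # A privacera_s3 grant, present to show that Hive does not inherit it.
    {"service": "privacera_s3", "resource": "s3://my-bucket/raw/*",
     "permissions": {"read", "write"}, "principals": {"etl_user"}},
]

def matches(pattern, url):
    """Simplified wildcard match: * is any run of characters, ? is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, url) is not None

def check_access(policies, principal, url, permission):
    """Return a result code explaining whether Hive would find a usable policy."""
    hive = [p for p in policies
            if p["service"] == "privacera_hive" and matches(p["resource"], url)]
    if not hive:
        # Distinguish "nothing anywhere" from "granted only in another service".
        other = any(matches(p["resource"], url) for p in policies
                    if p["service"] != "privacera_hive")
        return "ONLY_IN_OTHER_SERVICE" if other else "NO_HIVE_URL_POLICY"
    for p in hive:
        if principal in p["principals"] and permission in p["permissions"]:
            return "ALLOWED"
    return "PERMISSION_MISSING"

if __name__ == "__main__":
    # Constructed requests: (principal, S3 URL from the query, permission needed).
    requests = [
        ("etl_user", "s3://my-bucket/data/", "read"),
        ("etl_user", "s3://my-bucket/raw/2024/part-0.csv", "read"),
        ("analyst", "s3://my-bucket/reports/q1.parquet", "write"),
        ("analyst", "s3://other-bucket/tmp/", "read"),
    ]
    for principal, url, perm in requests:
        print(f"{check_access(POLICIES, principal, url, perm):22} {principal} {perm} {url}")
```

The `ONLY_IN_OTHER_SERVICE` result marks the case from the Important note: the path is granted in privacera_s3, but Hive still denies it until a matching URL policy exists in privacera_hive.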