How to prevent Apache Hive from connecting directly to jdbc bypassing Zookeeper
Question
Apache Hive protection via Apache Ranger is configured.
The connection goes through the zookeeper quorum, for example:
jdbc:hive2://d01.test.local:2181,d02.test.local:2181,d03.test.local:2181/;serviceDiscoveryMode=zooKeeper;zooKeeperNamespace=hiveserver2
Users have the ability to connect to Hive2 by specifying a direct connection to the host, for example:
jdbc:hive2://d01.test.local:10000
But in the policy setting for Hive Service Name there can be only one (file ranger-hive-security.xml).
How then to protect Hive from such a direct connection?
If the policy is configured via zookeeper, then the direct connection is not secured and the audit does not work.
Answer 1
Score: 1
Zookeeper quorum is for service high availability; it coordinates all the HS2 instances (from the specified hosts) in your cluster to work together.
As far as I know, specifying the property hive.zookeeper.quorum does not help Ranger to enforce each HS2 host with only one plugin.
To achieve what you desire, I think you can go for such a configuration:
- Install Ranger Hive plugin on each node where you have HS2.
- Create one service/repository to specify with REPOSITORY_NAME in install.properties.
- Configure each Hive plugin to use the same service/repository.
- Restart your HS2s.
- Create/modify/delete your policies under the service/repository (REPOSITORY_NAME).
In this way, any policy you create/delete/modify under your service will affect all the HS2 nodes as they share the same repo.
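A consistency check for the layout described in this answer, added here as an example (not code from the original post or from Apache Ranger): it parses each HiveServer2 node's configuration and reports any node where the Ranger authorizer is not enabled or the plugin points at a different service name. The placement of the authorization properties in hiveserver2-site.xml, the service name hive_prod and the sample XML are assumptions constructed for illustration; the hostnames are the ones from the question.

```python
import xml.etree.ElementTree as ET

# Class name the Ranger Hive plugin registers as HiveServer2's authorizer.
RANGER_AUTHORIZER = ("org.apache.ranger.authorization.hive.authorizer."
                     "RangerHiveAuthorizerFactory")

def props(xml_text):
    """Parse a Hadoop-style <configuration> document into {name: value}."""
    return {(p.findtext("name") or "").strip(): (p.findtext("value") or "").strip()
            for p in ET.fromstring(xml_text).iter("property")}

def audit_hs2(nodes, expected_service):
    """nodes: {host: (hiveserver2_site_xml, ranger_hive_security_xml_or_None)}.
    Returns {host: [findings]}; an empty list means the plugin is wired up."""
    report = {}
    for host, (hs2_site, ranger_sec) in nodes.items():
        found, hs2 = [], props(hs2_site)
        if hs2.get("hive.security.authorization.enabled", "").lower() != "true":
            found.append("authorization disabled")
        if hs2.get("hive.security.authorization.manager") != RANGER_AUTHORIZER:
            found.append("Ranger authorizer not set")
        if ranger_sec is None:
            found.append("ranger-hive-security.xml missing")
        else:
            name = props(ranger_sec).get("ranger.plugin.hive.service.name", "")
            if name != expected_service:
                found.append(f"service name {name!r} != {expected_service!r}")
        report[host] = found
    return report

def conf(d):
    """Build a constructed sample <configuration> document from a dict."""
    return "<configuration>" + "".join(
        f"<property><name>{k}</name><value>{v}</value></property>"
        for k, v in d.items()) + "</configuration>"

# Constructed sample data: one good node, one wrong service, one without plugin.
ON = conf({"hive.security.authorization.enabled": "true",
           "hive.security.authorization.manager": RANGER_AUTHORIZER})
OFF = conf({"hive.security.authorization.enabled": "false"})
SAMPLE_NODES = {
    "d01.test.local": (ON, conf({"ranger.plugin.hive.service.name": "hive_prod"})),
    "d02.test.local": (ON, conf({"ranger.plugin.hive.service.name": "hive_test"})),
    "d03.test.local": (OFF, None),
}

if __name__ == "__main__":
    for host, found in audit_hs2(SAMPLE_NODES, "hive_prod").items():
        print(host, "OK" if not found else "; ".join(found))
```

A node that reports findings here is one where a direct connection to port 10000 would not be checked against the shared service's policies.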