Ramesh Mani created RANGER-1851:
-----------------------------------
Summary: Enhance Ranger Hive Plugin to support authorization for
KILL QUERY command
Key: RANGER-1851
URL: https://issues.apache.org/jira/browse/RANGER-1851
Project: Ranger
Issue Type: Bug
Components: Ranger
Affects Versions: 0.7.1, master
Reporter: Ramesh Mani
Assignee: Ramesh Mani
Priority: Critical
With the HIVE-17483 JIRA, Hive has introduced a way to kill query <id>, and in
Hive it's a privileged action for the Hive Admin Role. In order for the Ranger Hive
Authorizer to support authorization, we need to enhance the Ranger Hive
authorizer. The current Hive implementation is to Kill Query in a HiveService, which
can be LLAP / HIVESERVER2; later these HIVE SERVICEs can be grouped into NAME
SPACEs and kill query can be run against them. When the HiveServer2/LLAP Ranger
Plugin sends the request to Ranger for Authorization, it will be sending the
HIVE SERVICE in the context with the COMMAND.
With all the details, the proposal is to have:
1) In the Ranger Hive Service Definition, we will have a new Resource "Hive
Service" to authorize.
2) In the Ranger Hive Permission Model, we will have a new Permission "Service
Admin" to group the Kill Query operation.
- The "Service Admin" permission will enable the Hive Ranger plugin to isolate
various admin operations, in this case "Kill Query", and in future, if Hive
introduces other operations which are done at the "HIVE SERVICE level", group them
under this and authorize.
- "Service Admin" won't be able to do DATABASE / TABLE / COLUMN operations,
as this will all be taken care of by the existing DATABASE/TABLE/COLUMN level
permission model.
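The proposed split between a "Hive Service" resource with a "Service Admin" permission and the existing DATABASE/TABLE/COLUMN permissions can be modelled as a small default-deny check. This is an added example, not part of the original message and not Ranger or Hive code; the identifiers `hive_service`, `service_admin`, `Policy`, `Request`, `is_allowed` and the sample users, services and tables are all hypothetical.

```python
from dataclasses import dataclass

# Hypothetical names modelling the proposal; not Ranger identifiers.
SERVICE_ADMIN = "service_admin"
# Commands authorized at the Hive Service level map to "Service Admin".
SERVICE_LEVEL_COMMANDS = {"KILL QUERY": SERVICE_ADMIN}
# Data commands keep using the existing database/table/column permissions.
DATA_COMMANDS = {"SELECT": "select", "ALTER TABLE": "alter"}

@dataclass(frozen=True)
class Policy:
    resource_type: str      # "hive_service" or "table"
    resource: str           # e.g. "llap0" or "sales.orders"
    user: str
    permissions: frozenset

@dataclass(frozen=True)
class Request:
    user: str
    command: str
    hive_service: str       # sent by the plugin in the request context
    table: str = ""         # set only for data commands

def is_allowed(policies, req):
    """Default deny: each command is checked against exactly one resource type."""
    if req.command in SERVICE_LEVEL_COMMANDS:
        rtype, resource = "hive_service", req.hive_service
        needed = SERVICE_LEVEL_COMMANDS[req.command]
    elif req.command in DATA_COMMANDS:
        rtype, resource = "table", req.table
        needed = DATA_COMMANDS[req.command]
    else:
        return False        # unknown command: deny
    return any(
        p.resource_type == rtype and p.resource == resource
        and p.user == req.user and needed in p.permissions
        for p in policies
    )

# Constructed sample policies.
POLICIES = [
    Policy("hive_service", "llap0", "ops_admin", frozenset({SERVICE_ADMIN})),
    Policy("table", "sales.orders", "analyst", frozenset({"select"})),
]
```

Because a service-level command is only ever matched against `hive_service` policies, holding "Service Admin" never satisfies a table check, and a table permission never satisfies KILL QUERY.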