[
https://issues.apache.org/jira/browse/RANGER-1851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16219767#comment-16219767
]
Ramesh Mani commented on RANGER-1851:
-------------------------------------
[~sershe] To get some more details on workload management commands, if those
commands operate within the context of HIVE Services like LLAP / Hive Server2
and do admin operations related to those services, then they can be grouped
under "Service Admin" permission in Ranger.
If workload management commands go beyond that, say they can do Database Admin
operations, we should think of something like "ADMIN" who can do various
Database Operations + Service Operations like Kill Query.
In both cases the HiveAuthorizer interface has to provide the necessary context to
Ranger to classify and authorize. Could you please provide me the details on
those workload commands and their purpose?

> Enhance Ranger Hive Plugin to support authorization for KILL QUERY command
> --------------------------------------------------------------------------
>
> Key: RANGER-1851
> URL: https://issues.apache.org/jira/browse/RANGER-1851
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: 1.0.0, master
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Critical
>
> With the HIVE-17483 JIRA, Hive has introduced a way to kill query <id>, and
> in Hive it's a privileged action for the Hive Admin Role. In order for the Ranger
> Hive Authorizer to support authorization, we need to enhance the Ranger Hive
> authorizer. The current Hive implementation is to Kill Query in a HiveService,
> which can be LLAP / HIVESERVER2; later these HIVE SERVICEs can be grouped
> into NAME SPACEs and kill query can be run against them. When the
> HiveServer2/LLAP Ranger Plugin sends the request to Ranger for Authorization,
> it will be sending the HIVE SERVICE in the context with the COMMAND that is
> executed.
> With all the details, the proposal is to have
> 1) In Ranger Hive Service Definition, we will have a new Resource "Hive
> Service" to authorize.
> 2) In Ranger Hive Permission Model, we will have a new Permission "Service
> Admin" to group Kill Query operation.
> - "Service Admin" permission will enable the Hive Ranger plugin to isolate
> various admin operations, in this case "Kill Query", and in future if Hive
> introduces other operations which are done at "HIVE SERVICE level", group
> them under this and authorize.
> - "Service Admin" won't be able to do DATABASE / TABLE / COLUMN
> operations as this will all be taken care of by the existing
> DATABASE/TABLE/COLUMN level permission model.
> [~madhan.neethiraj] [~vperiasamy] [~thejas] [~bosco] [~sneethiraj]