[ https://issues.apache.org/jira/browse/RANGER-1851?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16221544#comment-16221544 ]

Sergey Shelukhin commented on RANGER-1851:
------------------------------------------

[~rmani] these are service operation commands if I understand the distinction 
correctly. They are not scoped in the database.
In short, a Hive cluster has a resource management policy (resource plan) that
contains multiple query pools with different resource allocations, etc.; 
connections are mapped to pools based on user, application type, etc.; also, 
pools may have triggers that automatically perform actions (like kill or change 
priority) based on query counters. All of those entities (resource plan, pool, 
mapping, trigger) have create/alter/drop commands, as well as commands that 
link them together and enable/disable them.
There's a description in detail in the attached Hive JIRA; I can also send you a
15-page Google doc if desired ;)
Does this make sense?

> Enhance Ranger Hive Plugin to support authorization for KILL QUERY command
> --------------------------------------------------------------------------
>
>                 Key: RANGER-1851
>                 URL: https://issues.apache.org/jira/browse/RANGER-1851
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: 1.0.0, master
>            Reporter: Ramesh Mani
>            Assignee: Ramesh Mani
>            Priority: Critical
>
> With the HIVE-17483 JIRA, Hive has introduced a way to kill query <id>, and
> in Hive it's a privileged action for the Hive Admin Role. In order for the Ranger
> Hive Authorizer to support authorization, we need to enhance the Ranger Hive
> authorizer. The current Hive implementation is to Kill Query in a HiveService,
> which can be LLAP / HIVESERVER2; later these HIVE SERVICEs can be grouped
> into NAME SPACEs and kill query can be run against them. When the
> HiveServer2/LLAP Ranger Plugin sends the request to Ranger for authorization,
> it will be sending the HIVE SERVICE in the context with the COMMAND that is
> executed.
> With all the details, the proposal is to have:
> 1) In the Ranger Hive Service Definition, we will have a new Resource "Hive
> Service" to authorize.
> 2) In the Ranger Hive Permission Model, we will have a new Permission "Service
> Admin" to group the Kill Query operation.
>     - "Service Admin" permission will enable the Hive Ranger plugin to isolate
> various admin operations, in this case "Kill Query", and in future, if Hive
> introduces other operations which are done at "HIVE SERVICE level", group
> them under this and authorize.
>     - "Service Admin" won't be able to do DATABASE / TABLE / COLUMN
> operations, as this will all be taken care of by the existing
> DATABASE/TABLE/COLUMN level permission model.
> [~madhan.neethiraj] [~vperiasamy][~thejas][~bosco][~sneethiraj]



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
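
The separation proposed in the issue description above (a "Hive Service" resource whose "Service Admin" permission covers KILL QUERY but grants nothing at DATABASE/TABLE/COLUMN level), as an added example that is not Ranger's code or part of the original message. The policy structure, the identifiers `hiveservice` and `serviceadmin`, the `*` wildcard and the sample users and service names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Toy model for illustration only; not Ranger's policy engine or schema.
# "hiveservice" / "serviceadmin" are assumed identifiers for the proposal's
# "Hive Service" resource and "Service Admin" permission.

@dataclass(frozen=True)
class Policy:
    resource_type: str       # "hiveservice", "database", "table", "column"
    resource_name: str       # service or object name; "*" (assumed) matches any
    users: frozenset
    permissions: frozenset

# operation -> (resource type it is evaluated against, permission required)
REQUIRED = {
    "KILL QUERY": ("hiveservice", "serviceadmin"),
    "SELECT": ("table", "select"),
    "DROP DATABASE": ("database", "drop"),
}

def is_allowed(policies, user, operation, resource_type, resource_name):
    """Default deny; allow only on a matching type, name, user and permission."""
    required = REQUIRED.get(operation)
    if required is None:
        return False                      # unknown operation
    req_type, req_perm = required
    if resource_type != req_type:
        return False                      # e.g. KILL QUERY sent with a table resource
    return any(
        p.resource_type == req_type
        and p.resource_name in ("*", resource_name)
        and user in p.users
        and req_perm in p.permissions
        for p in policies
    )

# Constructed sample policies (users and names are made up).
POLICIES = [
    Policy("hiveservice", "llap-cluster-1", frozenset({"ops_admin"}), frozenset({"serviceadmin"})),
    Policy("table", "sales.orders", frozenset({"analyst"}), frozenset({"select"})),
]

if __name__ == "__main__":
    checks = [
        ("ops_admin", "KILL QUERY", "hiveservice", "llap-cluster-1"),
        ("ops_admin", "KILL QUERY", "hiveservice", "hs2-prod"),
        ("ops_admin", "SELECT", "table", "sales.orders"),
        ("analyst", "KILL QUERY", "hiveservice", "llap-cluster-1"),
    ]
    for c in checks:
        print(c, "->", "ALLOW" if is_allowed(POLICIES, *c) else "DENY")
```
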
