Ramesh Mani created RANGER-2391:
-----------------------------------
Summary: Ranger authorization for ADD, COMPILE and CREATE
TEMPORARY UDF operation in Hive
Key: RANGER-2391
URL: https://issues.apache.org/jira/browse/RANGER-2391
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Ramesh Mani
Ranger authorization for ADD, COMPILE and CREATE TEMPORARY UDF operation in
Hive.
Currently, CREATE TEMPORARY UDF has a workaround of having a policy
with Database=* and UDF= specified, since the temp UDF is not associated with any
DB. Similarly, ADD JAR and COMPILE <Script> in Hive are not associated
with any specific database, but they have significance in reading and
manipulating any warehouse data.
In this change, we categorize these UDF-related operations under a resource "Global" and
we maintain a policy with "Temp UDF admin" as the permission and "*" or "global"
as the resource value, which authorizes ADD, COMPILE and CREATE TEMPORARY UDF.
This way, we don't need a "*" policy for DB and UDF to
authorize temporary UDF related commands.
Permanent UDFs are authorized by the existing DB/UDF policy in the Ranger Hive
authorizer.
When migrating to this version, any customer who uses the "*" policy
workaround for temporary UDFs has to create this new policy in order for
authorization to happen after migration.
There will be a warning before anyone creates this policy, as it is given only
to trusted users, similar to the UDF policy.
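
The migration step described in the issue can be checked before upgrading. The following is an added example, not part of the original issue or of Ranger's code: it lists principals that relied on the Database=* workaround and are not yet covered by a "global" policy. The policy dictionary layout, the function names and the sample policies are assumptions constructed for illustration; only the "global" resource, its "*"/"global" values and the "Temp UDF admin" permission name come from the issue text.

```python
# Added example: simplified policy model, not Ranger's own schema or code.
TEMP_UDF_PERMISSION = "Temp UDF admin"   # permission name as given in the issue text
GLOBAL_VALUES = {"*", "global"}          # resource values named in the issue text

def _principals(policy, access_type=None):
    """Collect (kind, name) pairs, optionally only from items granting access_type."""
    found = set()
    for item in policy.get("items", []):
        if access_type is not None and access_type not in item.get("accesses", []):
            continue
        found.update(("user", u) for u in item.get("users", []))
        found.update(("group", g) for g in item.get("groups", []))
    return found

def is_workaround_policy(policy):
    """Old workaround: Database=* combined with a UDF resource."""
    res = policy.get("resources", {})
    return "*" in res.get("database", []) and bool(res.get("udf"))

def is_global_temp_udf_policy(policy):
    """New-style policy: resource "global" with value "*" or "global"."""
    values = set(policy.get("resources", {}).get("global", []))
    return bool(values & GLOBAL_VALUES)

def principals_needing_global_policy(policies):
    """Principals on a workaround policy with no global temp UDF grant yet."""
    relied, covered = set(), set()
    for p in policies:
        if not p.get("enabled", True):
            continue  # disabled policies authorize nothing
        if is_workaround_policy(p):
            relied |= _principals(p)
        elif is_global_temp_udf_policy(p):
            covered |= _principals(p, TEMP_UDF_PERMISSION)
    return sorted(relied - covered)

# Constructed sample policies (hypothetical names and principals).
SAMPLE = [
    {"name": "tmp-udf-workaround", "resources": {"database": ["*"], "udf": ["*"]},
     "items": [{"users": ["etl_svc", "alice"], "groups": ["ds_team"], "accesses": ["create"]}]},
    {"name": "sales-udfs", "resources": {"database": ["sales"], "udf": ["mask_*"]},
     "items": [{"users": ["bob"], "groups": [], "accesses": ["create"]}]},
    {"name": "global-temp-udf", "resources": {"global": ["*"]},
     "items": [{"users": ["etl_svc"], "groups": [], "accesses": [TEMP_UDF_PERMISSION]}]},
]

if __name__ == "__main__":
    for kind, name in principals_needing_global_policy(SAMPLE):
        print(f"{kind} {name}: relied on the Database=* workaround, no global policy yet")
```

The output is a review list rather than a grant list: the issue states the new policy is given only to trusted users, so each listed principal should be confirmed before it is added.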