[
https://issues.apache.org/jira/browse/RANGER-2391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ramesh Mani updated RANGER-2391:
--------------------------------
Attachment: 0001-RANGER-2391-Ranger-authorization-for-ADD-COMPILE-and.patch
> Ranger authorization for ADD, COMPILE and CREATE TEMPORARY UDF operation in
> Hive
> --------------------------------------------------------------------------------
>
> Key: RANGER-2391
> URL: https://issues.apache.org/jira/browse/RANGER-2391
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Ramesh Mani
> Assignee: Ramesh Mani
> Priority: Major
> Attachments:
> 0001-RANGER-2391-Ranger-authorization-for-ADD-COMPILE-and.patch
>
>
> Ranger authorization for ADD, COMPILE and CREATE TEMPORARY UDF operation in
> Hive.
> Current the CREATE TEMPORARY UDF has a workaround solution of having a policy
> with Database=* and UDF= specified since the temp udf is not associated to
> any DB. Similarly, ADD JAR and COMPILE <Script> in the hive all are not
> associated with any specific database, but it has a significance in reading
> any warehouse data and manipulating.
> In this, we categorize these UDF related operations to a resource "Global"
> and we maintain a policy with "Temp UDF admin" as permission with "*" or
> "global" as resource value, which authorizes ADD, COMPILE and CREATE
> TEMPORARY UDF.
> In this way, we don't have to have a "*" policy for DB and UDF to do the
> authorization of temporary UDF related commands.
> Permanent UDFs are authorized by the existing DB/UDF policy in Ranger Hive
> authorizer.
> When migrating to this version, if any customer uses the workaround of "*"
> policy for any temporary UDF, they have to create this new policy in order
> for the authorization to happen after migration.
> There will be a warning before anyone creates this policy as this is given
> only to the trusted user similar to UDF policy
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
