[jira] [Updated] (RANGER-2389) Ranger Hive Plugin enhancement for KILL query and Replication commands authorization

Fri, 19 Jul 2019 08:40:12 -0700 


     [ 
https://issues.apache.org/jira/browse/RANGER-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Velmurugan Periasamy updated RANGER-2389:
-----------------------------------------
    Fix Version/s: 2.0.0

> Ranger Hive Plugin enhancement for KILL query and Replication commands 
> authorization
> ------------------------------------------------------------------------------------
>
>                 Key: RANGER-2389
>                 URL: https://issues.apache.org/jira/browse/RANGER-2389
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Ramesh Mani
>            Assignee: Ramesh Mani
>            Priority: Major
>             Fix For: 2.0.0
>
>         Attachments: 
> 0001-RANGER-2389-Ranger-Hive-Plugin-enhancement-for-KILL-.patch
>
>
> 1) Hive KILL Query
> With the HIVE-17483 JIRA, Hive has introduced a way to kill query <id> and in 
> hive its a privileged action for Hive Admin Role. In order for the Ranger 
> Hive Authorizer to support authorization, we need to enhance the ranger hive 
> authorizer. Current Hive implementation is to Kill Query in a HiveService 
> which can be LLAP / HIVESERVER2 , later these HIVE SERVICEs can be grouped 
> into NAME SPACEs and kill query can be run against them. When 
> HiveServer2/LLAP Ranger Plugin sends the request to Ranger for Authorization, 
> it will be sending the HIVE SERVICE in the context with the COMMAND that is 
> executed. 
> With all the details proposal is to have 
> 1) In Ranger Hive Service Definition, we will have a new Resource "Hive 
> Service" to authorize.
> 2) In Ranger Hive Permission Model, we will have a new Permission "Service 
> Admin" to group Kill Query operation.
> "Service Admin" permission will enable hive ranger plugin to isolate various 
> admin operations in this case "Kill Query" and in future if hive introduces 
> other operations which are done at "HIVE SERVICE level" , group them under 
> this and authorize.
> "Service Admin" won't be able to do DATABASE / TABLE / COLUMN operations as 
> this will all be taken care by the existing DATABASE/TABLE/COLUMN level 
> permission model.
> 2) Replication Command
> Hive has enhanced it authorization for Replication Task 
> https://issues.apache.org/jira/browse/HIVE-17005. The proposal from Ranger 
> side is to have "Repl Admin" permission in RangerHive privilege model and 
> command REPL DUMP and REPL LOAD should be authorized for the users with 
> "ReplAdmin" privilege on Database / Table level.
> For REPL STATUS command, the user should have SELECT privilege on the 
> Database/ Table Level.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Reply via email to