@Bosco, what happens with doAs=false if a user is creating/using an external table? Would they also run as the hive user, and hence would the hive user need to be given permission in HDFS to any such external files? Thanks
On 7/1/15, 6:17 AM, "Don Bosco Durai" <[email protected]> wrote:

>Tanping
>
>Current Ranger permission model is permissive, which means by default
>there are no permissions. However, if you give one, then you can't take
>back.
>
>This model simplifies the management of the policies. However, if you want
>to revoke permissions for certain user, then it becomes difficult.
>
>In your use case, we recommend that you manage HDFS permissions only from
>Ranger. You should do "hdfs dfs -chmod -R 0000 /usr/hive" and then give
>explicit permissions to users from Ranger.
>
>If you are using HiveServer2, then we recommend to configure HS2 with
>"doAs=false". In this case, you just need to give permission to user
>"hive" in the HDFS level and manage all the table/column permissions at
>the Hive level using Ranger. In this case, you can also give more granular
>permissions up to column level.
>
>If you feel revoke will be useful for you, then can you create a JIRA. In
>the next release we can come up with a simplified version of revoke.
>
>Thanks
>
>Bosco
>
>
>On 7/1/15, 12:57 PM, "Tanping Wang" <[email protected]> wrote:
>
>>Hi, all,
>>My understanding of Ranger is that Ranger would open up/relax the file
>>permission inherited from Unix. Can Ranger restrict/remove the
>>permissions
>>for a user? For example, if a user, John does have permission to
>>/usr/hive. Can Ranger revoke the permission?
>>Regards,
>>tanping
