[jira] [Commented] (RANGER-768) Hive Metastore Plugin

Thu, 07 Jan 2016 21:06:07 -0800 

    [ 
https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15088713#comment-15088713
 ] 

Madhan Neethiraj commented on RANGER-768:
-----------------------------------------

bq. 2.2.2       Ranger Hive Privilege Adjustments as Result of Hive DDL/DML 
Operations
bq. HIVE SQL DDL/DML operations that add/remove/change a resource name will see 
the Ranger policy on the exactly matched resource to be added/removed/changed 
accordingly.  Failure of such adjustments will not cause the operation to fail, 
but just to log a warning of the failure.  An example of such a failure is a 
“rename” operation that finds an existing policy already on the renamed 
resource. This is possible because Ranger policy could be on nonexistent 
objects while SQL does not allow such a scenario.
The details on Ranger policy updates during drop/rename of Hive 
database/table/column look good. What would be the policy updates on 
database/table/column create?

> Hive Metastore Plugin
> ---------------------
>
>                 Key: RANGER-768
>                 URL: https://issues.apache.org/jira/browse/RANGER-768
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin, plugins
>            Reporter: Yan
>         Attachments: Design Proposal for Hive Metastore Plugin of 
> Ranger.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that 
> could result in privilege modifications. One example is that when a table is 
> renamed by a Hive Server 2 client (the "beeline"), no proper privilege 
> adjustments in Ranger are made to allow/deny previously allowed/denied users 
> the same privileges as before. In addition, more advanced features, such as 
> granting/denying similar accesses to Hive's HDFS data to users that have (or 
> do not have) privileges in the Hive, would require that detailed metadata of 
> the Hive table, the storage info to be specific, be available to Ranger in 
> order to make the corresponding HDFS  data accessible to the Hive users 
> directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares 
> the same "service" name as the associated Ranger Hive service deployed, and 
> it will be "co-enabled" with the existing Ranger Hive plugin.
> Design doc will come soon.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to