[ https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15089882#comment-15089882 ]

Don Bosco Durai commented on RANGER-768:
----------------------------------------
I agree with Madhan. Creating two different policies and keeping both of them
in sync will be error prone. I feel we should clearly split the design into
two parts.

1. Ranger MetaStore Authorization Plugin - This should be just like any
standard plugin, which does enforcement and auditing. The only extension we
should do is that it should reuse the policies from Hive. So there should be
an extension done to support this.

2. Resource Sync Plugin - This should monitor the changes that happen within
the MetaStore for Database/Table mapping to HDFS resources (later HBase). So if
anything changes, it should make the call to Ranger Admin and notify it. On the
RangerAdmin side, we should plan to update the appropriate policies or resource
mapping. In this way, we don't have to spread the knowledge of Policy
Creation/Management to the plugin. And keep the plugin as simple and lightweight
as possible.

> Hive Metastore Plugin
> ---------------------
>
> Key: RANGER-768
> URL: https://issues.apache.org/jira/browse/RANGER-768
> Project: Ranger
> Issue Type: New Feature
> Components: admin, plugins
> Reporter: Yan
> Attachments: Design Proposal for Hive Metastore Plugin of
> Ranger.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that
> could result in privilege modifications. One example is that when a table is
> renamed by a Hive Server 2 client (the "beeline"), no proper privilege
> adjustments in Ranger are made to allow/deny previously allowed/denied users
> the same privileges as before. In addition, more advanced features, such as
> granting/denying similar accesses to Hive's HDFS data to users that have (or
> do not have) privileges in the Hive, would require that detailed metadata of
> the Hive table, the storage info to be specific, be available to Ranger in
> order to make the corresponding HDFS data accessible to the Hive users
> directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares
> the same "service" name as the associated Ranger Hive service deployed, and
> it will be "co-enabled" with the existing Ranger Hive plugin.
> Design doc will come soon.