[jira] [Comment Edited] (RANGER-1195) Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.

Fri, 04 Nov 2016 00:10:31 -0700 

    [ 
https://issues.apache.org/jira/browse/RANGER-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15635434#comment-15635434
 ] 

Ramesh Mani edited comment on RANGER-1195 at 11/4/16 7:09 AM:
--------------------------------------------------------------

[~Jaraxal] We should also include SHOW COLUMNS (FROM|IN) table_name [(FROM|IN) 
db_name] as it also provide the same functionality. Ranger HiveAuthorizer 
should show all the columns for  DESCRIBE/SHOW COLUMNS on table if user has any 
access on database/table/column
[~bosco] Filtering out the columns which user doesn't have access needs change 
in Hive. HiveAuthorizer.filterListCmdObjects() is called during 'SHOW 
DATABASES' & 'SHOW TABLES'  which is used to filter out the database and tables 
which user doesn't have access to. Now HIVE has to include DESCRIBE/SHOW 
COLUMNS in its call  to provide that necessary hook to Ranger for filtering out 
the columns. I am not sure how the other products like Oracle or MYSQL does it 
for these commands.


was (Author: rmani):
[~Jaraxal] We should also include SHOW COLUMNS (FROM|IN) table_name [(FROM|IN) 
db_name] as it also provide the same functionality. Ranger HiveAuthorizer 
should show all the columns for  DESCRIBE/SHOW COLUMNS on table if user has any 
access on database/table/column

> Ranger should allow for "select *" and "describe" on tables where user access 
> is limited to a subset of columns.
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-1195
>                 URL: https://issues.apache.org/jira/browse/RANGER-1195
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>    Affects Versions: 0.5.1, 0.5.2, 0.6.0, 0.5.3, 0.6.1
>            Reporter: Michael Young
>             Fix For: 0.7.0
>
>
> If you create a Hive policy in Ranger which allows only a subset of columns 
> in a table, users are unable to "select * from tablename" or "describe 
> tablename".  The user must know in advance to which columns they are allowed 
> access, but they can't use "describe" to see a list of columns they are 
> allowed.
> When doing either select or describe in Hive, Ranger should dynamically 
> filter the columns the user is not allowed to see.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to