[ https://issues.apache.org/jira/browse/RANGER-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15646084#comment-15646084 ]

Don Bosco Durai commented on RANGER-1195:
-----------------------------------------

I am not very sure how much this will help. I feel it will further confuse the
user, because the user can see the columns during describe, but can't access
some of them. So the user will have to do trial and error to discover to which
columns the user has permission by running queries with the columns and
eliminating them one by one.

I understand this will require changes from the Hive side, which I feel is
the right thing to do. We should work with them to see if they can enhance
their API.

Regarding showing all vs. none, from the security point of view, we shouldn't
show what the user doesn't have permission to see. But if the admin/user wants
convenience, then we can show everything. I feel you will get users from both
camps.

If you are planning to show (till we get the APIs from the Hive team), then I will
suggest making it configurable at the plugin side using some property.

Thanks

> Ranger should allow for "select *" and "describe" on tables where user access
> is limited to a subset of columns.
> ----------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-1195
> URL: https://issues.apache.org/jira/browse/RANGER-1195
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Affects Versions: 0.5.1, 0.5.2, 0.6.0, 0.5.3, 0.6.1
> Reporter: Michael Young
> Fix For: 0.7.0
>
>
> If you create a Hive policy in Ranger which allows only a subset of columns
> in a table, users are unable to "select * from tablename" or "describe
> tablename". The user must know in advance to which columns they are allowed
> access, but they can't use "describe" to see a list of columns they are
> allowed.
> When doing either select or describe in Hive, Ranger should dynamically
> filter the columns the user is not allowed to see.