[
https://issues.apache.org/jira/browse/RANGER-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15646264#comment-15646264
]
Michael Young commented on RANGER-1195:
---------------------------------------
[~rmani] [~bosco] I agree with Don that showing columns to users they are not
allowed to see/access will cause confusion. And as Don points out, it will
require trial and error on the part of the user to figure out which columns
they can and can't see. If a table has 100 columns, can you image the
frustration of a user where only 10 of those columns are restricted?
Furthermore, this request is primarily a security focused request. In many
organizations where security is absolutely critical, users are not supposed to
know tables and columns exist that they are not allowed to see. If a DESCRIBE
shows all columns, then the user inherently knows information about the schema
they should not know. Sometimes the names of the schema itself (names of the
columns) is sensitive.
> Ranger should allow for "select *" and "describe" on tables where user access
> is limited to a subset of columns.
> ----------------------------------------------------------------------------------------------------------------
>
> Key: RANGER-1195
> URL: https://issues.apache.org/jira/browse/RANGER-1195
> Project: Ranger
> Issue Type: Improvement
> Components: plugins
> Affects Versions: 0.5.1, 0.5.2, 0.6.0, 0.5.3, 0.6.1
> Reporter: Michael Young
> Fix For: 0.7.0
>
>
> If you create a Hive policy in Ranger which allows only a subset of columns
> in a table, users are unable to "select * from tablename" or "describe
> tablename". The user must know in advance to which columns they are allowed
> access, but they can't use "describe" to see a list of columns they are
> allowed.
> When doing either select or describe in Hive, Ranger should dynamically
> filter the columns the user is not allowed to see.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
