[jira] [Commented] (RANGER-1195) Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.

Ramesh Mani (JIRA) Thu, 17 Nov 2016 16:17:41 -0800

    [ 
https://issues.apache.org/jira/browse/RANGER-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15675244#comment-15675244
 ]


Ramesh Mani commented on RANGER-1195:
-------------------------------------

Providing this patch based on the [~bosco]'s comment to have a property to show 
all columns.
ranger-hive-security.xml will have to have a new parameter 
"xasecure.hive.describetable.showcolumns.authorization.option" which will take 
values - none / show-all / show-allowed 
none - this will result in current behavior of not showing any columns when 
describe / show columns is executed.
show-all - this will result in showing all the columns.
show-allowed. this is not implemented yet in ranger. When HIVE provides the 
necessary hooks to filter the output we will show only the columns which user 
has access. Till then it will result in default behavior of not showing any 
columns. Also when this is implemented "SELECT"  should show only the columns 
which are allowed for the user.
Please review and provide your comments 

> Ranger should allow for "select *" and "describe" on tables where user access 
> is limited to a subset of columns.
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-1195
>                 URL: https://issues.apache.org/jira/browse/RANGER-1195
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>    Affects Versions: 0.5.1, 0.5.2, 0.6.0, 0.5.3, 0.6.1
>            Reporter: Michael Young
>             Fix For: 0.7.0
>
>         Attachments: RANGER-1195.patch
>
>
> If you create a Hive policy in Ranger which allows only a subset of columns 
> in a table, users are unable to "select * from tablename" or "describe 
> tablename".  The user must know in advance to which columns they are allowed 
> access, but they can't use "describe" to see a list of columns they are 
> allowed.
> When doing either select or describe in Hive, Ranger should dynamically 
> filter the columns the user is not allowed to see.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (RANGER-1195) Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.

Reply via email to