[jira] [Commented] (RANGER-1195) Ranger should allow for "select *" and "describe" on tables where user access is limited to a subset of columns.

Tue, 06 Dec 2016 10:40:36 -0800 

    [ 
https://issues.apache.org/jira/browse/RANGER-1195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15726331#comment-15726331
 ] 

Ramesh Mani commented on RANGER-1195:
-------------------------------------

[~bosco]
ranger-hive-security.xml will have to have a new parameter 
"xasecure.hive.describetable.showcolumns.authorization.option" which will take 
values - none / show-all / show-allowed / " "
"" or none   - this will result in current behavior of not showing any columns 
when user has access to subset of the columns given by Ranger Hive Policy
show-all     - this will result in showing all the columns in Describe / Show 
Columns command (This  is equal to having NONE as value for this param and  
Ranger policy having * for  "Columns" giving access to all columns.
show-allowed - this will show only the columns which the user has access to via 
ranger policy. ( This is not implemented yet in ranger, when Hive provides the 
hook for filtering the objects this can be implemented and can be made as a 
default value when ranger plugin is enabled for HiveServer2 Auth ) 
I shall make this as part of the documentation.

> Ranger should allow for "select *" and "describe" on tables where user access 
> is limited to a subset of columns.
> ----------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-1195
>                 URL: https://issues.apache.org/jira/browse/RANGER-1195
>             Project: Ranger
>          Issue Type: Improvement
>          Components: plugins
>    Affects Versions: 0.5.1, 0.5.2, 0.6.0, 0.5.3, 0.6.1
>            Reporter: Michael Young
>            Assignee: Ramesh Mani
>             Fix For: 0.7.0
>
>         Attachments: RANGER-1195.patch
>
>
> If you create a Hive policy in Ranger which allows only a subset of columns 
> in a table, users are unable to "select * from tablename" or "describe 
> tablename".  The user must know in advance to which columns they are allowed 
> access, but they can't use "describe" to see a list of columns they are 
> allowed.
> When doing either select or describe in Hive, Ranger should dynamically 
> filter the columns the user is not allowed to see.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to