[ 
https://issues.apache.org/jira/browse/HIVE-21833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16866056#comment-16866056
 ] 

Sam An commented on HIVE-21833:
-------------------------------

We choose not to add ownername and ownertype in the toString() method, because 
in many NegativeCliDriver tests, when authorization fails, tests print out the 
HivePrivilegeObject content. By adding these 2, there will be mismatches each 
time a new user submits the test. That's why we don't add them in toString, but 
only in the compareTo method. 

> Ranger Authorization in Hive based on object ownership
> ------------------------------------------------------
>
>                 Key: HIVE-21833
>                 URL: https://issues.apache.org/jira/browse/HIVE-21833
>             Project: Hive
>          Issue Type: New Feature
>          Components: HiveServer2
>            Reporter: Sam An
>            Assignee: Sam An
>            Priority: Major
>         Attachments: HIVE-21833.1.patch, HIVE-21833.2.patch, 
> HIVE-21833.6.patch, HIVE-21833.7.patch, HIVE-21833.8.patch, HIVE-21833.9.patch
>
>
> Background: Currently Hive Authorizer for Ranger does not provide owner 
> information for Hive objects as part of AuthZ calls. This has resulted in 
> gaps with respect to Sentry AuthZ and customers/partners cannot leverage 
> privileges for owners in their authorization model.
>  
> User Story: As an enterprise security admin, I need to be able to set 
> privileges based on Hive object ownership for setting up access controls in 
> Ranger so that I can provide appropriate protections and permissions for my 
> enterprise users.
>  
> Acceptance criteria:
> 1) Owner information is available in Hive-Ranger AuthZ calls 
> 2) Ranger admin users can use owner information to set policies based on 
> object ownership in Ranger UI and APIs
> 3) OWNER Macro based policies continue to work for Hive objects



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
