[ https://issues.apache.org/jira/browse/ATLAS-3111?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ramesh Mani resolved ATLAS-3111.
--------------------------------
    Resolution: Invalid

Wrongly assigned project.

> Ranger Hive Plugin enhancement for KILL query and Replication commands authorization
> ------------------------------------------------------------------------------------
>
>                 Key: ATLAS-3111
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3111
>             Project: Atlas
>          Issue Type: Bug
>            Reporter: Ramesh Mani
>            Priority: Major
>
> 1) Hive KILL Query
> With the HIVE-17483 JIRA, Hive has introduced a way to kill query <id>, and in
> Hive it's a privileged action for the Hive Admin Role. In order for the Ranger
> Hive Authorizer to support authorization, we need to enhance the Ranger Hive
> authorizer. The current Hive implementation is to Kill Query in a HiveService,
> which can be LLAP / HIVESERVER2; later these HIVE SERVICEs can be grouped
> into NAME SPACEs and kill query can be run against them. When the
> HiveServer2/LLAP Ranger Plugin sends the request to Ranger for Authorization,
> it will be sending the HIVE SERVICE in the context with the COMMAND that is
> executed.
> With all the details, the proposal is to have:
>   1) In the Ranger Hive Service Definition, we will have a new Resource "Hive
>      Service" to authorize.
>   2) In the Ranger Hive Permission Model, we will have a new Permission "Service
>      Admin" to group the Kill Query operation.
> The "Service Admin" permission will enable the Hive Ranger plugin to isolate various
> admin operations, in this case "Kill Query", and in future, if Hive introduces
> other operations which are done at the "HIVE SERVICE level", group them under
> this and authorize.
> "Service Admin" won't be able to do DATABASE / TABLE / COLUMN operations, as
> this will all be taken care of by the existing DATABASE/TABLE/COLUMN level
> permission model.
>
> 2) Replication Command
> Hive has enhanced its authorization for Replication Task
> https://issues.apache.org/jira/browse/HIVE-17005.
> The proposal from the Ranger side is to have a "Repl Admin" permission in the
> RangerHive privilege model, and the commands REPL DUMP and REPL LOAD should be
> authorized for the users with "Admin" privilege on the Database / Table level.
> For the REPL STATUS command, the user should have SELECT privilege on the
> Database / Table level.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)