I see. So to configure this I can either go on UI or through Ranger REST API but not a DDL (e.g. GRANT ALL ON DATABASE ... ), is that correct?

On Mon, May 8, 2017 at 11:34 AM Abhay Kulkarni <[email protected]> wrote:

> Hi Goden,
>
> If there is a Ranger policy with (database=<db-name>, table=*, column=*)
> as the resource-specification for a certain group, and if a hive request,
> is made by member of a group, Ranger authorization code will use policy
> matchers to match the requested resource with the policy resource. Matcher
> for this policy will match any table within the database <db-name> because
> of the wildcard ‘*’ specified in its resource-specification. If resource is
> matched, the policy will be used to evaluate access to this resource
> provided user, groups and the requested access-type also match.
>
> In short, Ranger goes through policies (not tables) until a match is found.
>
> Hope that helps.
>
> -Abhay
>
> From: Goden Yao <[email protected]>
> Reply-To: "[email protected]" <[email protected]>
> Date: Monday, May 8, 2017 at 10:01 AM
>
> To: "[email protected]" <[email protected]>
> Subject: Re: GRANT ALL ON DATABASE ...
>
> What's behind the stage for ranger to configure this - does it internally
> go through every table ? just want to understand the implementation details.
>
> On Thu, May 4, 2017 at 2:30 PM Ramesh Mani <[email protected]> wrote:
>
>> Goden, yes that is right, you can put “*” for table and column
>>
>>
>> From: Goden Yao <[email protected]>
>> Reply-To: "[email protected]" <[email protected]>
>> Date: Thursday, May 4, 2017 at 2:21 PM
>>
>> To: "[email protected]" <[email protected]>
>> Subject: Re: GRANT ALL ON DATABASE ...
>>
>> Thanks Ramesh - in Ranger UI, I see table is always required when
>> creating a policy - is that the case? so you are saying I can put "*" in
>> table input field?
>>
>> On Thu, May 4, 2017 at 1:40 PM Ramesh Mani <[email protected]> wrote:
>>
>>> Goden,
>>>
>>> GRANT ALL/READ ON DATABASE XYZ you can maintain a policy for database
>>> “*” , but with respect to ROLE XXX can this ROLE be a “group” in LDAP/AP or
>>> unix? Then you can maintain this policy for GROUP XXX.
>>>
>>> Thanks,
>>> Ramesh
>>>
>>> From: Goden Yao <[email protected]>
>>> Reply-To: "[email protected]" <[email protected]>
>>> Date: Thursday, May 4, 2017 at 1:34 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: Re: GRANT ALL ON DATABASE ...
>>>
>>> Hi Anyone may want to comment ? I found out this is actually supported
>>> in Hive Default Authorization (legacy) mode but probably not in SQL
>>> Standard Authorization, why is that?
>>>
>>> On Tue, May 2, 2017 at 10:20 AM Goden Yao <[email protected]> wrote:
>>>
>>>> Hi
>>>>
>>>> I wonder if Ranger policy can support something like "GRANT ALL/READ ON
>>>> DATABASE XYZ to ROLE XXX"?
>>>>
>>>> Or I have to specify each table iteratively in a database?
>>>>
>>>> Thanks
>>>> -Goden
>>>> --
>>>> Goden
>>>>
>>> --
>>> Goden
>>>
>> --
>> Goden
>>
> --
> Goden
>
--
Goden
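
The matching behaviour Abhay describes in the thread above, as an added example that is not part of the original messages and is not Ranger's code: a simplified Python model in which evaluation walks the policies (not the tables) and a `*` in the policy resource matches any table or column, including tables created after the policy. The policy, user and group names are constructed, and treating the `all` access type as covering every other type is a modelling assumption; deny items and exclusions are not modelled.

```python
from fnmatch import fnmatchcase

# Constructed sample policies shaped like the (database, table, column)
# resource specification from the thread. All names are hypothetical.
POLICIES = [
    {"name": "xyz-all-for-analysts",
     "resources": {"database": "xyz", "table": "*", "column": "*"},
     "groups": {"analysts"}, "users": set(), "accesses": {"all"}},
    {"name": "hr-salary-select",
     "resources": {"database": "hr", "table": "salary", "column": "amount"},
     "groups": set(), "users": {"alice"}, "accesses": {"select"}},
]


def resource_matches(policy, request):
    """Every resource level must match; '*' in the policy matches any value."""
    return all(fnmatchcase(request[level], pattern)
               for level, pattern in policy["resources"].items())


def principal_matches(policy, user, groups):
    """The requester matches by user name or by membership in a listed group."""
    return user in policy["users"] or bool(policy["groups"] & set(groups))


def access_matches(policy, access_type):
    """Assumption of this model: 'all' covers every other access type."""
    return "all" in policy["accesses"] or access_type in policy["accesses"]


def evaluate(policies, user, groups, access_type, request):
    """Walk the policies (never the tables) until one allows the request.

    Returns the name of the allowing policy, or None (denied by default).
    """
    for policy in policies:
        if (resource_matches(policy, request)
                and principal_matches(policy, user, groups)
                and access_matches(policy, access_type)):
            return policy["name"]
    return None


if __name__ == "__main__":
    req = {"database": "xyz", "table": "orders", "column": "id"}
    print(evaluate(POLICIES, "bob", ["analysts"], "select", req))
```

Because the wildcard is evaluated against the request at access time, nothing has to be re-granted when a table is added to the database, and a request for a different database or from a non-member falls through to the default deny.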
