Correct. You need to set up Ranger policy either through REST API or through GUI to configure this authorization behavior.
-Abhay

From: Goden Yao
Date: Monday, May 8, 2017 at 11:51 AM
Subject: Re: GRANT ALL ON DATABASE ...

I see. So to configure this I can either go on UI or through Ranger REST API but not a DDL (e.g. GRANT ALL ON DATABASE ... ), is that correct?

On Mon, May 8, 2017 at 11:34 AM Abhay Kulkarni wrote:

Hi Goden,

If there is a Ranger policy with (database=<db-name>, table=*, column=*) as the resource-specification for a certain group, and if a Hive request is made by a member of a group, Ranger authorization code will use policy matchers to match the requested resource with the policy resource. Matcher for this policy will match any table within the database <db-name> because of the wildcard '*' specified in its resource-specification. If resource is matched, the policy will be used to evaluate access to this resource provided user, groups and the requested access-type also match.

In short, Ranger goes through policies (not tables) until a match is found.

Hope that helps.

-Abhay

From: Goden Yao
Date: Monday, May 8, 2017 at 10:01 AM
Subject: Re: GRANT ALL ON DATABASE ...

What's behind the stage for Ranger to configure this - does it internally go through every table? Just want to understand the implementation details.

On Thu, May 4, 2017 at 2:30 PM Ramesh Mani wrote:

Goden,

Yes, that is right, you can put "*" for table and column.

From: Goden Yao
Date: Thursday, May 4, 2017 at 2:21 PM
Subject: Re: GRANT ALL ON DATABASE ...

Thanks Ramesh - in Ranger UI, I see table is always required when creating a policy - is that the case? So you are saying I can put "*" in table input field?

On Thu, May 4, 2017 at 1:40 PM Ramesh Mani wrote:

Goden,

GRANT ALL/READ ON DATABASE XYZ: you can maintain a policy for database "*", but with respect to ROLE XXX, can this ROLE be a "group" in LDAP/AP or unix? Then you can maintain this policy for GROUP XXX.

Thanks,
Ramesh

From: Goden Yao
Date: Thursday, May 4, 2017 at 1:34 PM
Subject: Re: GRANT ALL ON DATABASE ...

Hi,

Anyone may want to comment? I found out this is actually supported in Hive Default Authorization (legacy) mode but probably not in SQL Standard Authorization, why is that?

On Tue, May 2, 2017 at 10:20 AM Goden Yao wrote:

Hi,

I wonder if Ranger policy can support something like "GRANT ALL/READ ON DATABASE XYZ to ROLE XXX"? Or I have to specify each table iteratively in a database?

Thanks
-Goden

--
Goden
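
The policy matching described in this thread, as an added example that is not part of the original messages and is not Ranger's own code: a simplified model that walks policies rather than tables, so a table created after the policy was written is still covered by table=*. The policy names, group names, fnmatch-style wildcard handling and the treatment of "all" as covering every access type are assumptions of this sketch.

```python
from fnmatch import fnmatchcase

# Constructed sample policies shaped like the (database, table, column)
# resource specification from the thread. All names are hypothetical.
POLICIES = [
    {"name": "xyz-all-for-analysts",
     "resources": {"database": ["xyz"], "table": ["*"], "column": ["*"]},
     "groups": {"analysts"}, "accesses": {"all"}},
    {"name": "sales-orders-select",
     "resources": {"database": ["sales"], "table": ["orders"], "column": ["*"]},
     "groups": {"reporting"}, "accesses": {"select"}},
]


def resource_matches(policy, request):
    """True when every resource level of the request matches a policy value."""
    for level, patterns in policy["resources"].items():
        value = request[level].lower()  # Hive identifiers are case-insensitive
        if not any(fnmatchcase(value, p.lower()) for p in patterns):
            return False
    return True


def evaluate(policies, request):
    """Return the name of the first policy that grants the request, else None.

    The loop is over policies, never over the tables in a database: the
    wildcard in the policy resource is what covers every table.
    """
    for policy in policies:
        if not resource_matches(policy, request):
            continue  # resource does not match this policy
        if not (policy["groups"] & request["groups"]):
            continue  # caller is not in any group the policy names
        # Assumption: "all" stands for every access type in this model.
        if "all" in policy["accesses"] or request["access"] in policy["accesses"]:
            return policy["name"]
    return None  # no policy matched, so access is not granted


def make_request(database, table, column, groups, access):
    """Build a request dict in the shape evaluate() expects."""
    return {"database": database, "table": table, "column": column,
            "groups": set(groups), "access": access}
```

A group without a matching policy gets no access even when the resource matches, which is why the group mapping Ramesh asks about matters as much as the wildcard.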
