Quite late, but let me at least respond back ☺

> a) I'm trying to understand if there is a way to decouple Hive metadata authorization (SHOW DATABASES, SHOW TABLES, etc) from the SELECT permission grant. I'd like for users to be able to do schema discovery without having access to the underlying data but currently I'm finding no way to accomplish this.

These are enforced at the Ranger Hive Plugin. You will have to update the code for that.

> b) is there any good documentation that describes the practical difference between an exclude and deny with respect to a resource based policy? We haven't enabled deny via the config yet (it's one of our next tests) but I have yet to see excludes work in the way I expect and I'd assume someone has documented this stuff well somewhere.

Excludes is more of a convenience option. E.g. if you have 100 columns and only a couple of columns need to be restricted, then you can use excludes to remove them from the policy. But this doesn’t stop the user from accessing these columns if there were any other policies which gave permissions to these columns.

Deny has precedence over allow. So if you have enabled “Deny” and if there is a deny for any user, then no other policy can override it.

> c) is there an exposed Swagger resource for a local Ranger server? I was able to explore the apidocs via the official swagger documentation on the wiki but have had no luck discovering a working spec via our current running PoC server.

There was some work recently done on this. Not sure whether it addresses your question.

Sorry for the delay.

Bosco

From: Matt Goeke <mgo...@riotgames.com>
Reply-To: <user@ranger.apache.org>
Date: Thursday, November 30, 2017 at 4:17 PM
To: <user@ranger.apache.org>
Subject: Ranger + Hive

Hey all,

We are running on 71. and have a couple issues I'm curious about from an admin perspective:

a) I'm trying to understand if there is a way to decouple Hive metadata authorization (SHOW DATABASES, SHOW TABLES, etc) from the SELECT permission grant. I'd like for users to be able to do schema discovery without having access to the underlying data but currently I'm finding no way to accomplish this.

b) is there any good documentation that describes the practical difference between an exclude and deny with respect to a resource based policy? We haven't enabled deny via the config yet (it's one of our next tests) but I have yet to see excludes work in the way I expect and I'd assume someone has documented this stuff well somewhere.

c) is there an exposed Swagger resource for a local Ranger server? I was able to explore the apidocs via the official swagger documentation on the wiki but have had no luck discovering a working spec via our current running PoC server.

Thank you in advance for any help!

--
Matt
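
A minimal model of the exclude versus deny behaviour described in the reply to (b), added here as an illustration and not taken from Apache Ranger or from either author in the thread. The `Policy` class, the `evaluate` function, the user and the column names are hypothetical, and treating "no matching allow" as denied is an assumption of the model.

```python
# Simplified model of exclude vs. deny as described in the reply above.
# Not Apache Ranger code; every class, field and policy name is hypothetical.
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    columns: set            # columns listed in the policy resource
    excludes: bool = False  # True: policy covers every column EXCEPT `columns`
    allow: set = field(default_factory=set)  # users granted select
    deny: set = field(default_factory=set)   # users denied select

    def matches(self, column):
        listed = column in self.columns
        return not listed if self.excludes else listed


def evaluate(policies, user, column, deny_enabled=True):
    """Return (decision, policy_name) for a select on one column."""
    matching = [p for p in policies if p.matches(column)]
    # Deny is checked first across all matching policies, so no allow overrides it.
    if deny_enabled:
        for p in matching:
            if user in p.deny:
                return ("DENIED", p.name)
    for p in matching:
        if user in p.allow:
            return ("ALLOWED", p.name)
    # Model assumption: with no matching allow, access is not granted.
    return ("DENIED", None)


# Constructed sample policies for a table with columns id, name, ssn, salary.
wide_exclude = Policy("all-but-sensitive", {"ssn", "salary"}, excludes=True, allow={"alice"})
other_grant = Policy("hr-columns", {"ssn"}, allow={"alice"})
deny_ssn = Policy("deny-ssn", {"ssn"}, deny={"alice"})
ALL = [wide_exclude, other_grant, deny_ssn]


def demo():
    return {
        "exclude_only": evaluate([wide_exclude], "alice", "ssn"),
        "exclude_plus_grant": evaluate([wide_exclude, other_grant], "alice", "ssn"),
        "with_deny": evaluate(ALL, "alice", "ssn"),
        "deny_disabled": evaluate(ALL, "alice", "ssn", deny_enabled=False),
        "unrelated_column": evaluate(ALL, "alice", "name"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20} {result}")
```

The `exclude_plus_grant` case is the one that surprises people: the excluded column becomes readable as soon as any other policy grants it, and only an explicit deny closes it.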