To add to Ramesh's answer.

There is a switch/property to turn off falling back to Hadoop ACL. In
that case, all the permissions for HDFS should be in Ranger.

Regarding HiveCLI, you should consider it the same as Pig, which means you
need to manage all the policy at the HDFS level. Because, for Pig and
HiveCLI, you have to anyway give permission to the HDFS folder/files,
which means the user can bypass any controls you might have put on the
HiveCLI layer. In HiveServer2, it is like the client/server architecture;
we recommend running HiveServer2 with "doAs=false" mode and at the HDFS
level, just give permissions to the user "hive" for the database HDFS folders
and control all user access to the database using Hive Ranger policies. If
there are any power users or nightly load jobs, you can always give those
users permissions directly to the HDFS.

I hope this clarifies.

Thanks

Bosco

On 2/17/15, 10:05 AM, "Ramesh Mani" <[email protected]> wrote:

>Hi Julien,
>
>Please find the answers.
>
>Thanks,
>Ramesh
>
>On Feb 17, 2015, at 4:27 AM, Julien Carme <[email protected]> wrote:
>
>> Hello,
>> 
>> I have been playing with Apache Ranger for some time and there are
>>some things that are still puzzling me:
>> 
>> - With the HDFS plugin, it seems that rights are given when Ranger
>>rights OR standard hadoop rights are provided. For example, a directory
>>with 755 rights will always be readable by everyone, whatever Ranger
>>says. Therefore, to have ranger actually controlling the rights of a
>>directory, there is a need to chmod 700 this directory. Is that the
>>expected behavior?
>
>       Ramesh : Hadoop ACL will be in effective over Ranger ACL. So what you
>are seeing is right behavior.
>> 
>> - Hive plugin works great for hiveserver access, however the direct use
>>of hive command line client  does not take Ranger rights into account.
>>Is that a feature? Is it planned to change in the future?
>
>       Ranger Supports only HiveServer2.
>
>       Hive CLI cannot be supported by Ranger because of its security
>vulnerability. You can always bypass the security here in Hive CLI by
>having different conf file. This is documented.
>> 
>> I might have missed a documentation that would explain all that.
>> 
>> Regards,
>> 
>> Julien
>
>


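The setup recommended in the reply above (HiveServer2 with doAs=false, database folders in HDFS accessible only to the user hive, fallback to Hadoop ACL turned off) can be checked mechanically; the script below is an added example and not part of the original thread. The thread does not name the properties, so `hive.server2.enable.doAs` (hive-site.xml) and `xasecure.add-hadoop-authorization` (the Ranger HDFS plugin's security XML) are assumptions about which settings are meant, and all paths and listings are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from the thread.
HIVE_SITE = """<configuration><property>
  <name>hive.server2.enable.doAs</name><value>true</value>
</property></configuration>"""
RANGER_HDFS = """<configuration><property>
  <name>xasecure.add-hadoop-authorization</name><value>true</value>
</property></configuration>"""
# Same column layout as `hdfs dfs -ls` output.
WAREHOUSE_LS = """Found 3 items
drwx------   - hive hadoop 0 2015-02-17 10:05 /apps/hive/warehouse/sales.db
drwxr-xr-x   - hive hadoop 0 2015-02-17 10:05 /apps/hive/warehouse/hr.db
drwxrwx---   - etl  hadoop 0 2015-02-17 10:05 /apps/hive/warehouse/staging.db
"""

def read_props(xml_text):
    """Return {name: value} from a Hadoop-style configuration XML string."""
    root = ET.fromstring(xml_text)
    return {p.findtext("name", "").strip(): p.findtext("value", "").strip()
            for p in root.iter("property")}

def audit(hive_site, ranger_hdfs, ls_output, service_user="hive"):
    """Return (check, detail) findings that weaken the recommended setup."""
    findings = []
    # Anything other than an explicit "false" is reported for review.
    doas = read_props(hive_site).get("hive.server2.enable.doAs", "unset")
    if doas.lower() != "false":
        findings.append(("doAs", doas))
    fallback = read_props(ranger_hdfs).get(
        "xasecure.add-hadoop-authorization", "unset")
    if fallback.lower() != "false":
        findings.append(("fallback", fallback))
    for line in ls_output.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue  # skips the "Found N items" header
        mode, owner, path = parts[0], parts[2], parts[7]
        # mode[4:10] holds the group and other bits; "+" marks extended ACLs.
        if owner != service_user or mode[4:10] != "------" or mode.endswith("+"):
            findings.append(("hdfs", path))
    return findings

if __name__ == "__main__":
    for check, detail in audit(HIVE_SITE, RANGER_HDFS, WAREHOUSE_LS):
        print(f"REVIEW {check}: {detail}")
```

Folders flagged under `hdfs` are not necessarily wrong: direct HDFS permissions for power users or nightly load jobs are expected, so each hit is a prompt to confirm the access is intended.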