ranger-dev mailing list archives

From Don Bosco Durai <bdu...@hortonworks.com>
Subject Re: Does Ranger Restrict Any Permission
Date Thu, 02 Jul 2015 20:36:39 GMT
Alok, HS2 will do all the access as user “hive”. Yes, you will need to give
access to user “hive” to access the external folders. However, for
security reasons, HS2 will make sure that the calling user has the
necessary permissions to read the external folder. So in this way, user X
can load data from user Y’s personal folder.

Bosco


On 7/1/15, 7:46 PM, "Alok Lal" <alal@hortonworks.com> wrote:

>@Bosco,
>What happens with doAs=false if user is creating/using an external table?
>Would they also run as hive user and hence hive user needs to be given
>permission in HDFS to any such external files?
>Thanks
>
>On 7/1/15, 6:17 AM, "Don Bosco Durai" <bosco@apache.org> wrote:
>
>>Tanping
>>
>>Current Ranger permission model is permissive, which means by default
>>there are no permissions. However, if you give one, then you can't take
>>it back.
>>
>>This model simplifies the management of the policies. However, if you
>>want to revoke permissions for a certain user, then it becomes difficult.
>>
>>In your use case, we recommend that you manage HDFS permissions only from
>>Ranger. You should do "hdfs dfs -chmod -R 0000 /usr/hive" and then give
>>explicit permissions to users from Ranger.
>>
>>If you are using HiveServer2, then we recommend to configure HS2 with
>>"doAs=false". In this case, you just need to give permission to user
>>"hive" in the HDFS level and manage all the table/column permissions at
>>the Hive level using Ranger. In this case, you can also give more
>>granular permissions up to column level.
>>
>>If you feel revoke will be useful for you, then can you create a JIRA? In
>>the next release we can come up with a simplified version of revoke.
>>
>>Thanks
>>
>>Bosco
>>
>>
>>On 7/1/15, 12:57 PM, "Tanping Wang" <tanpingw@gmail.com> wrote:
>>
>>>Hi, all,
>>>My understanding of Ranger is that Ranger would open up/relax the file
>>>permission inherited from Unix.  Can Ranger restrict/remove the
>>>permissions for a user?  For example, if a user, John, does have
>>>permission to /usr/hive.  Can Ranger revoke the permission?
>>>Regards,
>>>tanping
>>
>>
>
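
The allow-only evaluation discussed in this thread, as an added Python example that is not part of the original messages or of Ranger's code. It assumes that when no Ranger policy matches, the native HDFS mode bits decide; `Policy`, `Inode` and `authorize` are hypothetical names, and the HDFS superuser bypass is not modelled.

```python
from dataclasses import dataclass

BITS = {"read": 4, "write": 2, "execute": 1}

@dataclass(frozen=True)
class Policy:
    """Constructed stand-in for a Ranger allow policy (there is no deny entry)."""
    path: str          # applies to this path and everything beneath it
    users: frozenset
    perms: frozenset   # subset of BITS keys

@dataclass(frozen=True)
class Inode:
    """Constructed stand-in for a path's HDFS owner, group and mode bits."""
    owner: str
    group: str
    mode: int

def covers(policy_path, path):
    # Match on whole path components so /usr/hive does not cover /usr/hivex.
    base = policy_path.rstrip("/")
    return path == base or path.startswith(base + "/")

def posix_allows(inode, user, groups, perm):
    shift = 6 if user == inode.owner else 3 if inode.group in groups else 0
    return bool((inode.mode >> shift) & BITS[perm])

def authorize(policies, inode, path, user, groups, perm):
    """Return (allowed, decided_by). Policies can only add access."""
    for p in policies:
        if covers(p.path, path) and user in p.users and perm in p.perms:
            return True, "ranger"
    # Assumption: no matching policy means the native HDFS mode bits decide.
    if posix_allows(inode, user, groups, perm):
        return True, "hdfs"
    return False, "denied"

if __name__ == "__main__":
    hive_only = [Policy("/usr/hive", frozenset({"hive"}), frozenset(BITS))]
    for mode in (0o775, 0o000):   # before and after "hdfs dfs -chmod -R 0000"
        node = Inode("hive", "hadoop", mode)
        for user, groups in (("john", {"hadoop"}), ("hive", set())):
            verdict = authorize(hive_only, node, "/usr/hive/t1", user, groups, "read")
            print(oct(mode), user, verdict)
```

With mode 0775 John is admitted by the HDFS bits even though no policy names him, which is the access a policy cannot take away; with mode 0000 only users named in a policy get through.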