ranger-dev mailing list archives

From "Don Bosco Durai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-768) Hive Metastore Plugin
Date Thu, 14 Jan 2016 00:25:39 GMT

    [ https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15097345#comment-15097345 ]

Don Bosco Durai commented on RANGER-768:
----------------------------------------

[~yzhou2001], thanks for the updated document. Can you also add the state diagram? Or let's
move to Wiki and add in that.

A few comments:

bq. 2.1 – System Authorization. It is required that the user of “hive” be a Ranger admin
user to allow him the access to manipulate HDFS privileges 
Since the “hive” user already has the required permission to the warehouse folder in HDFS,
do we still need to give admin privilege to it?

bq. 2.2.1: Hive service name as the existing Hive plugin
When we are designing, we need to make sure we can support two services with the same name.
Might need changes to the Ranger Admin. We could have one primary and other one as logical/secondary.
Can we make a list of design concerns we need to discuss?

bq. 2.2.3 A “prohibitive” approach will be adopted when privileges are managed at a finer
granularity than the finest backing storage ACL unit of files.
We should list all the use cases, so it will be easy to come up with the test cases.

bq. 2.3 In addition, the RangerServiceREST’s grant/revokeAccess methods, once determined
that there is a non-null value of the service’s configured key of “resourceService”,
will locate a HDFS service with the name and adjust policies accordingly therein.
How are we planning to send the HDFS resources associated with the policy?

We also need to address use cases where Ranger is enabled in a pre-existing environment. How
do we load resources for existing tables and partitions?



> Hive Metastore Plugin
> ---------------------
>
>                 Key: RANGER-768
>                 URL: https://issues.apache.org/jira/browse/RANGER-768
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin, plugins
>            Reporter: Yan
>         Attachments: Design Proposal for Hive Metastore Plugin of Ranger - V1.2.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx, Design Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that could result
> in privilege modifications. One example is that when a table is renamed by a Hive Server 2
> client (the "beeline"), no proper privilege adjustments in Ranger are made to allow/deny previously
> allowed/denied users the same privileges as before. In addition, more advanced features, such
> as granting/denying similar accesses to Hive's HDFS data to users that have (or do not have)
> privileges in the Hive, would require that detailed metadata of the Hive table, the storage
> info to be specific, be available to Ranger in order to make the corresponding HDFS data
> accessible to the Hive users directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares the same "service"
> name as the associated Ranger Hive service deployed, and it will be "co-enabled" with the
> existing Ranger Hive plugin.
> Design doc will come soon.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
