ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Yan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-768) Hive Metastore Plugin
Date Tue, 12 Jan 2016 05:26:39 GMT

    [ https://issues.apache.org/jira/browse/RANGER-768?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15093314#comment-15093314
] 

Yan commented on RANGER-768:
----------------------------

[~bosco] I guess it might be possible not to add HDFS policies for each physical partition,
but for the partition/bucket/table specification in the DDL and use the "recursive" flag to
denote the actual storage files beneath the specifid storage directories. We may need to consult
with Hive experts on this. 

I have not found a need for a hook specifically for the HDFS policy derivation. The Listener
hook is for the Hive Metastore-based security in general. If HDFS policy sync is configured,
both this hook and the existing Authorizer hook will be enhanced to pass storage info back
to Admin. To save blind pass of the info for the Hive services that are NOT configured for
the HDFS policy sync, we probably need to pass the service config to the Hive plugin as Madhan
pointed out, contrary to my previous thought. Thanks. 

> Hive Metastore Plugin
> ---------------------
>
>                 Key: RANGER-768
>                 URL: https://issues.apache.org/jira/browse/RANGER-768
>             Project: Ranger
>          Issue Type: New Feature
>          Components: admin, plugins
>            Reporter: Yan
>         Attachments: Design Proposal for Hive Metastore Plugin of Ranger.docx, Design
Proposal for Hive Metastore Plugin of Ranger.docx
>
>
> Currently there is no Ranger processing of Hive table meta store events that could result
in privilege modifications. One example is that when a table is renamed by a Hive Server 2
client (the "beeline"), no proper privilege adjustments in Ranger are made to allow/deny previously
allowed/denied users the same privileges as before. In addition, more advanced features, such
as granting/denying similar accesses to Hive's HDFS data to users that have (or do not have)
privileges in the Hive, would require that detailed metadata of the Hive table, the storage
info to be specific, be available to Ranger in order to make the corresponding HDFS  data
accessible to the Hive users directly.
> This plugin will depend upon the existing Ranger Hive plugin, so it shares the same "service"
name as the associated Ranger Hive service deployed, and it will be "co-enabled" with the
existing Ranger Hive plugin.
> Design doc will come soon.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message