ranger-dev mailing list archives

From "Balaji Ganesan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-861) Ranger does not execute jobs under original user
Date Fri, 26 Feb 2016 22:39:18 GMT

    [ https://issues.apache.org/jira/browse/RANGER-861?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15169992#comment-15169992 ]

Balaji Ganesan commented on RANGER-861:
---------------------------------------

<<When using Ranger hive queries are executed under a superuser account instead of the
users' own account>>

[~bolke] This has nothing to do with Ranger. Hive can operate under 2 modes - running Hive
queries as "hive" superuser or running Hive queries as the end user. There is configuration
in Hive called hiveserver2.enable.doAs which determines this. If you set this as false, all
Hive queries would be executed as "hive" superuser. I would recommend setting doAs as "false"
for Hive, and enabling column security in Hive using Ranger. In that way, users may not get
direct Hadoop access and they will only get access to columns granted access by Ranger. This
may not work in all scenarios, so you will have to configure Hive based on your use case.


> Ranger does not execute jobs under original user
> ------------------------------------------------
>
>                 Key: RANGER-861
>                 URL: https://issues.apache.org/jira/browse/RANGER-861
>             Project: Ranger
>          Issue Type: Improvement
>    Affects Versions: 0.5.2, 0.6.0
>            Reporter: Bolke de Bruin
>
> When using Ranger hive queries are executed under a superuser account instead of the
> users' own account. This means that in the UIs one is unable to distinguish who is running
> what job because they all reside under the same user. This is a usability issue.
> Also "What this means is that Hiveserver2 will run MR jobs in HDFS as the original user"
> mentioned in http://hortonworks.com/blog/best-practices-for-hive-authorization-using-apache-ranger-in-hdp-2-2/
> does not seem to be the case. The screenshots also support this as the files are being owned
> by the hive user and permissions are only set for the hive user.
> For HDFS, access can be granted by Ranger. It (ranger) however expects the files to be
> owned by the 'hive' user, otherwise they won't be accessible by services that do not integrate
> with ranger, although the proper permissions/acls are in place.
> Moreover, logging for the different services now also doesn't include the user ids anymore,
> making it easier for someone to manipulate the logs. We consider this a security issue.
> We would like to see the option of:
> 1. Execution of (hive etc) jobs under the original user id
> 2. Making sure Ranger's hdfs policies are complementary to HDFS permissions (or setting
> the right permissions on HDFS?), again making sure access is done under the original account,
> not requiring file ownership by the hive user.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
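The comment above turns on a single Hive setting, so a defender reviewing a cluster wants a quick way to read it out of hive-site.xml and see what it implies for file ownership and for which logs still carry the end user's identity. The script below is an added example, not code from the Ranger or Hive projects or from either participant in this thread. It assumes the standard Hive property name `hive.server2.enable.doAs` (the comment spells it `hiveserver2.enable.doAs`), that Hive treats the value as a boolean defaulting to true when unset, and the usual Hadoop `<configuration><property><name/><value/></property>` file layout; the two hive-site.xml samples are constructed for the example.

```python
"""Report which impersonation mode HiveServer2 is configured for.

Added example (not Ranger or Hive project code).  Assumptions: the property
is named hive.server2.enable.doAs, its default is true when absent, and the
input follows the standard Hadoop configuration XML layout.
"""
import xml.etree.ElementTree as ET

DOAS_PROPERTY = "hive.server2.enable.doAs"  # assumed standard Hive property name

# Constructed sample: the mode the comment recommends (queries run as "hive").
SAMPLE_DOAS_FALSE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>false</value>
  </property>
</configuration>
"""

# Constructed sample: the mode the issue reporter asks for (queries run as the end user).
SAMPLE_DOAS_TRUE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.enable.doAs</name>
    <value>TRUE</value>
  </property>
</configuration>
"""

# Constructed sample: property absent, so Hive's default applies.
SAMPLE_UNSET = "<configuration></configuration>"


def read_properties(xml_text):
    """Parse a Hadoop-style configuration file into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def doas_enabled(props):
    """True when HiveServer2 impersonates the end user (assumed default: true)."""
    return props.get(DOAS_PROPERTY, "true").strip().lower() == "true"


def assess(xml_text):
    """Summarise the operational consequences of the doAs setting."""
    enabled = doas_enabled(read_properties(xml_text))
    if enabled:
        return {
            "doAs": True,
            # Jobs and HDFS writes carry the submitting user's identity.
            "runs_as": "end user",
            "hdfs_owner_of_output": "end user",
            # The user therefore needs HDFS access themselves (direct or via Ranger HDFS policies).
            "user_needs_hdfs_access": True,
            # YARN and HDFS logs show the real user, not just the service account.
            "user_identity_in_hdfs_yarn_logs": True,
        }
    return {
        "doAs": False,
        # Everything is executed by the service superuser "hive".
        "runs_as": "hive",
        "hdfs_owner_of_output": "hive",
        # Users only need Hive (e.g. Ranger column-level) authorisation, not HDFS access.
        "user_needs_hdfs_access": False,
        # Only HiveServer2 / Ranger audit records the end user; HDFS and YARN see "hive".
        "user_identity_in_hdfs_yarn_logs": False,
    }


if __name__ == "__main__":
    for label, sample in (("doAs=false", SAMPLE_DOAS_FALSE),
                          ("doAs=true", SAMPLE_DOAS_TRUE),
                          ("unset", SAMPLE_UNSET)):
        print(label, assess(sample))
```

Run it against a real hive-site.xml by replacing the samples with the file's contents. The point of the last two fields is the trade-off both sides of the thread are describing: with doAs off, the end user's identity survives only in the HiveServer2 and Ranger audit trail, so that trail must be retained and protected if per-user attribution matters.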
